This is a preliminary patch, aiming to enable a clean build of gssd on systems with Heimdal kerberos flavour. A major part of Heimdal breakage until now was caused by problems with gssglue. Now that libtirpc can be build independently from libgssglue, why not gssd? Unfortunately, I could not test this patch againts mit-krb5, hopefully somebody can give me a hand here. Signed-off-by: Alex Dubov <oakad@xxxxxxxxx> --- aclocal/kerberos5.m4 | 5 ++- aclocal/rpcsec_vers.m4 | 2 +- utils/gssd/context_lucid.c | 10 ++++---- utils/gssd/krb5_util.c | 45 ++++++++++++++++++++++++++++++++++++------- utils/gssd/svcgssd_krb5.c | 2 +- 5 files changed, 47 insertions(+), 17 deletions(-) diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4 index 7574e2d..76914d6 100644 --- a/aclocal/kerberos5.m4 +++ b/aclocal/kerberos5.m4 @@ -54,9 +54,10 @@ AC_DEFUN([AC_KERBEROS_V5],[ break dnl The following ugly hack brought on by the split installation dnl of Heimdal Kerberos on SuSe - elif test \( -f $dir/include/heim_err.h -o\ + elif test \( \( -f $dir/include/heim_err.h -o\ -f $dir/include/heimdal/heim_err.h \) -a \ - -f $dir/lib/libroken.a; then + \( -f $dir/lib/libroken.a -o\ + -f $dir/lib/libroken.so \) \) ; then AC_DEFINE(HAVE_HEIMDAL, 1, [Define this if you have Heimdal Kerberos libraries]) KRBDIR="$dir" gssapi_lib=gssapi diff --git a/aclocal/rpcsec_vers.m4 b/aclocal/rpcsec_vers.m4 index 8218372..9cf7556 100644 --- a/aclocal/rpcsec_vers.m4 +++ b/aclocal/rpcsec_vers.m4 @@ -1,7 +1,7 @@ dnl Checks librpcsec version AC_DEFUN([AC_RPCSEC_VERSION], [ - PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3]) +# PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3]) dnl TI-RPC replaces librpcsecgss if test "$enable_tirpc" = no; then diff --git a/utils/gssd/context_lucid.c b/utils/gssd/context_lucid.c index 64146d7..82171da 100644 --- a/utils/gssd/context_lucid.c +++ b/utils/gssd/context_lucid.c 
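Review bot: Commenting out `PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3])` in aclocal/rpcsec_vers.m4 disables the check for every build, not only Heimdal ones, so `GSSGLUE_CFLAGS` and `GSSGLUE_LIBS` are never set. Any Makefile that still references them (not visible here) would then build without libgssglue and give no configure-time error. Consider keeping the check and skipping it only when Heimdal was detected or when a configure switch asks for it. If the line does have to be disabled, the file's own comment style is `dnl`, which keeps the text out of the generated configure script, whereas `#` is copied into it.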
@@ -266,10 +266,10 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime) int retcode = 0; printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__); - maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx, - 1, &return_ctx); + maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx, + 1, &return_ctx); if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_export_lucid_sec_context", + pgsserr("gss_krb5_export_lucid_sec_context", maj_stat, min_stat, &krb5oid); goto out_err; } @@ -302,9 +302,9 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf, int32_t *endtime) else retcode = prepare_krb5_rfc4121_buffer(lctx, buf, endtime); - maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); + maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx); if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_free_lucid_sec_context", + pgsserr("gss_krb5_free_lucid_sec_context", maj_stat, min_stat, &krb5oid); printerr(0, "WARN: failed to free lucid sec context\n"); } diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 20b55b3..958ed57 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -115,7 +115,7 @@ #include <errno.h> #include <time.h> #include <gssapi/gssapi.h> -#ifdef USE_PRIVATE_KRB5_FUNCTIONS +#if defined(USE_PRIVATE_KRB5_FUNCTIONS) || defined(HAVE_HEIMDAL) #include <gssapi/gssapi_krb5.h> #endif #include <krb5.h> 
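Review bot: The new call `gss_krb5_free_lucid_sec_context(&min_stat, ctx)` in the second context_lucid.c hunk passes the GSS context handle, but the object to release is the lucid context that the export call stored in `return_ctx`. In the MIT and Heimdal headers as I know them, the second parameter is a `void *` to that exported structure. As written, the call would either free the wrong object or leak the lucid context, which carries the session keys being serialized. The line should read `maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, return_ctx);`. serialize_krb5_ctx starts and ends outside the hunk, so the state of `ctx` after the export is not visible here.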
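Review bot: `<gssapi/gssapi_krb5.h>` is still included only under `USE_PRIVATE_KRB5_FUNCTIONS` or `HAVE_HEIMDAL`, yet the limit_krb5_enctypes hunk later in this file calls `gss_krb5_set_allowable_enctypes` with no such condition visible. Unless that function is itself compiled out, an MIT build without private functions would have no prototype in scope, and the compiler could no longer catch a wrong argument list. Dropping the condition and using a plain `#include <gssapi/gssapi_krb5.h>` looks safer. The description says the patch was not tested against mit-krb5, so this needs checking before merge.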
@@ -958,9 +958,38 @@ check_for_tgt(krb5_context context, krb5_ccache ccache, { krb5_error_code ret; krb5_creds creds; - krb5_cc_cursor cur; int found = 0; +#if defined (HAVE_HEIMDAL) + krb5_creds pattern; + krb5_const_realm client_realm; + + krb5_cc_clear_mcred(&pattern); + + client_realm = krb5_principal_get_realm(context, principal); + + ret = krb5_make_principal(context, &pattern.server, + client_realm, KRB5_TGS_NAME, client_realm, + NULL); + if (ret) + krb5_err(context, 1, ret, "krb5_make_principal"); + pattern.client = principal; + + ret = krb5_cc_retrieve_cred(context, ccache, 0, &pattern, &creds); + krb5_free_principal(context, pattern.server); + if (ret) { + if (ret == KRB5_CC_END) + return 1; + krb5_err(context, 1, ret, "krb5_cc_retrieve_cred"); + } + + found = creds.times.endtime > time(NULL); + + krb5_free_cred_contents (context, &creds); +#else + krb5_cc_cursor cur; + + ret = krb5_cc_start_seq_get(context, ccache, &cur); if (ret) return 0; @@ -980,7 +1009,7 @@ check_for_tgt(krb5_context context, krb5_ccache ccache, krb5_free_cred_contents(context, &creds); } krb5_cc_end_seq_get(context, ccache, &cur); - +#endif return found; } @@ -1328,7 +1357,7 @@ gssd_k5_err_msg(krb5_context context, krb5_error_code code) return strdup(error_message(code)); #else if (context != NULL) - return strdup(krb5_get_err_text(context, code)); + return strdup(krb5_get_error_message(context, code)); else return strdup(error_message(code)); #endif 
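Review bot: In the Heimdal branch of check_for_tgt, `if (ret == KRB5_CC_END) return 1;` reports a TGT as present when the cache holds no matching credential. The function ends in `return found;`, and the non-Heimdal path returns 0 when `krb5_cc_start_seq_get` fails. The two `krb5_err(context, 1, ret, ...)` calls also exit the whole daemon on a lookup error, where the other branch returns 0. Both error paths should be `if (ret) return 0;`; the one after `krb5_cc_retrieve_cred` already sits after `krb5_free_principal`, so nothing leaks. Callers are not visible here, but one that trusts the false positive would presumably skip obtaining fresh credentials. The function's signature begins above the hunk.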
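Review bot: `strdup(krb5_get_error_message(context, code))` in gssd_k5_err_msg leaks the string the library returns. That result belongs to the caller and has to be released with `krb5_free_error_message`. Keep the returned pointer in a local, duplicate it, then call `krb5_free_error_message(context, msg);` before returning the copy, and guard against a NULL result before `strdup`. The leak would grow with every error that goes through this branch. The start of the function and the `#if` that selects this branch are outside the hunk.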
@@ -1397,11 +1426,11 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec) * list of supported enctypes, use local default here. */ if (krb5_enctypes == NULL || limit_to_legacy_enctypes) - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, - &krb5oid, num_enctypes, enctypes); + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, credh, + num_enctypes, enctypes); else - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, - &krb5oid, num_krb5_enctypes, krb5_enctypes); + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, credh, + num_krb5_enctypes, krb5_enctypes); if (maj_stat != GSS_S_COMPLETE) { pgsserr("gss_set_allowable_enctypes", diff --git a/utils/gssd/svcgssd_krb5.c b/utils/gssd/svcgssd_krb5.c index 1d44d34..3b10bde 100644 --- a/utils/gssd/svcgssd_krb5.c +++ b/utils/gssd/svcgssd_krb5.c @@ -217,7 +217,7 @@ svcgssd_limit_krb5_enctypes(void) "enctypes from defaults\n", __func__, num_enctypes); } - maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds, + maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gssd_creds, &krb5oid, num_enctypes, enctypes); if (maj_stat != GSS_S_COMPLETE) { printerr(1, "WARNING: gss_set_allowable_enctypes failed\n"); -- 1.7.4.5 -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
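Review bot: The diagnostic after the renamed calls in limit_krb5_enctypes still reads `pgsserr("gss_set_allowable_enctypes",`, so the log names a function the code no longer calls. The same applies to `printerr(1, "WARNING: gss_set_allowable_enctypes failed\n");` in the svcgssd_krb5.c hunk. Both strings should use `gss_krb5_set_allowable_enctypes`, as the context_lucid.c hunks already do for their messages. A failure to restrict enctypes is worth being able to grep for under the real symbol name. The body of limit_krb5_enctypes continues past the end of the hunk.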
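Review bot: The svcgssd_krb5.c call was renamed but still passes `&krb5oid`, which gives it five arguments, while the krb5_util.c hunk drops that argument and calls the same function with four. With the prototype in scope this should not compile. Without it the arguments are shifted, so the count and the enctype list would not reach the library as intended and the server-side enctype limit may not take effect. The line should read `maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gssd_creds, num_enctypes, enctypes);`. Whether this file includes `<gssapi/gssapi_krb5.h>` is not visible in the hunk.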