From 80253e676274490cf27507f40f23de1cc7197524 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 23 Oct 2013 20:34:53 +0200 Subject: [PATCH] Wed Oct 24 2013 Guenther Deschner 0.3.0-8 New upstream release 0.3.0: * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC) * Add support for new rpc.gssd mode of operation that forks and changes uid * Add 2 new options allow_any_uid and cred_usage --- 0001-Fix-LOCAL_FIRST-behavior.patch | 79 ------------------- 0002-Fix-documentation-to-match-reality.patch | 39 --------- gssproxy-conf.patch | 51 ------------ gssproxy.spec | 19 +++-- 4 files changed, 9 insertions(+), 179 deletions(-) delete mode 100644 0001-Fix-LOCAL_FIRST-behavior.patch delete mode 100644 0002-Fix-documentation-to-match-reality.patch delete mode 100644 gssproxy-conf.patch diff --git a/0001-Fix-LOCAL_FIRST-behavior.patch b/0001-Fix-LOCAL_FIRST-behavior.patch deleted file mode 100644 index ed200a9..0000000 --- a/0001-Fix-LOCAL_FIRST-behavior.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From b73a9a18cb2df0b39c30d3e03c66d2f24ec3f57d Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 15 Oct 2013 15:45:59 -0400 -Subject: [PATCH 1/2] Fix LOCAL_FIRST behavior - -We were erroneously returning and never falling back if LOCAL_FIRST was -selected. Correct also the remote first fallback flow. - -Resolves: https://fedorahosted.org/gss-proxy/ticket/105 ---- - proxy/src/mechglue/gpp_acquire_cred.c | 39 +++++++++++++++++------------------ - 1 file changed, 19 insertions(+), 20 deletions(-) - -diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c -index a3290dd72ae2d97eaa05f250a4d2dd96824abebf..fb80677eed4680470e21b820633e87b94f36d6cc 100644 ---- a/proxy/src/mechglue/gpp_acquire_cred.c -+++ b/proxy/src/mechglue/gpp_acquire_cred.c -@@ -109,7 +109,7 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status, - maj = acquire_local(&min, name, time_req, desired_mechs, cred_usage, - out_cred_handle, actual_mechs, time_rec); - -- if (maj != GSS_S_NO_CRED || behavior != GPP_LOCAL_FIRST) { -+ if (maj == GSS_S_COMPLETE || behavior == GPP_LOCAL_ONLY) { - goto done; - } - -@@ -119,31 +119,30 @@ OM_uint32 gssi_acquire_cred(OM_uint32 *minor_status, - } - - /* Then try with remote */ -- if (behavior == GPP_REMOTE_ONLY || behavior == GPP_REMOTE_FIRST) { -- -- if (name && name->local && !name->remote) { -- maj = gpp_local_to_name(&min, name->local, &name->remote); -- if (maj) { -- goto done; -- } -- } -- -- maj = gpm_acquire_cred(&min, -- name ? name->remote : NULL, -- time_req, -- desired_mechs, -- cred_usage, -- &out_cred_handle->remote, -- actual_mechs, -- time_rec); -- if (maj == GSS_S_COMPLETE || behavior == GPP_REMOTE_ONLY) { -+ if (name && name->local && !name->remote) { -+ maj = gpp_local_to_name(&min, name->local, &name->remote); -+ if (maj) { - goto done; - } -+ } - -+ maj = gpm_acquire_cred(&min, -+ name ? 
name->remote : NULL, -+ time_req, -+ desired_mechs, -+ cred_usage, -+ &out_cred_handle->remote, -+ actual_mechs, -+ time_rec); -+ if (maj == GSS_S_COMPLETE || behavior == GPP_REMOTE_ONLY) { -+ goto done; -+ } -+ -+ if (behavior == GPP_REMOTE_FIRST) { - /* So remote failed, but we can fallback to local, try that */ - maj = acquire_local(&min, name, time_req, desired_mechs, cred_usage, - out_cred_handle, actual_mechs, time_rec); -- } -+ } - - done: - if (maj != GSS_S_COMPLETE && --- -1.8.3.1 - diff --git a/0002-Fix-documentation-to-match-reality.patch b/0002-Fix-documentation-to-match-reality.patch deleted file mode 100644 index 51d0e9a..0000000 --- a/0002-Fix-documentation-to-match-reality.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 788132ea70522663efab652d8653e1eaa8819822 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 15 Oct 2013 15:48:04 -0400 -Subject: [PATCH 2/2] Fix documentation to match reality - -LOCAL_FIRST is our default ---- - proxy/man/gssproxy-mech.8.xml | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/proxy/man/gssproxy-mech.8.xml b/proxy/man/gssproxy-mech.8.xml -index b2d008cc8990c214027d2104bf72da776faf1b82..2249ced68af410d9f444ca479df1827712898354 100644 ---- a/proxy/man/gssproxy-mech.8.xml -+++ b/proxy/man/gssproxy-mech.8.xml -@@ -74,10 +74,7 @@ - All commands received with this setting will cause - to immediately reenter the GSSAPI w/o any interaction - with the gssproxy daemon. When the request cannot be -- processed it will just fail. This is the default -- behavior when the -- GSSPROXY_BEHAVIOR environment -- variable is not set at all. -+ processed it will just fail. - - - -@@ -88,6 +85,9 @@ - to immediately reenter the GSSAPI. When the local - GSSAPI cannot process the request, it will resend the - request to the gssproxy daemon. -+ This is the default behavior when the -+ GSSPROXY_BEHAVIOR environment -+ variable is not set. - - - --- -1.8.3.1 - 
diff --git a/gssproxy-conf.patch b/gssproxy-conf.patch deleted file mode 100644 index f97d40c..0000000 --- a/gssproxy-conf.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 7201cabaf0c59b2f50c1a86a47465daaafff6cb4 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Wed, 19 Jun 2013 11:41:29 -0400 -Subject: [PATCH] Split nfs server and client services -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The NFS server uses a special socket for the kernel communication. -Split configuration in 2 distinct services so we can use specific options that -may be different between server and client. - -The 3 main differences so far are: -1. socket: default for client, custom for server -2. kernel_nfd option only for server -3. ccache and client keytab options only for client - -Signed-off-by: Simo Sorce -Reviewed-by: Günther Deschner ---- - proxy/examples/gssproxy.conf.in | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/proxy/examples/gssproxy.conf.in b/proxy/examples/gssproxy.conf.in -index b30d39a..0f8339e 100644 ---- a/proxy/examples/gssproxy.conf.in -+++ b/proxy/examples/gssproxy.conf.in -@@ -1,12 +1,17 @@ - [gssproxy] - --[service/nfs] -+[service/nfs-server] - mechs = krb5 - socket = /run/gssproxy.sock - cred_store = keytab:/etc/krb5.keytab -- cred_store = ccache:FILE:@gpstatedir@/clients/krb5cc_%U -- cred_store = client_keytab:@gpstatedir@/clients/%U.keytab - trusted = yes - kernel_nfsd = yes - euid = 0 - -+[service/nfs-client] -+ mechs = krb5 -+ cred_store = keytab:/etc/krb5.keytab -+ cred_store = ccache:FILE:@gpstatedir@/clients/krb5cc_%U -+ cred_store = client_keytab:@gpstatedir@/clients/%U.keytab -+ trusted = yes -+ euid = 0 --- -1.8.3.1 - diff --git a/gssproxy.spec b/gssproxy.spec index 2f4aaed..86d3d53 100644 --- a/gssproxy.spec +++ b/gssproxy.spec @@ -1,5 +1,5 @@ Name: gssproxy -Version: 0.2.3 +Version: 0.3.0 Release: 8%{?dist} Summary: GSSAPI Proxy 
@@ -8,9 +8,6 @@ License: MIT
 URL: http://fedorahosted.org/gss-proxy
 Source0: http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
-Patch0: gssproxy-conf.patch
-Patch1: 0001-Fix-LOCAL_FIRST-behavior.patch
-Patch2: 0002-Fix-documentation-to-match-reality.patch
 %global servicename gssproxy
 %global pubconfpath %{_sysconfdir}/gssproxy
@@ -20,7 +17,7 @@ Patch2: 0002-Fix-documentation-to-match-reality.patch
 ### Dependencies ###
-Requires: krb5-libs >= 1.11.2
+Requires: krb5-libs >= 1.11.3-25
 Requires: keyutils-libs
 Requires: libverto-tevent
 Requires(post): systemd-units
@@ -39,7 +36,7 @@ BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: krb5-devel >= 1.11.2
+BuildRequires: krb5-devel >= 1.11.3-25
 BuildRequires: libselinux-devel
 BuildRequires: keyutils-libs-devel
 BuildRequires: libini_config-devel >= 1.0.0.1
@@ -55,10 +52,6 @@ A proxy for GSSAPI credential handling
 %prep
 %setup -q
-%patch0 -p2 -b .gssproxy_conf
-%patch1 -p2 -b .gpp_default_behavior
-%patch2 -p2 -b .gpp_default_behavior_doc
-
 %build
 autoreconf -f -i
 %configure \
@@ -110,6 +103,12 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 %changelog
+* Wed Oct 24 2013 Guenther Deschner 0.3.0-8
+- New upstream release 0.3.0:
+ * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)
+ * Add support for new rpc.gssd mode of operation that forks and changes uid
+ * Add 2 new options allow_any_uid and cred_usage
+
 * Fri Oct 18 2013 Guenther Deschner 0.2.3-8
 - Fix default proxymech documentation and fix LOCAL_FIRST implementation
 - resolves: https://fedorahosted.org/gss-proxy/ticket/105
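Review bot: The new %changelog header `+* Wed Oct 24 2013 Guenther Deschner 0.3.0-8` carries a bogus date: 24 Oct 2013 was a Thursday, and the commit itself is dated Wed, 23 Oct 2013, so rpmbuild will warn about the entry and it should read `* Wed Oct 23 2013 Guenther Deschner 0.3.0-8`. Release is also left at `8%{?dist}` across the upstream version bump (context in this file's first hunk), which is unusual; resetting it to `1%{?dist}` and tagging the entry `0.3.0-1` would follow the convention for a new upstream version, unless keeping 8 is intentional. The `%patch0` removal drops the nfs-server/nfs-client split and the `%U` ccache and client_keytab cred_store entries from the example config, and the commit message does not state that 0.3.0 carries that change upstream; since the shipped example is what sets `trusted = yes`, `euid = 0` and `kernel_nfsd` for the NFS services, it is worth confirming upstream has it before the patch file is deleted.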