rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Updated persistent-keyring changes, set as default

Browse Source 
- switch to the version of persistent-keyring that was just merged to
  master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
This commit is contained in:
Nalin Dahyabhai 2013-10-02 14:46:20 -04:00
parent 682dc07d28
commit 494e7adbb0
4 changed files with 1919 additions and 1087 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
krb5-cccol-primary.patch
View File

@ -83,24 +83,3 @@ index cee21ac..b8231ed 100644
/* Look for the next filename of the correct form, without repeating the
* primary cache. */
while ((ent = readdir(data->dir)) != NULL) {
diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py
index acd2b6e..f0792e9 100644
--- a/src/lib/krb5/ccache/t_cccol.py
+++ b/src/lib/krb5/ccache/t_cccol.py
@@ -11,6 +11,7 @@ dccname = 'DIR:%s' % ccdir
duser = 'DIR::%s/tkt1' % ccdir
dalice = 'DIR::%s/tkt2' % ccdir
dbob = 'DIR::%s/tkt3' % ccdir
+dnoent = 'DIR::%s/noent' % ccdir
realm.kinit('user', password('user'), flags=['-c', duser])
realm.kinit('alice', password('alice'), flags=['-c', dalice])
realm.kinit('bob', password('bob'), flags=['-c', dbob])
@@ -30,6 +31,8 @@ cursor_test('file-default2', [realm.ccache], [fccname])
cursor_test('file-default3', [fccname], [fccname])
cursor_test('dir', [dccname], [duser, dalice, dbob])
+cursor_test('dir-subsidiary', [duser], [duser])
+cursor_test('dir-nofile', [dnoent], [])
mfoo = 'MEMORY:foo'
mbar = 'MEMORY:bar'

314
krb5-master-kinit-cccol.patch Normal file
View File

@ -0,0 +1,314 @@
commit d7b94742daae85329067b126d0a4bc5b2ea7e4a0
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Sep 26 05:38:46 2013 -0400
Improve kinit output credential cache selection
If kinit chooses a client principal based on anything other than the
current default ccache's principal name, apply collection rules if
possible. When applying collection rules, if we don't find an
existing cache for the client principal, use the default cache if it
is uninitialized, instead of creating a new one.
ticket: 7689
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 5ceede8..d9033ec 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -466,9 +466,12 @@ k5_begin(opts, k5)
struct k5_data* k5;
{
krb5_error_code code = 0;
+ int success = 0;
int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
- krb5_ccache defcache;
- const char *deftype;
+ krb5_ccache defcache = NULL;
+ krb5_principal defcache_princ = NULL, princ;
+ const char *deftype = NULL;
+ char *defrealm, *name;
code = krb5_init_context(&k5->ctx);
if (code) {
@@ -477,73 +480,153 @@ k5_begin(opts, k5)
}
errctx = k5->ctx;
- /* Parse specified principal name now if we got one. */
- if (opts->principal_name) {
- if ((code = krb5_parse_name_flags(k5->ctx, opts->principal_name,
- flags, &k5->me))) {
- com_err(progname, code, _("when parsing name %s"),
- opts->principal_name);
- return 0;
- }
- }
-
if (opts->k5_out_cache_name) {
code = krb5_cc_resolve(k5->ctx, opts->k5_out_cache_name, &k5->out_cc);
if (code != 0) {
com_err(progname, code, _("resolving ccache %s"),
opts->k5_out_cache_name);
- return 0;
+ goto cleanup;
}
if (opts->verbose) {
fprintf(stderr, _("Using specified cache: %s\n"),
opts->k5_out_cache_name);
}
} else {
- if ((code = krb5_cc_default(k5->ctx, &defcache))) {
+ /* Resolve the default ccache and get its type and default principal
+ * (if it is initialized). */
+ code = krb5_cc_default(k5->ctx, &defcache);
+ if (code) {
com_err(progname, code, _("while getting default ccache"));
- return 0;
+ goto cleanup;
}
deftype = krb5_cc_get_type(k5->ctx, defcache);
- if (k5->me != NULL && krb5_cc_support_switch(k5->ctx, deftype)) {
- /* Use an existing cache for the specified principal if we can. */
- code = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc);
- if (code != 0 && code != KRB5_CC_NOTFOUND) {
- com_err(progname, code, _("while searching for ccache for %s"),
- opts->principal_name);
- krb5_cc_close(k5->ctx, defcache);
- return 0;
+ if (krb5_cc_get_principal(k5->ctx, defcache, &defcache_princ) != 0)
+ defcache_princ = NULL;
+ }
+
+ /* Choose a client principal name. */
+ if (opts->principal_name != NULL) {
+ /* Use the specified principal name. */
+ code = krb5_parse_name_flags(k5->ctx, opts->principal_name, flags,
+ &k5->me);
+ if (code) {
+ com_err(progname, code, _("when parsing name %s"),
+ opts->principal_name);
+ goto cleanup;
+ }
+ } else if (opts->anonymous) {
+ /* Use the anonymous principal for the local realm. */
+ code = krb5_get_default_realm(k5->ctx, &defrealm);
+ if (code) {
+ com_err(progname, code, _("while getting default realm"));
+ goto cleanup;
+ }
+ code = krb5_build_principal_ext(k5->ctx, &k5->me,
+ strlen(defrealm), defrealm,
+ strlen(KRB5_WELLKNOWN_NAMESTR),
+ KRB5_WELLKNOWN_NAMESTR,
+ strlen(KRB5_ANONYMOUS_PRINCSTR),
+ KRB5_ANONYMOUS_PRINCSTR,
+ 0);
+ krb5_free_default_realm(k5->ctx, defrealm);
+ if (code) {
+ com_err(progname, code, _("while building principal"));
+ goto cleanup;
+ }
+ } else if (opts->action == INIT_KT) {
+ /* Use the default host/service name. */
+ code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST,
+ &k5->me);
+ if (code) {
+ com_err(progname, code,
+ _("when creating default server principal name"));
+ goto cleanup;
+ }
+ if (k5->me->realm.data[0] == 0) {
+ code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+ if (code == 0) {
+ com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
+ _("(principal %s)"), k5->name);
+ } else {
+ com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
+ _("for local services"));
}
- if (code == KRB5_CC_NOTFOUND) {
- code = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc);
- if (code) {
- com_err(progname, code, _("while generating new ccache"));
- krb5_cc_close(k5->ctx, defcache);
- return 0;
- }
- if (opts->verbose) {
- fprintf(stderr, _("Using new cache: %s\n"),
- krb5_cc_get_name(k5->ctx, k5->out_cc));
- }
- } else if (opts->verbose) {
+ goto cleanup;
+ }
+ } else if (k5->out_cc != NULL) {
+ /* If the output ccache is initialized, use its principal. */
+ if (krb5_cc_get_principal(k5->ctx, k5->out_cc, &princ) == 0)
+ k5->me = princ;
+ } else if (defcache_princ != NULL) {
+ /* Use the default cache's principal, and use the default cache as the
+ * output cache. */
+ k5->out_cc = defcache;
+ defcache = NULL;
+ k5->me = defcache_princ;
+ defcache_princ = NULL;
+ }
+
+ /* If we still haven't chosen, use the local username. */
+ if (k5->me == NULL) {
+ name = get_name_from_os();
+ if (name == NULL) {
+ fprintf(stderr, _("Unable to identify user\n"));
+ goto cleanup;
+ }
+ code = krb5_parse_name_flags(k5->ctx, name, flags, &k5->me);
+ if (code) {
+ com_err(progname, code, _("when parsing name %s"),
+ name);
+ goto cleanup;
+ }
+ }
+
+ if (k5->out_cc == NULL && krb5_cc_support_switch(k5->ctx, deftype)) {
+ /* Use an existing cache for the client principal if we can. */
+ code = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc);
+ if (code != 0 && code != KRB5_CC_NOTFOUND) {
+ com_err(progname, code, _("while searching for ccache for %s"),
+ opts->principal_name);
+ goto cleanup;
+ }
+ if (code == 0) {
+ if (opts->verbose) {
fprintf(stderr, _("Using existing cache: %s\n"),
krb5_cc_get_name(k5->ctx, k5->out_cc));
}
- krb5_cc_close(k5->ctx, defcache);
k5->switch_to_cache = 1;
- } else {
- k5->out_cc = defcache;
+ } else if (defcache_princ != NULL) {
+ /* Create a new cache to avoid overwriting the initialized default
+ * cache. */
+ code = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc);
+ if (code) {
+ com_err(progname, code, _("while generating new ccache"));
+ goto cleanup;
+ }
if (opts->verbose) {
- fprintf(stderr, _("Using default cache: %s\n"),
+ fprintf(stderr, _("Using new cache: %s\n"),
krb5_cc_get_name(k5->ctx, k5->out_cc));
}
+ k5->switch_to_cache = 1;
+ }
+ }
+
+ /* Use the default cache if we haven't picked one yet. */
+ if (k5->out_cc == NULL) {
+ k5->out_cc = defcache;
+ defcache = NULL;
+ if (opts->verbose) {
+ fprintf(stderr, _("Using default cache: %s\n"),
+ krb5_cc_get_name(k5->ctx, k5->out_cc));
}
}
+
if (opts->k5_in_cache_name) {
code = krb5_cc_resolve(k5->ctx, opts->k5_in_cache_name, &k5->in_cc);
if (code != 0) {
com_err(progname, code, _("resolving ccache %s"),
opts->k5_in_cache_name);
- return 0;
+ goto cleanup;
}
if (opts->verbose) {
fprintf(stderr, _("Using specified input cache: %s\n"),
@@ -551,80 +634,24 @@ k5_begin(opts, k5)
}
}
- if (!k5->me) {
- /* No principal name specified */
- if (opts->anonymous) {
- char *defrealm;
- code = krb5_get_default_realm(k5->ctx, &defrealm);
- if (code) {
- com_err(progname, code, _("while getting default realm"));
- return 0;
- }
- code = krb5_build_principal_ext(k5->ctx, &k5->me,
- strlen(defrealm), defrealm,
- strlen(KRB5_WELLKNOWN_NAMESTR),
- KRB5_WELLKNOWN_NAMESTR,
- strlen(KRB5_ANONYMOUS_PRINCSTR),
- KRB5_ANONYMOUS_PRINCSTR,
- 0);
- krb5_free_default_realm(k5->ctx, defrealm);
- if (code) {
- com_err(progname, code, _("while building principal"));
- return 0;
- }
- } else {
- if (opts->action == INIT_KT) {
- /* Use the default host/service name */
- code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
- KRB5_NT_SRV_HST, &k5->me);
- if (code) {
- com_err(progname, code,
- _("when creating default server principal name"));
- return 0;
- }
- if (k5->me->realm.data[0] == 0) {
- code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
- if (code == 0) {
- com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
- _("(principal %s)"), k5->name);
- } else {
- com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
- _("for local services"));
- }
- return 0;
- }
- } else {
- /* Get default principal from cache if one exists */
- code = krb5_cc_get_principal(k5->ctx, k5->out_cc,
- &k5->me);
- if (code) {
- char *name = get_name_from_os();
- if (!name) {
- fprintf(stderr, _("Unable to identify user\n"));
- return 0;
- }
- if ((code = krb5_parse_name_flags(k5->ctx, name,
- flags, &k5->me))) {
- com_err(progname, code, _("when parsing name %s"),
- name);
- return 0;
- }
- }
- }
- }
- }
code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
if (code) {
com_err(progname, code, _("when unparsing name"));
- return 0;
+ goto cleanup;
}
if (opts->verbose)
fprintf(stderr, _("Using principal: %s\n"), k5->name);
opts->principal_name = k5->name;
- return 1;
+ success = 1;
+
+cleanup:
+ if (defcache != NULL)
+ krb5_cc_close(k5->ctx, defcache);
+ krb5_free_principal(k5->ctx, defcache_princ);
+ return success;
}
static void

17
krb5.spec
View File

@ -35,13 +35,13 @@
%endif
%if 0%{?fedora} >= 20 || 0%{?rhel} > 6
%global configure_default_ccache_name 1
%global configured_default_ccache_name DIR:/run/user/%%{uid}/krb5cc
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
%endif
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.11.3
Release: 20%{?dist}
Release: 21%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
Source0: krb5-%{version}.tar.gz
@ -113,6 +113,7 @@ Patch202: krb5-1.11.2-otp.patch
# Patches for kernel-persistent-keyring support (backport)
Patch301: persistent_keyring.patch
Patch302: krb5-master-kinit-cccol.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -307,6 +308,9 @@ certificate.
%setup -q -n %{name}-%{version} -a 3 -a 100
ln -s NOTICE LICENSE
%patch301 -p1 -b .persistent-keyring
%patch302 -p1 -b .kinit-cccol
%patch60 -p1 -b .pam
%patch63 -p1 -b .selinux-label
@ -349,8 +353,6 @@ ln -s NOTICE LICENSE
%patch201 -p1 -b .keycheck
%patch202 -p1 -b .otp
%patch301 -p1 -b .persistent-keyring
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt
@ -653,7 +655,7 @@ if test -z "$tmpfile" ; then
fi
# Remove the default value we previously set. Be very exact about it.
if grep -q default_ccache_name /etc/krb5.conf ; then
sed -r '/^ default_ccache_name = KEYRING:persistent:%%\{uid\}$/d' /etc/krb5.conf > "$tmpfile"
sed -r '|^ default_ccache_name = DIR:/run/user/%%\{uid\}/krb5cc$|d' /etc/krb5.conf > "$tmpfile"
if test -s "$tmpfile" ; then
if touch -r /etc/krb5.conf "$tmpfile" ; then
cat "$tmpfile" > /etc/krb5.conf
@ -992,6 +994,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Wed Oct 2 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-21
- switch to the version of persistent-keyring that was just merged to
master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
* Mon Sep 30 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-20
- pull up fix for not calling a kdb plugin's check-transited-path
method before calling the library's default version, which only knows

2654
persistent_keyring.patch
View File

File diff suppressed because it is too large Load Diff