- proposed fix for not being able to find delegated krb5 creds when using
spnego
parent
359196dde6
commit
6e3299423a
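--- a/krb5-trunk-spnego_delegation.patch
+++ b/krb5-trunk-spnego_delegation.patch
@@ -0,0 +1,44 @@
+An spnego credential is itself a union credential, so search through it
+when we're looking for credentials of a mechanism which may already have
+been wrapped by spnego.
+
+Index: src/lib/gssapi/mechglue/g_glue.c
+===================================================================
+--- src/lib/gssapi/mechglue/g_glue.c (revision 20093)
++++ src/lib/gssapi/mechglue/g_glue.c (working copy)
+@@ -33,6 +33,8 @@
+#define MSO_BIT (8*(sizeof (int) - 1)) /* Most significant octet bit */
+
+extern gss_mechanism *gssint_mechs_array;
++#define SPNEGO_OID_LENGTH 6
++#define SPNEGO_OID "\053\006\001\005\005\002"
+
+/*
+* This file contains the support routines for the glue layer.
+@@ -548,6 +550,8 @@
+gss_OID mech_type;
+{
+int i;
++ gss_union_cred_t spnego_cred;
++ gss_cred_id_t mech_cred;
+
+if (union_cred == GSS_C_NO_CREDENTIAL)
+return GSS_C_NO_CREDENTIAL;
+@@ -555,6 +559,17 @@
+for (i=0; i < union_cred->count; i++) {
+if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
+return union_cred->cred_array[i];
++
++ /* if this is an spnego credential, search its contents */
++ if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) &&
++ (memcmp(union_cred->mechs_array[i].elements,
++ SPNEGO_OID,
++ SPNEGO_OID_LENGTH) == 0)) {
++ spnego_cred = union_cred->cred_array[i];
++ mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type);
++ if (mech_cred != GSS_C_NO_CREDENTIAL)
++ return mech_cred;
++ }
+}
+return GSS_C_NO_CREDENTIAL;
+}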
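Review bot: In the third embedded hunk, `spnego_cred = union_cred->cred_array[i];` reinterprets an opaque per-mechanism `gss_cred_id_t` as a `gss_union_cred_t` on the strength of the OID match alone. The recursive `gssint_get_mechanism_cred()` call then reads `count`, `mechs_array` and `cred_array` from whatever that handle points to. If the spnego mechanism ever stores something other than a mechglue union credential there, this becomes a type-confused read of credential memory. I would make the cast explicit and record the invariant next to it: `spnego_cred = (gss_union_cred_t)union_cred->cred_array[i]; /* valid only while spnego keeps a mechglue union cred as its handle */`. If this tree has a validity check for union credentials, it should run before recursing. The recursion has no depth bound, so a nested spnego entry recurses again. The function's signature and its `union_cred` parameter declaration sit above the quoted context.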
|
@ -93,6 +93,7 @@ Patch62: krb5-any-fixup-patch.txt
|
||||
Patch63: krb5-1.6.1-selinux-label.patch
|
||||
Patch64: krb5-ok-as-delegate.patch
|
||||
Patch67: krb5-trunk-server_delegation.patch
|
||||
Patch68: krb5-trunk-spnego_delegation.patch
|
||||
|
||||
License: MIT, freely distributable.
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -1240,6 +1241,7 @@ popd
|
||||
#%patch59 -p0 -b .kpasswd_tcp
|
||||
#%patch64 -p0 -b .ok-as-delegate
|
||||
#%patch67 -p0 -b .server-delegation
|
||||
#%patch68 -p0 -b .spnego_delegation
|
||||
cp src/krb524/README README.krb524
|
||||
gzip doc/*.ps
|
||||
|
||||
|
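Review bot: The `#%patch68 -p0 -b .spnego_delegation` line in the %prep hunk is commented out, like the `#%patch64` and `#%patch67` lines above it. The `Patch68:` tag therefore appears to carry the file in the source package without applying it, so a build from this spec would not contain the mechglue change. The page does not mark which lines were added, so this assumes the `patch68` lines are the new ones. If leaving it disabled is deliberate for a "proposed fix", a comment directly above the line would stop a later reader from assuming the fix is in the shipped library, for example `# patch68 is carried for review only and is not applied`.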