diff --git a/krb5-1.11-gss-client-keytab.patch b/krb5-1.11-gss-client-keytab.patch new file mode 100644 index 0000000..3c1e964 --- /dev/null +++ b/krb5-1.11-gss-client-keytab.patch @@ -0,0 +1,131 @@ +Originally http://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?h=gss_cs&id=a3b9bf20df1d976775ed929d8cb5f4844e03b1bf + +commit a3b9bf20df1d976775ed929d8cb5f4844e03b1bf +Author: Simo Sorce +Date: Thu Mar 28 12:53:01 2013 -0400 + + Add support for client keytab from cred store + + The new credential store extensions added support for specifying a + specific ccache name and also a specific keytab to be used for accepting + security contexts, but did not add a way to specify a client keytab + to be used in conjunction with the Keytab initiation support added also + in 1.11 + + This patch introduces a new URN named client_keytab through which a + specific client_keytab can be set when calling gss_acquire_cred_from() + and Keytab Initiation will use that keytab to initialize credentials. + +diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c +index 4d499e4..8540bf3 100644 +--- a/src/lib/gssapi/krb5/acquire_cred.c ++++ b/src/lib/gssapi/krb5/acquire_cred.c +@@ -636,6 +636,7 @@ acquire_init_cred(krb5_context context, + OM_uint32 *minor_status, + krb5_ccache req_ccache, + gss_buffer_t password, ++ krb5_keytab client_keytab, + krb5_gss_cred_id_rec *cred) + { + krb5_error_code code; +@@ -659,9 +660,13 @@ acquire_init_cred(krb5_context context, + goto error; + } + +- code = krb5_kt_client_default(context, &cred->client_keytab); +- if (code) +- goto error; ++ if (client_keytab != NULL) ++ cred->client_keytab = client_keytab; ++ else { ++ code = krb5_kt_client_default(context, &cred->client_keytab); ++ if (code) ++ goto error; ++ } + + if (password != GSS_C_NO_BUFFER) { + pwdata = make_data(password->value, password->length); +@@ -719,8 +724,9 @@ static OM_uint32 + acquire_cred_context(krb5_context context, OM_uint32 *minor_status, + gss_name_t desired_name, gss_buffer_t password, + OM_uint32 time_req, gss_cred_usage_t cred_usage, +- krb5_ccache ccache, krb5_keytab keytab, +- krb5_boolean iakerb, gss_cred_id_t *output_cred_handle, ++ krb5_ccache ccache, krb5_keytab client_keytab, ++ krb5_keytab keytab, krb5_boolean iakerb, ++ gss_cred_id_t *output_cred_handle, + OM_uint32 *time_rec) + { + krb5_gss_cred_id_t cred = NULL; +@@ -787,7 +793,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, + * in cred->name if it wasn't set above. + */ + if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { +- ret = acquire_init_cred(context, minor_status, ccache, password, cred); ++ ret = acquire_init_cred(context, minor_status, ccache, password, ++ client_keytab, cred); + if (ret != GSS_S_COMPLETE) + goto error_out; + } +@@ -864,8 +871,8 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name, + } + + ret = acquire_cred_context(context, minor_status, desired_name, password, +- time_req, cred_usage, ccache, keytab, iakerb, +- output_cred_handle, time_rec); ++ time_req, cred_usage, ccache, NULL, keytab, ++ iakerb, output_cred_handle, time_rec); + + out: + krb5_free_context(context); +@@ -1130,6 +1137,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, + { + krb5_context context = NULL; + krb5_error_code code = 0; ++ krb5_keytab client_keytab = NULL; + krb5_keytab keytab = NULL; + krb5_ccache ccache = NULL; + const char *value; +@@ -1162,6 +1170,19 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, + } + } + ++ ret = kg_value_from_cred_store(cred_store, KRB5_CS_CLI_KEYTAB_URN, &value); ++ if (GSS_ERROR(ret)) ++ goto out; ++ ++ if (value) { ++ code = krb5_kt_resolve(context, value, &client_keytab); ++ if (code != 0) { ++ *minor_status = code; ++ ret = GSS_S_CRED_UNAVAIL; ++ goto out; ++ } ++ } ++ + ret = kg_value_from_cred_store(cred_store, KRB5_CS_KEYTAB_URN, &value); + if (GSS_ERROR(ret)) + goto out; +@@ -1176,8 +1197,8 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, + } + + ret = acquire_cred_context(context, minor_status, desired_name, NULL, +- time_req, cred_usage, ccache, keytab, 0, +- output_cred_handle, time_rec); ++ time_req, cred_usage, ccache, client_keytab, ++ keytab, 0, output_cred_handle, time_rec); + + out: + if (ccache != NULL) +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 8215b10..310ff58 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -1227,6 +1227,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer) + + /* Credential store extensions */ + ++#define KRB5_CS_CLI_KEYTAB_URN "client_keytab" + #define KRB5_CS_KEYTAB_URN "keytab" + #define KRB5_CS_CCACHE_URN "ccache" + diff --git a/krb5.spec b/krb5.spec index b3a5dac..928d119 100644 --- a/krb5.spec +++ b/krb5.spec @@ -76,6 +76,7 @@ Patch113: krb5-1.11-alpha1-init.patch Patch114: krb5-lookup_etypes-leak.patch Patch115: krb5-1.11.1-interposers.patch Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch +Patch117: krb5-1.11-gss-client-keytab.patch Patch201: 0001-add-libk5radius.patch Patch202: 0002-Add-internal-KDC_DIR-macro.patch @@ -294,6 +295,7 @@ ln -s NOTICE LICENSE %patch114 -p1 -b .lookup_etypes-leak %patch115 -p1 -b .interposers %patch116 -p1 -b .aarch64 +%patch117 -p1 -b .gss-client-keytab %patch201 -p1 -b .add-libk5radius %patch202 -p1 -b .add-internal-kdc_dir @@ -819,6 +821,8 @@ exit 0 since that's what the libraries actually look for - add buildrequires on nss-myhostname, in an attempt to get more of the tests to run properly during builds +- pull in Simo's patch to recognize "client_keytab" as a key type which can + be passed in to gss_acquire_cred_from() * Tue Mar 26 2013 Nalin Dahyabhai 1.11.1-5 - pull up Simo's patch to mark the correct mechanism on imported GSSAPI