From bd8c46afd26e166f11b938e8b77921953f850c83 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 15 Oct 2013 16:50:37 -0400 Subject: [PATCH] Drop backport for RT#7598 --- krb5-1.11-gss-client-keytab.patch | 131 ------------------------------ krb5.spec | 3 +- 2 files changed, 1 insertion(+), 133 deletions(-) delete mode 100644 krb5-1.11-gss-client-keytab.patch diff --git a/krb5-1.11-gss-client-keytab.patch b/krb5-1.11-gss-client-keytab.patch deleted file mode 100644 index 3c1e964..0000000 --- a/krb5-1.11-gss-client-keytab.patch +++ /dev/null @@ -1,131 +0,0 @@ -Originally http://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?h=gss_cs&id=a3b9bf20df1d976775ed929d8cb5f4844e03b1bf - -commit a3b9bf20df1d976775ed929d8cb5f4844e03b1bf -Author: Simo Sorce -Date: Thu Mar 28 12:53:01 2013 -0400 - - Add support for client keytab from cred store - - The new credential store extensions added support for specifying a - specific ccache name and also a specific keytab to be used for accepting - security contexts, but did not add a way to specify a client keytab - to be used in conjunction with the Keytab initiation support added also - in 1.11 - - This patch introduces a new URN named client_keytab through which a - specific client_keytab can be set when calling gss_acquire_cred_from() - and Keytab Initiation will use that keytab to initialize credentials. - -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index 4d499e4..8540bf3 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -636,6 +636,7 @@ acquire_init_cred(krb5_context context, - OM_uint32 *minor_status, - krb5_ccache req_ccache, - gss_buffer_t password, -+ krb5_keytab client_keytab, - krb5_gss_cred_id_rec *cred) - { - krb5_error_code code; -@@ -659,9 +660,13 @@ acquire_init_cred(krb5_context context, - goto error; - } - -- code = krb5_kt_client_default(context, &cred->client_keytab); -- if (code) -- goto error; -+ if (client_keytab != NULL) -+ cred->client_keytab = client_keytab; -+ else { -+ code = krb5_kt_client_default(context, &cred->client_keytab); -+ if (code) -+ goto error; -+ } - - if (password != GSS_C_NO_BUFFER) { - pwdata = make_data(password->value, password->length); -@@ -719,8 +724,9 @@ static OM_uint32 - acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - gss_name_t desired_name, gss_buffer_t password, - OM_uint32 time_req, gss_cred_usage_t cred_usage, -- krb5_ccache ccache, krb5_keytab keytab, -- krb5_boolean iakerb, gss_cred_id_t *output_cred_handle, -+ krb5_ccache ccache, krb5_keytab client_keytab, -+ krb5_keytab keytab, krb5_boolean iakerb, -+ gss_cred_id_t *output_cred_handle, - OM_uint32 *time_rec) - { - krb5_gss_cred_id_t cred = NULL; -@@ -787,7 +793,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - * in cred->name if it wasn't set above. - */ - if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { -- ret = acquire_init_cred(context, minor_status, ccache, password, cred); -+ ret = acquire_init_cred(context, minor_status, ccache, password, -+ client_keytab, cred); - if (ret != GSS_S_COMPLETE) - goto error_out; - } -@@ -864,8 +871,8 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name, - } - - ret = acquire_cred_context(context, minor_status, desired_name, password, -- time_req, cred_usage, ccache, keytab, iakerb, -- output_cred_handle, time_rec); -+ time_req, cred_usage, ccache, NULL, keytab, -+ iakerb, output_cred_handle, time_rec); - - out: - krb5_free_context(context); -@@ -1130,6 +1137,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, - { - krb5_context context = NULL; - krb5_error_code code = 0; -+ krb5_keytab client_keytab = NULL; - krb5_keytab keytab = NULL; - krb5_ccache ccache = NULL; - const char *value; -@@ -1162,6 +1170,19 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, - } - } - -+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_CLI_KEYTAB_URN, &value); -+ if (GSS_ERROR(ret)) -+ goto out; -+ -+ if (value) { -+ code = krb5_kt_resolve(context, value, &client_keytab); -+ if (code != 0) { -+ *minor_status = code; -+ ret = GSS_S_CRED_UNAVAIL; -+ goto out; -+ } -+ } -+ - ret = kg_value_from_cred_store(cred_store, KRB5_CS_KEYTAB_URN, &value); - if (GSS_ERROR(ret)) - goto out; -@@ -1176,8 +1197,8 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, - } - - ret = acquire_cred_context(context, minor_status, desired_name, NULL, -- time_req, cred_usage, ccache, keytab, 0, -- output_cred_handle, time_rec); -+ time_req, cred_usage, ccache, client_keytab, -+ keytab, 0, output_cred_handle, time_rec); - - out: - if (ccache != NULL) -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 8215b10..310ff58 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -1227,6 +1227,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer) - - /* Credential store extensions */ - -+#define KRB5_CS_CLI_KEYTAB_URN "client_keytab" - #define KRB5_CS_KEYTAB_URN "keytab" - #define KRB5_CS_CCACHE_URN "ccache" - diff --git a/krb5.spec b/krb5.spec index 1446c98..502910f 100644 --- a/krb5.spec +++ b/krb5.spec @@ -88,7 +88,6 @@ Patch63: krb5-1.12-selinux-label.patch Patch71: krb5-1.11-dirsrv-accountlock.patch Patch86: krb5-1.9-debuginfo.patch Patch105: krb5-kvno-230379.patch -Patch117: krb5-1.11-gss-client-keytab.patch Patch121: krb5-cccol-primary.patch Patch123: krb5-1.11.2-empty_passwords.patch Patch124: krb5-1.11.2-arcfour_short.patch @@ -320,7 +319,6 @@ ln -s NOTICE LICENSE %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} %patch86 -p0 -b .debuginfo %patch105 -p1 -b .kvno -%patch117 -p1 -b .gss-client-keytab %patch121 -p1 -b .cccol-primary %patch123 -p1 -b .empty_passwords %patch124 -p1 -b .arcfour_short @@ -1032,6 +1030,7 @@ exit 0 - drop backport for RT#7689 - drop obsolete patch for fixing a use-before-init in a test program - drop obsolete patch teaching config.guess/config.sub about aarch64-linux + - drop backport for RT#7598 * Wed Oct 16 2013 Nalin Dahyabhai - 1.11.3-26 - create and own /etc/gss (#1019937)