| From 55d9bf151b100db9bf52e8f968e33f3ae1d234f5 Mon Sep 17 00:00:00 2001
 | |
| From: Olga Kornievskaia <okorniev@redhat.com>
 | |
| Date: Mon, 24 Mar 2025 08:40:32 -0400
 | |
| Subject: [PATCH 1/2] gssd: unconditionally use krb5_get_init_creds_opt_alloc
 | |
| 
 | |
| Note: This patch has a context difference from the upstream version
 | |
| because RHEL 8 does not have c8659457 ("gssd: We never use the nocache
 | |
| param of gssd_check_if_cc_exists()") or f066f87b ("gssd: enable forcing
 | |
| cred renewal using the keytab").
 | |
| 
 | |
| Original commit message:
 | |
| 
 | |
| Modern kerberos API uses krb5_get_init_creds_opt_alloc() for managing
 | |
| its options for credential data structure.
 | |
| 
 | |
| Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
 | |
| Signed-off-by: Steve Dickson <steved@redhat.com>
 | |
| (cherry picked from commit 9b3f949331c6541a358fc28bac323533f94d7e0b)
 | |
| Signed-off-by: Scott Mayhew <smayhew@redhat.com>
 | |
| ---
 | |
|  utils/gssd/krb5_util.c | 37 ++++++++++---------------------------
 | |
|  1 file changed, 10 insertions(+), 27 deletions(-)
 | |
| 
 | |
| diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
 | |
| index a1a77a2f..871add74 100644
 | |
| --- a/utils/gssd/krb5_util.c
 | |
| +++ b/utils/gssd/krb5_util.c
 | |
| @@ -370,12 +370,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 | |
|  			  struct gssd_k5_kt_princ *ple,
 | |
|  			  int nocache)
 | |
|  {
 | |
| -#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
 | |
| -	krb5_get_init_creds_opt *init_opts = NULL;
 | |
| -#else
 | |
| -	krb5_get_init_creds_opt options;
 | |
| -#endif
 | |
| -	krb5_get_init_creds_opt *opts;
 | |
| +	krb5_get_init_creds_opt *opts = NULL;
 | |
|  	krb5_creds my_creds;
 | |
|  	krb5_ccache ccache = NULL;
 | |
|  	char kt_name[BUFSIZ];
 | |
| @@ -413,33 +408,23 @@ gssd_get_single_krb5_cred(krb5_context context,
 | |
|  	if ((krb5_unparse_name(context, ple->princ, &pname)))
 | |
|  		pname = NULL;
 | |
|  
 | |
| -#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
 | |
| -	code = krb5_get_init_creds_opt_alloc(context, &init_opts);
 | |
| +	code = krb5_get_init_creds_opt_alloc(context, &opts);
 | |
|  	if (code) {
 | |
|  		k5err = gssd_k5_err_msg(context, code);
 | |
|  		printerr(0, "ERROR: %s allocating gic options\n", k5err);
 | |
|  		goto out;
 | |
|  	}
 | |
| -	if (krb5_get_init_creds_opt_set_addressless(context, init_opts, 1))
 | |
| +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
 | |
| +	if (krb5_get_init_creds_opt_set_addressless(context, opts, 1))
 | |
|  		printerr(1, "WARNING: Unable to set option for addressless "
 | |
|  			 "tickets.  May have problems behind a NAT.\n");
 | |
| -#ifdef TEST_SHORT_LIFETIME
 | |
| -	/* set a short lifetime (for debugging only!) */
 | |
| -	printerr(1, "WARNING: Using (debug) short machine cred lifetime!\n");
 | |
| -	krb5_get_init_creds_opt_set_tkt_life(init_opts, 5*60);
 | |
| +#else
 | |
| +	krb5_get_init_creds_opt_set_address_list(opts, NULL);
 | |
|  #endif
 | |
| -	opts = init_opts;
 | |
| -
 | |
| -#else	/* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS */
 | |
| -
 | |
| -	krb5_get_init_creds_opt_init(&options);
 | |
| -	krb5_get_init_creds_opt_set_address_list(&options, NULL);
 | |
|  #ifdef TEST_SHORT_LIFETIME
 | |
|  	/* set a short lifetime (for debugging only!) */
 | |
| -	printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");
 | |
| -	krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
 | |
| -#endif
 | |
| -	opts = &options;
 | |
| +	printerr(1, "WARNING: Using (debug) short machine cred lifetime!\n");
 | |
| +	krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
 | |
|  #endif
 | |
|  
 | |
|  	if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
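Review bot: The merged `TEST_SHORT_LIFETIME` block logs its warning with `printerr(1, ...)`, whereas the removed non-addressless branch logged the same message at level 0, so builds without `HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS` now report it at a lower priority than before. If level 0 is the always-printed level (the `ERROR: %s allocating gic options` call in this hunk uses it), a binary accidentally built with the debug define would request 5-minute machine credentials without reporting it at default verbosity. Consider keeping `printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");` for both configurations, or mention the level change in the commit message. The body of gssd_get_single_krb5_cred continues outside this hunk.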
 | |
| @@ -500,10 +485,8 @@ gssd_get_single_krb5_cred(krb5_context context,
 | |
|  	printerr(2, "%s(0x%lx): principal '%s' ccache:'%s'\n", 
 | |
|  		__func__, tid, pname, cc_name);
 | |
|    out:
 | |
| -#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
 | |
| -	if (init_opts)
 | |
| -		krb5_get_init_creds_opt_free(context, init_opts);
 | |
| -#endif
 | |
| +	if (opts)
 | |
| +		krb5_get_init_creds_opt_free(context, opts);
 | |
|  	if (pname)
 | |
|  		k5_free_unparsed_name(context, pname);
 | |
|  	if (ccache)
 | |
| -- 
 | |
| 2.43.0
 | |
| 
 |