[mod_auth_kerb] handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500
Jan Kaluža
jkaluza at fedoraproject.org
Tue Jul 9 09:05:00 UTC 2013
commit 70f9011e517a302f40272f1402866be7bac9adbf
Author: Jan Kaluza <hanzz.k at gmail.com>
Date: Tue Jul 9 11:04:11 2013 +0200
handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500
when trying to auth with expired token from Firefox
mod_auth_kerb-5.4-handle-continue.patch | 20 ++++++++++++++++++++
mod_auth_kerb.spec | 8 +++++++-
2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/mod_auth_kerb-5.4-handle-continue.patch b/mod_auth_kerb-5.4-handle-continue.patch
new file mode 100644
index 0000000..4b77a49
--- /dev/null
+++ b/mod_auth_kerb-5.4-handle-continue.patch
@@ -0,0 +1,20 @@
+diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
+index 2aab5ee..ca81878 100644
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ goto end;
+ }
+
+-#if 0
+ /* This is a _Kerberos_ module so multiple authentication rounds aren't
+ * supported. If we wanted a generic GSS authentication we would have to do
+ * some magic with exporting context etc. */
+@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+-#endif
+
+ major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
+ gss_release_name(&minor_status, &client_name);
diff --git a/mod_auth_kerb.spec b/mod_auth_kerb.spec
index 2ff3b10..590dbcd 100644
--- a/mod_auth_kerb.spec
+++ b/mod_auth_kerb.spec
@@ -8,7 +8,7 @@
Summary: Kerberos authentication module for HTTP
Name: mod_auth_kerb
Version: 5.4
-Release: 24%{?dist}
+Release: 25%{?dist}
# src/mod_auth_kerb.c is under 3-clause BSD, ASL 2.0 code is patched in (-s4u2proxy.patch)
# src/mit-internals.h contains MIT-licensed code.
License: BSD and MIT and ASL 2.0
@@ -24,6 +24,7 @@ Patch4: mod_auth_kerb-5.4-httpd24.patch
Patch5: mod_auth_kerb-5.4-delegation.patch
Patch6: mod_auth_kerb-5.4-cachedir.patch
Patch7: mod_auth_kerb-5.4-longuser.patch
+Patch8: mod_auth_kerb-5.4-handle-continue.patch
BuildRequires: httpd-devel, krb5-devel
Requires: httpd-mmn = %{_httpd_mmn}
Requires(pre): httpd
@@ -47,6 +48,7 @@ authentication based on ticket exchanges.
%patch5 -p1 -b .delegation
%patch6 -p1 -b .cachedir
%patch7 -p1 -b .longuser
+%patch8 -p1 -b .continue
%build
export APXS=%{_httpd_apxs}
@@ -88,6 +90,10 @@ cp -p %{SOURCE2} .
%attr(0700,apache,apache) %dir /run/httpd/krbcache
%changelog
+* Tue Jul 09 2013 Jan Kaluza <jkaluza at redhat.com> - 5.4-25
+- handle GSS_S_CONTINUE_NEEDED returned by accept_sec_token, fixes error 500
+ when trying to auth with expired token from Firefox
+
* Tue Jun 04 2013 Jan Kaluza <jkaluza at redhat.com> - 5.4-24
- don't truncate translated names with KrbLocalUserMapping
More information about the scm-commits
mailing list