[krb5] Pull in fix to improve SPNEGO error messages

Nalin Dahyabhai nalin at fedoraproject.org
Thu Dec 19 16:52:37 UTC 2013


commit e1cb52723825480e8ef4b512798b938e118fe108
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Thu Dec 19 11:52:30 2013 -0500

    Pull in fix to improve SPNEGO error messages
    
    - pull in fix from master to make reporting of errors encountered by the
      SPNEGO mechanism work better (RT#7045, part of #1043962)

 krb5-master-spnego_error_messages.patch |   44 +++++++++++++++++++++++++++++++
 krb5.spec                               |    8 +++++-
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/krb5-master-spnego_error_messages.patch b/krb5-master-spnego_error_messages.patch
new file mode 100644
index 0000000..6840708
--- /dev/null
+++ b/krb5-master-spnego_error_messages.patch
@@ -0,0 +1,44 @@
+commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Wed Dec 18 16:03:16 2013 -0500
+
+    Test SPNEGO error message in t_s4u.py
+    
+    Now that #7045 is fixed, we can check for the correct error message
+    from t_s4u2proxy_krb5 with --spnego.
+    
+    ticket: 7045
+
+diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
+index 67dc810..e4aa259 100644
+--- a/src/tests/gssapi/t_s4u.py
++++ b/src/tests/gssapi/t_s4u.py
+@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
+     'NOT_ALLOWED_TO_DELEGATE' not in output):
+     fail('krb5 -> s4u2proxy')
+ 
+-# Again with SPNEGO.  Bug #7045 prevents us from checking the error
+-# message, but we can at least exercise the code.
++# Again with SPNEGO.
+ output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
+                     '-', pservice1, pservice2],
+                    expected_code=1)
+-if ('auth1: ' + realm.user_princ not in output):
++if ('auth1: ' + realm.user_princ not in output or
++    'NOT_ALLOWED_TO_DELEGATE' not in output):
+     fail('krb5 -> s4u2proxy (SPNEGO)')
+ 
+ # Try krb5 -> S4U2Proxy without forwardable user creds.  This should
+@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
+     fail('s4u2self')
+ 
+ # Again with SPNEGO.  This uses SPNEGO for the initial authentication,
+-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
++# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
+ # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
+-# directly rather than saving and reacquiring it) so bug #7045 does
+-# not apply and we can verify the error message.
++# directly rather than saving and reacquiring it.
+ output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
+ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
+     fail('s4u2self')
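Review bot: The patch file added here carries only upstream commit 4faca53e, which edits `src/tests/gssapi/t_s4u.py`; nothing in it touches the SPNEGO mechanism code, although the commit message and changelog describe it as the fix for RT#7045. Unless that fix is already in the 1.12 tarball or an earlier patch (not visible in this diff), the tightened check `'NOT_ALLOWED_TO_DELEGATE' not in output` on the `--spnego` run would presumably fail whenever the test suite runs at build time, and the packaged library would report SPNEGO errors exactly as before. I would add the upstream library commit(s) for #7045 to this patch file ahead of the test commit, or reword the changelog entry to say the change is test-only.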
diff --git a/krb5.spec b/krb5.spec
index 8eef584..5bb3da4 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -95,6 +95,7 @@ Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch
 Patch137: krb5-master-gss_oid_leak.patch
 Patch138: krb5-master-keytab_close.patch
 Patch139: krb5-1.12-copy_context.patch
+Patch140: krb5-master-spnego_error_messages.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -313,6 +314,7 @@ ln -s NOTICE LICENSE
 %patch137 -p1 -b .gss_oid_leak
 %patch138 -p1 -b .keytab_close
 %patch139 -p1 -b .copy_context
+%patch140 -p1 -b .spnego_error_messages
 
 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@@ -967,6 +969,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu Dec 19 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.12-5
+- pull in fix from master to make reporting of errors encountered by
+  the SPNEGO mechanism work better (RT#7045, part of #1043962)
+
 * Thu Dec 19 2013 Nalin Dahyabhai <nalin at redhat.com>
 - update a test wrapper to properly handle things that the new libkrad does,
   and add python-pyrad as a build requirement so that we can run its tests

