[mod_auth_kerb/f19] - Fix principal creation in Constrained Delegation so the principal can be defined in KrbServiceNa
rcritten
rcritten at fedoraproject.org
Wed Jan 22 20:31:03 UTC 2014
commit 13b67d6a76ba24d09ec15e9c276d8153e50f159a
Author: Rob Crittenden <rcritten at redhat.com>
Date: Tue Jan 21 15:44:22 2014 -0500
- Fix principal creation in Constrained Delegation so the principal can
be defined in KrbServiceName rather than always computing the value.
(#1012665)
mod_auth_kerb-5.4-s4u2proxy.patch | 40 +++++++++++++++++++++++-------------
mod_auth_kerb.spec | 7 +++++-
2 files changed, 31 insertions(+), 16 deletions(-)
---
diff --git a/mod_auth_kerb-5.4-s4u2proxy.patch b/mod_auth_kerb-5.4-s4u2proxy.patch
index 031f87e..07a6e3b 100644
--- a/mod_auth_kerb-5.4-s4u2proxy.patch
+++ b/mod_auth_kerb-5.4-s4u2proxy.patch
@@ -19,9 +19,10 @@ These are patches against the current CVS HEAD (mod_auth_krb 5.4).
I've added a new module option to enable this support,
KrbConstrainedDelegation. The default is off.
+diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
++++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
credential cache that will be available for the request handler. The ticket
file will be removed after request is handled.
@@ -39,8 +40,8 @@ KrbConstrainedDelegation. The default is off.
+
$Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500
@@ -42,6 +42,31 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
@@ -184,7 +185,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
server_creds, NULL, NULL);
gss_release_name(&minor_status2, &server_name);
if (GSS_ERROR(major_status)) {
-@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID
}
#endif
@@ -371,16 +372,25 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
+ }
+
+ if (NULL == princ) {
-+ princ_name = apr_psprintf(r->pool, "%s/%s",
-+ (service_name) ? service_name : SERVICE_NAME,
-+ ap_get_server_name(r));
-+
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ if (strchr(service_name, '/') != NULL)
++ kerr = krb5_parse_name(kcontext, service_name, &princ);
++ else
++ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
++ (service_name) ? service_name : SERVICE_NAME,
++ KRB5_NT_SRV_HST, &princ);
++
++ if (kerr) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d) ",
-+ princ_name, error_message(kerr), kerr);
++ "Could not parse principal: %s (%d) ",
++ error_message(kerr), kerr);
+ goto unlock;
+ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ }
+ } else if (NULL == princ_name) {
+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -478,7 +488,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
-@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type)
/***************************************************************************
Module Setup/Configuration
***************************************************************************/
@@ -539,7 +549,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
1.3.x are covered by the hack overiding the replay calls */
-@@ -1741,6 +2146,7 @@ static int
+@@ -1741,6 +2155,7 @@ static int
kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
@@ -547,7 +557,7 @@ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.
ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
putenv(strdup("KRB5RCACHETYPE=none"));
#endif
diff --git a/mod_auth_kerb.spec b/mod_auth_kerb.spec
index 2ff3b10..d5ad2fb 100644
--- a/mod_auth_kerb.spec
+++ b/mod_auth_kerb.spec
@@ -8,7 +8,7 @@
Summary: Kerberos authentication module for HTTP
Name: mod_auth_kerb
Version: 5.4
-Release: 24%{?dist}
+Release: 25%{?dist}
# src/mod_auth_kerb.c is under 3-clause BSD, ASL 2.0 code is patched in (-s4u2proxy.patch)
# src/mit-internals.h contains MIT-licensed code.
License: BSD and MIT and ASL 2.0
@@ -88,6 +88,11 @@ cp -p %{SOURCE2} .
%attr(0700,apache,apache) %dir /run/httpd/krbcache
%changelog
+* Wed Jan 22 2014 Rob Crittenden <rcritten at redhat.com> - 5.4-25
+- Fix principal creation in Constrained Delegation so the principal can
+ be defined in KrbServiceName rather than always computing the value.
+ (#1012665)
+
* Tue Jun 04 2013 Jan Kaluza <jkaluza at redhat.com> - 5.4-24
- don't truncate translated names with KrbLocalUserMapping