author | Russ Allbery <eagle@eyrie.org> | 2013-12-09 20:58:28 -0800 |
---|---|---|
committer | Russ Allbery <eagle@eyrie.org> | 2013-12-09 20:58:28 -0800 |
commit | 0dea93872ae115fae9b779a3d7ea4a7176161262 (patch) | |
tree | 8a65d665ecceb7ec2a0e0a4e0a22a63851c60c16 | |
parent | 986295eaf893e631699883b09e9851bc52126d2f (diff) | |
parent | 0ea873a8dea1f2d0258e781a7a7538bf34cb474f (diff) |
Imported Upstream version 3.0
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | README | 25 | ||||
-rw-r--r-- | config.h.in | 17 | ||||
-rwxr-xr-x | configure | 283 | ||||
-rw-r--r-- | configure.ac | 13 | ||||
-rw-r--r-- | plugin/general.c | 14 |
7 files changed, 333 insertions, 32 deletions
diff --git a/Makefile.in b/Makefile.in index 65e87de..fe4b431 100644 --- a/Makefile.in +++ b/Makefile.in @@ -101,9 +101,9 @@ subdir = . DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/configure $(am__configure_deps) \ $(srcdir)/config.h.in $(top_srcdir)/portable/snprintf.c \ - $(top_srcdir)/portable/strndup.c \ + $(top_srcdir)/portable/asprintf.c \ $(top_srcdir)/portable/krb5-profile.c \ - $(top_srcdir)/portable/asprintf.c $(dist_sbin_SCRIPTS) \ + $(top_srcdir)/portable/strndup.c $(dist_sbin_SCRIPTS) \ $(top_srcdir)/build-aux/depcomp $(dist_man_MANS) NEWS README \ TODO build-aux/ar-lib build-aux/compile build-aux/config.guess \ build-aux/config.sub build-aux/depcomp build-aux/install-sh \ @@ -24,11 +24,12 @@ krb5-sync 3.0 (2013-12-09) still provided. Add a new string krb5.conf option, ad_base_instance, which, if set, - changes the way that password synchronization is handled. When this - option is set, the password for the principal formed by appending that + changes the way that password synchronization is handled. This option + is only available for Heimdal, not for MIT Kerberos. When this option + is set, the password for the principal formed by appending that instance to a base principal is propagated to Active Directory as the - password for the base principal. So, for instance, if this is set to - the string "windows", the password of the principal "user/windows" is + password for the base principal. For example, if this is set to the + string "windows", the password of the principal "user/windows" is propagated to Active Directory as the password for the principal "user" and password changes for the principal "user" are ignored. This special behavior only happens if "user/windows" exists in the 
@@ -255,6 +255,9 @@ CONFIGURATION ad_base_instance + This option is only available if built with Heimdal. It will result + in an initialization error if set when using MIT Kerberos. + If ad_base_instance is set, then any password change for a single-component principal (such as user@EXAMPLE.COM) will be handled somewhat specially. @@ -345,14 +348,14 @@ CONFIGURATION used by kadmind: [plugins] - kadm5_hook = { - module = krb5_sync:/usr/local/lib/krb5/plugins/kadm5_hook/sync.so - } + kadm5_hook = { + module = sync:/usr/local/lib/krb5/plugins/kadm5_hook/sync.so + } - You may wish to install krb5_sync.so under a krb5/plugins/kadm5_hook in - the library directory used for your Kerberos installation instead, if - that is not /usr/local/lib, in which case you can use - "kadm5_hook/sync.so" as the relative path to the plugin. + You may wish to install sync.so under a krb5/plugins/kadm5_hook in the + library directory used for your Kerberos installation instead, if that + is not /usr/local/lib, in which case you can use "kadm5_hook/sync.so" as + the relative path to the plugin. The kadmind patch for Heimdal adds a configuration option for the krb5.conf file in the [kadmin] section. If this option is not set, the @@ -365,14 +368,6 @@ CONFIGURATION to the configuration file used by kadmind and kpasswdd. Update the path for wherever the krb5-sync plugin is located. - The kadmind patch for older versions of MIT adds a similar configuration - option for the kdc.conf. To use the plugin on older versions of MIT, - add a line like: - - pwupdate_plugin = /usr/local/lib/krb5/plugins/kadm5_hook/sync.so - - to the local realm sub-section of the [realms] section. - ACTIVE DIRECTORY SETUP You need to create an Active Directory user account to be used by the diff --git a/config.h.in b/config.h.in index e5a3a6a..5712dee 100644 --- a/config.h.in +++ b/config.h.in 
@@ -84,12 +84,18 @@ /* Define to 1 if you have the <krb5.h> header file. */ #undef HAVE_KRB5_H +/* Define if your Kerberos implementation is Heimdal. */ +#undef HAVE_KRB5_HEIMDAL + /* Define to 1 if you have the <krb5/kadm5_hook_plugin.h> header file. */ #undef HAVE_KRB5_KADM5_HOOK_PLUGIN_H /* Define to 1 if you have the <krb5/krb5.h> header file. */ #undef HAVE_KRB5_KRB5_H +/* Define if your Kerberos implementation is MIT. */ +#undef HAVE_KRB5_MIT + /* Define to 1 if you have the `krb5_principal_get_comp_string' function. */ #undef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING @@ -224,6 +230,17 @@ /* Version number of package */ #undef VERSION +/* Enable large inode numbers on Mac OS X 10.5. */ +#ifndef _DARWIN_USE_64_BIT_INODE +# define _DARWIN_USE_64_BIT_INODE 1 +#endif + +/* Number of bits in a file offset, on hosts where this is settable. */ +#undef _FILE_OFFSET_BITS + +/* Define for large files, on AIX-style hosts. */ +#undef _LARGE_FILES + /* Define to 1 if on MINIX. */ #undef _MINIX @@ -770,6 +770,7 @@ enable_option_checking enable_silent_rules enable_maintainer_mode enable_dependency_tracking +enable_largefile enable_static enable_shared with_pic @@ -1425,6 +1426,7 @@ Optional Features: do not reject slow dependency extractors --disable-dependency-tracking speeds up one-time build + --disable-largefile omit support for large files --enable-static[=PKGS] build static libraries [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-fast-install[=PKGS] 
@@ -2134,6 +2136,63 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_type +# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES +# ---------------------------------------------------- +# Tries to find if the field MEMBER exists in type AGGR, after including +# INCLUDES, setting cache variable VAR accordingly. +ac_fn_c_check_member () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 +$as_echo_n "checking for $2.$3... " >&6; } +if eval \${$4+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (sizeof ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + eval "$4=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$4 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_member + # ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES # --------------------------------------------- # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR 
@@ -4716,6 +4775,205 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; } $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h +# Check whether --enable-largefile was given. +if test "${enable_largefile+set}" = set; then : + enableval=$enable_largefile; +fi + +if test "$enable_largefile" != no; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5 +$as_echo_n "checking for special C compiler options needed for large files... " >&6; } +if ${ac_cv_sys_largefile_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_sys_largefile_CC=no + if test "$GCC" != yes; then + ac_save_CC=$CC + while :; do + # IRIX 6.2 and later do not support large files by default, + # so use the C compiler's -n32 option if that helps. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <sys/types.h> + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 
1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + break +fi +rm -f core conftest.err conftest.$ac_objext + CC="$CC -n32" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_largefile_CC=' -n32'; break +fi +rm -f core conftest.err conftest.$ac_objext + break + done + CC=$ac_save_CC + rm -f conftest.$ac_ext + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5 +$as_echo "$ac_cv_sys_largefile_CC" >&6; } + if test "$ac_cv_sys_largefile_CC" != no; then + CC=$CC$ac_cv_sys_largefile_CC + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5 +$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; } +if ${ac_cv_sys_file_offset_bits+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <sys/types.h> + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _FILE_OFFSET_BITS 64 +#include <sys/types.h> + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. 
*/ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=64; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_file_offset_bits=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5 +$as_echo "$ac_cv_sys_file_offset_bits" >&6; } +case $ac_cv_sys_file_offset_bits in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits +_ACEOF +;; +esac +rm -rf conftest* + if test $ac_cv_sys_file_offset_bits = unknown; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5 +$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; } +if ${ac_cv_sys_large_files+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <sys/types.h> + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _LARGE_FILES 1 +#include <sys/types.h> + /* Check that off_t can represent 2**63 - 1 correctly. 
+ We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=1; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_large_files=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5 +$as_echo "$ac_cv_sys_large_files" >&6; } +case $ac_cv_sys_large_files in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _LARGE_FILES $ac_cv_sys_large_files +_ACEOF +;; +esac +rm -rf conftest* + fi + + +fi if test -n "$ac_tool_prefix"; then @@ -4889,6 +5147,7 @@ unknown) ;; esac + # Check whether --enable-static was given. if test "${enable_static+set}" = set; then : enableval=$enable_static; p=${PACKAGE-default} @@ -15675,7 +15934,17 @@ _ACEOF fi done -ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" " +ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "$ac_includes_default" +if test "x$ac_cv_type_krb5_realm" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_REALM 1 +_ACEOF + + +fi + +ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_session" " #if HAVE_KRB5_H # include <krb5.h> #else 
@@ -15683,15 +15952,15 @@ ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" " #endif " -if test "x$ac_cv_type_krb5_realm" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_REALM 1 -_ACEOF +if test "x$ac_cv_member_krb5_creds_session" = xyes; then : +$as_echo "#define HAVE_KRB5_HEIMDAL 1" >>confdefs.h else - for ac_header in krb5/kadm5_hook_plugin.h + +$as_echo "#define HAVE_KRB5_MIT 1" >>confdefs.h + + for ac_header in krb5/kadm5_hook_plugin.h do : ac_fn_c_check_header_mongrel "$LINENO" "krb5/kadm5_hook_plugin.h" "ac_cv_header_krb5_kadm5_hook_plugin_h" "$ac_includes_default" if test "x$ac_cv_header_krb5_kadm5_hook_plugin_h" = xyes; then : diff --git a/configure.ac b/configure.ac index 811e4aa..f8432d3 100644 --- a/configure.ac +++ b/configure.ac @@ -17,9 +17,10 @@ AM_MAINTAINER_MODE AC_PROG_CC AC_USE_SYSTEM_EXTENSIONS +AC_SYS_LARGEFILE AM_PROG_CC_C_O -AC_PROG_INSTALL m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) +AC_PROG_INSTALL AM_DISABLE_STATIC LT_INIT @@ -38,8 +39,14 @@ AC_CHECK_FUNCS([krb5_free_default_realm \ krb5_principal_get_realm \ krb5_principal_set_realm \ krb5_xfree]) -AC_CHECK_TYPES([krb5_realm], [], - [AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5]) +AC_CHECK_TYPES([krb5_realm]) +AC_CHECK_MEMBER([krb5_creds.session], + [AC_DEFINE([HAVE_KRB5_HEIMDAL], [1], + [Define if your Kerberos implementation is Heimdal.])], + [AC_DEFINE([HAVE_KRB5_MIT], [1], + [Define if your Kerberos implementation is MIT.]) + AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], + [RRA_INCLUDES_KRB5]) AC_CHECK_FUNCS([krb5_get_init_creds_opt_free], [RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS]) AC_CHECK_FUNCS([krb5_appdefault_string], [], diff --git a/plugin/general.c b/plugin/general.c index 1639ddc..b6bb6a1 100644 --- a/plugin/general.c +++ b/plugin/general.c 
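Review bot: In configure.ac, the `AC_CHECK_MEMBER([krb5_creds.session], ...)` probe defines `HAVE_KRB5_MIT` whenever the member is not found, so any failure of the test compile (for example a Kerberos header that was not located) is classified as MIT rather than reported as an error. For the `ad_base_instance` guard in plugin/general.c this errs on the safe side, because the option is then rejected, but the file does not say why this member was chosen as the discriminator. I would add a comment above the check such as `dnl krb5_creds.session exists only in Heimdal (MIT calls the field keyblock); absence is taken to mean MIT.`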
@@ -55,8 +55,20 @@ sync_init(krb5_context ctx, kadm5_hook_modinfo **result) /* Get allowed instances from krb5.conf. */ sync_config_list(ctx, "ad_instances", &config->ad_instances); - /* See if we're propagating an instance to the base account in AD. */ + /* + * See if we're propagating an instance to the base account in AD. This + * option is not supported on MIT Kerberos and results in an error there, + * since calling libkadm5srv functions from inside a plugin appears to + * result in corruption with MIT Kerberos (at least in 1.10.1). + */ sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance); +#if HAVE_KRB5_MIT + if (config->ad_base_instance != NULL) { + sync_close(ctx, config); + return sync_error_config(ctx, "ad_base_instance not supported on MIT" + " Kerberos"); + } +#endif /* See if we're forcing queuing of all changes. */ sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only); |
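Review bot: The new MIT-only branch calls `sync_close(ctx, config)` on a configuration that is only partly populated, since `ad_queue_only` and anything read after it have not been set yet. That is safe only if `config` was zero-initialised when allocated and `sync_close` tolerates NULL members; both are outside this hunk, because sync_init starts before it and continues past it, so please confirm. It is also worth checking that `*result` has not been assigned before this point, so kadmind is never handed a pointer that was just freed. As a style point, `#ifdef HAVE_KRB5_MIT` would avoid a `-Wundef` warning, since config.h.in leaves the macro undefined on Heimdal builds.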