authorRuss Allbery <eagle@eyrie.org>2013-12-09 20:58:28 -0800
committerRuss Allbery <eagle@eyrie.org>2013-12-09 20:58:28 -0800
commit0dea93872ae115fae9b779a3d7ea4a7176161262 (patch)
tree8a65d665ecceb7ec2a0e0a4e0a22a63851c60c16
parent986295eaf893e631699883b09e9851bc52126d2f (diff)
parent0ea873a8dea1f2d0258e781a7a7538bf34cb474f (diff)
Imported Upstream version 3.0
-rw-r--r--Makefile.in4
-rw-r--r--NEWS9
-rw-r--r--README25
-rw-r--r--config.h.in17
-rwxr-xr-xconfigure283
-rw-r--r--configure.ac13
-rw-r--r--plugin/general.c14
7 files changed, 333 insertions, 32 deletions
diff --git a/Makefile.in b/Makefile.in
index 65e87de..fe4b431 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -101,9 +101,9 @@ subdir = .
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) \
$(srcdir)/config.h.in $(top_srcdir)/portable/snprintf.c \
- $(top_srcdir)/portable/strndup.c \
+ $(top_srcdir)/portable/asprintf.c \
$(top_srcdir)/portable/krb5-profile.c \
- $(top_srcdir)/portable/asprintf.c $(dist_sbin_SCRIPTS) \
+ $(top_srcdir)/portable/strndup.c $(dist_sbin_SCRIPTS) \
$(top_srcdir)/build-aux/depcomp $(dist_man_MANS) NEWS README \
TODO build-aux/ar-lib build-aux/compile build-aux/config.guess \
build-aux/config.sub build-aux/depcomp build-aux/install-sh \
diff --git a/NEWS b/NEWS
index 629eda2..040e548 100644
--- a/NEWS
+++ b/NEWS
@@ -24,11 +24,12 @@ krb5-sync 3.0 (2013-12-09)
still provided.
Add a new string krb5.conf option, ad_base_instance, which, if set,
- changes the way that password synchronization is handled. When this
- option is set, the password for the principal formed by appending that
+ changes the way that password synchronization is handled. This option
+ is only available for Heimdal, not for MIT Kerberos. When this option
+ is set, the password for the principal formed by appending that
instance to a base principal is propagated to Active Directory as the
- password for the base principal. So, for instance, if this is set to
- the string "windows", the password of the principal "user/windows" is
+ password for the base principal. For example, if this is set to the
+ string "windows", the password of the principal "user/windows" is
propagated to Active Directory as the password for the principal
"user" and password changes for the principal "user" are ignored.
This special behavior only happens if "user/windows" exists in the
diff --git a/README b/README
index 73fd700..3a6ec2d 100644
--- a/README
+++ b/README
@@ -255,6 +255,9 @@ CONFIGURATION
ad_base_instance
+ This option is only available if built with Heimdal. It will result
+ in an initialization error if set when using MIT Kerberos.
+
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be
handled somewhat specially.
@@ -345,14 +348,14 @@ CONFIGURATION
used by kadmind:
[plugins]
- kadm5_hook = {
- module = krb5_sync:/usr/local/lib/krb5/plugins/kadm5_hook/sync.so
- }
+ kadm5_hook = {
+ module = sync:/usr/local/lib/krb5/plugins/kadm5_hook/sync.so
+ }
- You may wish to install krb5_sync.so under a krb5/plugins/kadm5_hook in
- the library directory used for your Kerberos installation instead, if
- that is not /usr/local/lib, in which case you can use
- "kadm5_hook/sync.so" as the relative path to the plugin.
+ You may wish to install sync.so under a krb5/plugins/kadm5_hook in the
+ library directory used for your Kerberos installation instead, if that
+ is not /usr/local/lib, in which case you can use "kadm5_hook/sync.so" as
+ the relative path to the plugin.
The kadmind patch for Heimdal adds a configuration option for the
krb5.conf file in the [kadmin] section. If this option is not set, the
@@ -365,14 +368,6 @@ CONFIGURATION
to the configuration file used by kadmind and kpasswdd. Update the path
for wherever the krb5-sync plugin is located.
- The kadmind patch for older versions of MIT adds a similar configuration
- option for the kdc.conf. To use the plugin on older versions of MIT,
- add a line like:
-
- pwupdate_plugin = /usr/local/lib/krb5/plugins/kadm5_hook/sync.so
-
- to the local realm sub-section of the [realms] section.
-
ACTIVE DIRECTORY SETUP
You need to create an Active Directory user account to be used by the
diff --git a/config.h.in b/config.h.in
index e5a3a6a..5712dee 100644
--- a/config.h.in
+++ b/config.h.in
@@ -84,12 +84,18 @@
/* Define to 1 if you have the <krb5.h> header file. */
#undef HAVE_KRB5_H
+/* Define if your Kerberos implementation is Heimdal. */
+#undef HAVE_KRB5_HEIMDAL
+
/* Define to 1 if you have the <krb5/kadm5_hook_plugin.h> header file. */
#undef HAVE_KRB5_KADM5_HOOK_PLUGIN_H
/* Define to 1 if you have the <krb5/krb5.h> header file. */
#undef HAVE_KRB5_KRB5_H
+/* Define if your Kerberos implementation is MIT. */
+#undef HAVE_KRB5_MIT
+
/* Define to 1 if you have the `krb5_principal_get_comp_string' function. */
#undef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
@@ -224,6 +230,17 @@
/* Version number of package */
#undef VERSION
+/* Enable large inode numbers on Mac OS X 10.5. */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+#undef _FILE_OFFSET_BITS
+
+/* Define for large files, on AIX-style hosts. */
+#undef _LARGE_FILES
+
/* Define to 1 if on MINIX. */
#undef _MINIX
diff --git a/configure b/configure
index 7f970ad..d20bdf4 100755
--- a/configure
+++ b/configure
@@ -770,6 +770,7 @@ enable_option_checking
enable_silent_rules
enable_maintainer_mode
enable_dependency_tracking
+enable_largefile
enable_static
enable_shared
with_pic
@@ -1425,6 +1426,7 @@ Optional Features:
do not reject slow dependency extractors
--disable-dependency-tracking
speeds up one-time build
+ --disable-largefile omit support for large files
--enable-static[=PKGS] build static libraries [default=no]
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-fast-install[=PKGS]
@@ -2134,6 +2136,63 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_type
+# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
+# ----------------------------------------------------
+# Tries to find if the field MEMBER exists in type AGGR, after including
+# INCLUDES, setting cache variable VAR accordingly.
+ac_fn_c_check_member ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
+$as_echo_n "checking for $2.$3... " >&6; }
+if eval \${$4+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$5
+int
+main ()
+{
+static $2 ac_aggr;
+if (ac_aggr.$3)
+return 0;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$4=yes"
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$5
+int
+main ()
+{
+static $2 ac_aggr;
+if (sizeof ac_aggr.$3)
+return 0;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$4=yes"
+else
+ eval "$4=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$4
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_member
+
# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
# ---------------------------------------------
# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
@@ -4716,6 +4775,205 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; }
$as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
+# Check whether --enable-largefile was given.
+if test "${enable_largefile+set}" = set; then :
+ enableval=$enable_largefile;
+fi
+
+if test "$enable_largefile" != no; then
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5
+$as_echo_n "checking for special C compiler options needed for large files... " >&6; }
+if ${ac_cv_sys_largefile_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_sys_largefile_CC=no
+ if test "$GCC" != yes; then
+ ac_save_CC=$CC
+ while :; do
+ # IRIX 6.2 and later do not support large files by default,
+ # so use the C compiler's -n32 option if that helps.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ if ac_fn_c_try_compile "$LINENO"; then :
+ break
+fi
+rm -f core conftest.err conftest.$ac_objext
+ CC="$CC -n32"
+ if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_sys_largefile_CC=' -n32'; break
+fi
+rm -f core conftest.err conftest.$ac_objext
+ break
+ done
+ CC=$ac_save_CC
+ rm -f conftest.$ac_ext
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5
+$as_echo "$ac_cv_sys_largefile_CC" >&6; }
+ if test "$ac_cv_sys_largefile_CC" != no; then
+ CC=$CC$ac_cv_sys_largefile_CC
+ fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5
+$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; }
+if ${ac_cv_sys_file_offset_bits+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ while :; do
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_sys_file_offset_bits=no; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#define _FILE_OFFSET_BITS 64
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_sys_file_offset_bits=64; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_sys_file_offset_bits=unknown
+ break
+done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5
+$as_echo "$ac_cv_sys_file_offset_bits" >&6; }
+case $ac_cv_sys_file_offset_bits in #(
+ no | unknown) ;;
+ *)
+cat >>confdefs.h <<_ACEOF
+#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits
+_ACEOF
+;;
+esac
+rm -rf conftest*
+ if test $ac_cv_sys_file_offset_bits = unknown; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5
+$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; }
+if ${ac_cv_sys_large_files+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ while :; do
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_sys_large_files=no; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#define _LARGE_FILES 1
+#include <sys/types.h>
+ /* Check that off_t can represent 2**63 - 1 correctly.
+ We can't simply define LARGE_OFF_T to be 9223372036854775807,
+ since some C++ compilers masquerading as C compilers
+ incorrectly reject 9223372036854775807. */
+#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+ int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
+ && LARGE_OFF_T % 2147483647 == 1)
+ ? 1 : -1];
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_sys_large_files=1; break
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cv_sys_large_files=unknown
+ break
+done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5
+$as_echo "$ac_cv_sys_large_files" >&6; }
+case $ac_cv_sys_large_files in #(
+ no | unknown) ;;
+ *)
+cat >>confdefs.h <<_ACEOF
+#define _LARGE_FILES $ac_cv_sys_large_files
+_ACEOF
+;;
+esac
+rm -rf conftest*
+ fi
+
+
+fi
if test -n "$ac_tool_prefix"; then
@@ -4889,6 +5147,7 @@ unknown)
;;
esac
+
# Check whether --enable-static was given.
if test "${enable_static+set}" = set; then :
enableval=$enable_static; p=${PACKAGE-default}
@@ -15675,7 +15934,17 @@ _ACEOF
fi
done
-ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "
+ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "$ac_includes_default"
+if test "x$ac_cv_type_krb5_realm" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_KRB5_REALM 1
+_ACEOF
+
+
+fi
+
+ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_session" "
#if HAVE_KRB5_H
# include <krb5.h>
#else
@@ -15683,15 +15952,15 @@ ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "
#endif
"
-if test "x$ac_cv_type_krb5_realm" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_REALM 1
-_ACEOF
+if test "x$ac_cv_member_krb5_creds_session" = xyes; then :
+$as_echo "#define HAVE_KRB5_HEIMDAL 1" >>confdefs.h
else
- for ac_header in krb5/kadm5_hook_plugin.h
+
+$as_echo "#define HAVE_KRB5_MIT 1" >>confdefs.h
+
+ for ac_header in krb5/kadm5_hook_plugin.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "krb5/kadm5_hook_plugin.h" "ac_cv_header_krb5_kadm5_hook_plugin_h" "$ac_includes_default"
if test "x$ac_cv_header_krb5_kadm5_hook_plugin_h" = xyes; then :
diff --git a/configure.ac b/configure.ac
index 811e4aa..f8432d3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,9 +17,10 @@ AM_MAINTAINER_MODE
AC_PROG_CC
AC_USE_SYSTEM_EXTENSIONS
+AC_SYS_LARGEFILE
AM_PROG_CC_C_O
-AC_PROG_INSTALL
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+AC_PROG_INSTALL
AM_DISABLE_STATIC
LT_INIT
@@ -38,8 +39,14 @@ AC_CHECK_FUNCS([krb5_free_default_realm \
krb5_principal_get_realm \
krb5_principal_set_realm \
krb5_xfree])
-AC_CHECK_TYPES([krb5_realm], [],
- [AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5])
+AC_CHECK_TYPES([krb5_realm])
+AC_CHECK_MEMBER([krb5_creds.session],
+ [AC_DEFINE([HAVE_KRB5_HEIMDAL], [1],
+ [Define if your Kerberos implementation is Heimdal.])],
+ [AC_DEFINE([HAVE_KRB5_MIT], [1],
+ [Define if your Kerberos implementation is MIT.])
+ AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])],
+ [RRA_INCLUDES_KRB5])
AC_CHECK_FUNCS([krb5_get_init_creds_opt_free],
[RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS])
AC_CHECK_FUNCS([krb5_appdefault_string], [],
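Review bot: The rewritten `AC_CHECK_TYPES([krb5_realm])` drops the `[RRA_INCLUDES_KRB5]` argument the old call carried, so the probe now compiles against the default includes only; the regenerated configure in this same commit shows `"$ac_includes_default"` being passed for krb5_realm. With no Kerberos header in the test program the type will presumably never be found, leaving HAVE_KRB5_REALM undefined even where krb5.h provides it. I would keep the includes: `AC_CHECK_TYPES([krb5_realm], [], [], [RRA_INCLUDES_KRB5])`. Separately, the not-found branch of `AC_CHECK_MEMBER([krb5_creds.session], ...)` defines HAVE_KRB5_MIT for any failed probe, not only a genuine MIT install. That errs toward rejecting ad_base_instance, which is the safe direction, but a one-line comment recording that intent would help the next maintainer.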
diff --git a/plugin/general.c b/plugin/general.c
index 1639ddc..b6bb6a1 100644
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,8 +55,20 @@ sync_init(krb5_context ctx, kadm5_hook_modinfo **result)
/* Get allowed instances from krb5.conf. */
sync_config_list(ctx, "ad_instances", &config->ad_instances);
- /* See if we're propagating an instance to the base account in AD. */
+ /*
+ * See if we're propagating an instance to the base account in AD. This
+ * option is not supported on MIT Kerberos and results in an error there,
+ * since calling libkadm5srv functions from inside a plugin appears to
+ * result in corruption with MIT Kerberos (at least in 1.10.1).
+ */
sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance);
+#if HAVE_KRB5_MIT
+ if (config->ad_base_instance != NULL) {
+ sync_close(ctx, config);
+ return sync_error_config(ctx, "ad_base_instance not supported on MIT"
+ " Kerberos");
+ }
+#endif
/* See if we're forcing queuing of all changes. */
sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only);
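Review bot: `sync_close(ctx, config)` in the new `#if HAVE_KRB5_MIT` branch runs on a config whose later fields (ad_queue_only and anything read after it) have not been set yet. The cleanup is therefore only safe if config is zero-filled when it is allocated, which happens earlier in sync_init, outside this hunk. If that holds, a short comment above the call would make the early return easier to audit, for example `/* config was zero-filled at allocation, so freeing a partial struct is safe. */`. It is also worth confirming that `*result` is left untouched on this path so the caller never receives a pointer to the freed config; that assignment is not visible here.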