author | Russ Allbery <eagle@eyrie.org> | 2013-12-09 22:57:52 -0800 |
---|---|---|
committer | Russ Allbery <eagle@eyrie.org> | 2013-12-09 22:57:52 -0800 |
commit | ae0671c1201efab217605263f24b204b9ac6c089 (patch) | |
tree | 7161bf4e93a1888c9e3f75f77b0021787781ac5e | |
parent | 0dea93872ae115fae9b779a3d7ea4a7176161262 (diff) | |
parent | d25926ce187353b6a0df67e0fa49e416d715ca25 (diff) |
Imported Upstream version 3.0
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | README | 3 | ||||
-rw-r--r-- | config.h.in | 9 | ||||
-rwxr-xr-x | configure | 90 | ||||
-rw-r--r-- | configure.ac | 15 | ||||
-rw-r--r-- | plugin/general.c | 14 | ||||
-rw-r--r-- | plugin/instance.c | 18 | ||||
-rw-r--r-- | portable/kadmin.h | 8 |
9 files changed, 49 insertions, 119 deletions
diff --git a/Makefile.in b/Makefile.in index fe4b431..c553831 100644 --- a/Makefile.in +++ b/Makefile.in @@ -100,10 +100,10 @@ check_PROGRAMS = tests/runtests$(EXEEXT) \ subdir = . DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/configure $(am__configure_deps) \ - $(srcdir)/config.h.in $(top_srcdir)/portable/snprintf.c \ - $(top_srcdir)/portable/asprintf.c \ + $(srcdir)/config.h.in $(top_srcdir)/portable/asprintf.c \ + $(top_srcdir)/portable/strndup.c \ $(top_srcdir)/portable/krb5-profile.c \ - $(top_srcdir)/portable/strndup.c $(dist_sbin_SCRIPTS) \ + $(top_srcdir)/portable/snprintf.c $(dist_sbin_SCRIPTS) \ $(top_srcdir)/build-aux/depcomp $(dist_man_MANS) NEWS README \ TODO build-aux/ar-lib build-aux/compile build-aux/config.guess \ build-aux/config.sub build-aux/depcomp build-aux/install-sh \ @@ -24,9 +24,8 @@ krb5-sync 3.0 (2013-12-09) still provided. Add a new string krb5.conf option, ad_base_instance, which, if set, - changes the way that password synchronization is handled. This option - is only available for Heimdal, not for MIT Kerberos. When this option - is set, the password for the principal formed by appending that + changes the way that password synchronization is handled. When this + option is set, the password for the principal formed by appending that instance to a base principal is propagated to Active Directory as the password for the base principal. For example, if this is set to the string "windows", the password of the principal "user/windows" is @@ -255,9 +255,6 @@ CONFIGURATION ad_base_instance - This option is only available if built with Heimdal. It will result - in an initialization error if set when using MIT Kerberos. - If ad_base_instance is set, then any password change for a single-component principal (such as user@EXAMPLE.COM) will be handled somewhat specially. diff --git a/config.h.in b/config.h.in index 5712dee..bc28ecd 100644 --- a/config.h.in +++ b/config.h.in 
@@ -35,6 +35,9 @@
 /* Define to enable kadmin server features. */
 #undef HAVE_KADM5SRV
+/* Define to 1 if you have the `kadm5_init_krb5_context' function. */
+#undef HAVE_KADM5_INIT_KRB5_CONTEXT
+
 /* Define to 1 if you have the `kadm5_init_with_skey_ctx' function. */
 #undef HAVE_KADM5_INIT_WITH_SKEY_CTX
@@ -84,18 +87,12 @@
 /* Define to 1 if you have the <krb5.h> header file. */
 #undef HAVE_KRB5_H
-/* Define if your Kerberos implementation is Heimdal. */
-#undef HAVE_KRB5_HEIMDAL
-
 /* Define to 1 if you have the <krb5/kadm5_hook_plugin.h> header file. */
 #undef HAVE_KRB5_KADM5_HOOK_PLUGIN_H
 /* Define to 1 if you have the <krb5/krb5.h> header file. */
 #undef HAVE_KRB5_KRB5_H
-/* Define if your Kerberos implementation is MIT. */
-#undef HAVE_KRB5_MIT
-
 /* Define to 1 if you have the `krb5_principal_get_comp_string' function. */
 #undef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
@@ -2136,63 +2136,6 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_type -# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES -# ---------------------------------------------------- -# Tries to find if the field MEMBER exists in type AGGR, after including -# INCLUDES, setting cache variable VAR accordingly. -ac_fn_c_check_member () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 -$as_echo_n "checking for $2.$3... " >&6; } -if eval \${$4+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$5 -int -main () -{ -static $2 ac_aggr; -if (ac_aggr.$3) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$4=yes" -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$5 -int -main () -{ -static $2 ac_aggr; -if (sizeof ac_aggr.$3) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$4=yes" -else - eval "$4=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$4 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_member - # ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES # --------------------------------------------- # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR 
@@ -15934,17 +15877,7 @@ _ACEOF fi done -ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "$ac_includes_default" -if test "x$ac_cv_type_krb5_realm" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_REALM 1 -_ACEOF - - -fi - -ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_session" " +ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" " #if HAVE_KRB5_H # include <krb5.h> #else @@ -15952,15 +15885,15 @@ ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_s #endif " -if test "x$ac_cv_member_krb5_creds_session" = xyes; then : - -$as_echo "#define HAVE_KRB5_HEIMDAL 1" >>confdefs.h +if test "x$ac_cv_type_krb5_realm" = xyes; then : -else +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_REALM 1 +_ACEOF -$as_echo "#define HAVE_KRB5_MIT 1" >>confdefs.h - for ac_header in krb5/kadm5_hook_plugin.h +else + for ac_header in krb5/kadm5_hook_plugin.h do : ac_fn_c_check_header_mongrel "$LINENO" "krb5/kadm5_hook_plugin.h" "ac_cv_header_krb5_kadm5_hook_plugin_h" "$ac_includes_default" if test "x$ac_cv_header_krb5_kadm5_hook_plugin_h" = xyes; then : @@ -16452,12 +16385,13 @@ rra_KADM5SRV_save_CPPFLAGS="$CPPFLAGS" CPPFLAGS="$KADM5SRV_CPPFLAGS $CPPFLAGS" LDFLAGS="$KADM5SRV_LDFLAGS $LDFLAGS" LIBS="$KADM5SRV_LIBS $LIBS" -for ac_func in kadm5_init_with_skey_ctx +for ac_func in kadm5_init_krb5_context kadm5_init_with_skey_ctx do : - ac_fn_c_check_func "$LINENO" "kadm5_init_with_skey_ctx" "ac_cv_func_kadm5_init_with_skey_ctx" -if test "x$ac_cv_func_kadm5_init_with_skey_ctx" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_KADM5_INIT_WITH_SKEY_CTX 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi diff --git a/configure.ac b/configure.ac index f8432d3..b2c2d45 100644 --- a/configure.ac +++ b/configure.ac 
@@ -26,7 +26,8 @@ LT_INIT
 dnl Only check for krb5/kadm5_hook_plugin.h if building with MIT, since we may
 dnl find a system MIT header file that can't be included when building with
-dnl Heimdal.
+dnl Heimdal. We use the probe for the krb5_realm data type as a proxy for
+dnl whether we're building with Heimdal.
 RRA_LIB_KRB5
 RRA_LIB_KRB5_SWITCH
 AC_CHECK_HEADERS([kadm5/kadm5_err.h])
@@ -39,14 +40,8 @@ AC_CHECK_FUNCS([krb5_free_default_realm \
 krb5_principal_get_realm \
 krb5_principal_set_realm \
 krb5_xfree])
-AC_CHECK_TYPES([krb5_realm])
-AC_CHECK_MEMBER([krb5_creds.session],
- [AC_DEFINE([HAVE_KRB5_HEIMDAL], [1],
- [Define if your Kerberos implementation is Heimdal.])],
- [AC_DEFINE([HAVE_KRB5_MIT], [1],
- [Define if your Kerberos implementation is MIT.])
- AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])],
- [RRA_INCLUDES_KRB5])
+AC_CHECK_TYPES([krb5_realm], [],
+ [AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5])
 AC_CHECK_FUNCS([krb5_get_init_creds_opt_free],
 [RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS])
 AC_CHECK_FUNCS([krb5_appdefault_string], [],
@@ -57,7 +52,7 @@ RRA_LIB_KRB5_RESTORE
 RRA_LIB_KADM5SRV
 RRA_LIB_KADM5SRV_SWITCH
-AC_CHECK_FUNCS([kadm5_init_with_skey_ctx])
+AC_CHECK_FUNCS([kadm5_init_krb5_context kadm5_init_with_skey_ctx])
 RRA_LIB_KADM5SRV_RESTORE
 RRA_LIB_LDAP
diff --git a/plugin/general.c b/plugin/general.c
index b6bb6a1..1639ddc 100644
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,20 +55,8 @@ sync_init(krb5_context ctx, kadm5_hook_modinfo **result)
 /* Get allowed instances from krb5.conf. */
 sync_config_list(ctx, "ad_instances", &config->ad_instances);
- /*
- * See if we're propagating an instance to the base account in AD. This
- * option is not supported on MIT Kerberos and results in an error there,
- * since calling libkadm5srv functions from inside a plugin appears to
- * result in corruption with MIT Kerberos (at least in 1.10.1).
- */
+ /* See if we're propagating an instance to the base account in AD. */
 sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance);
-#if HAVE_KRB5_MIT
- if (config->ad_base_instance != NULL) {
- sync_close(ctx, config);
- return sync_error_config(ctx, "ad_base_instance not supported on MIT"
- " Kerberos");
- }
-#endif
 /* See if we're forcing queuing of all changes. */
 sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only);
diff --git a/plugin/instance.c b/plugin/instance.c
index 87e1cbd..dce3072 100644
--- a/plugin/instance.c
+++ b/plugin/instance.c
@@ -34,6 +34,7 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
 krb5_principal princ = NULL;
 krb5_error_code code;
 const char *realm;
+ krb5_context kadm_ctx = NULL;
 kadm5_config_params params;
 void *handle = NULL;
 int mask;
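Review bot: The one-line replacement comment above `sync_config_string(ctx, "ad_base_instance", ...)` discards the reason the MIT restriction existed, so a reader of sync_init can no longer tell why it became safe to honour this option on MIT. The actual fix lives in sync_instance_exists (the libkadm5srv handle now gets its own krb5 context), and that is what a maintainer hitting KDB trouble on MIT will need to find. A pointer keeps the history without the old prohibition: `/* See if we're propagating an instance to the base account in AD.  Now supported on MIT too; see sync_instance_exists() for the separate context that makes it safe. */`. sync_init continues beyond both ends of the hunk.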
@@ -59,12 +60,20 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
 if (code != 0)
 goto fail;
- /* Open the local KDB and look up this new principal. */
+ /*
+ * Open the local KDB and look up this new principal. We need to use a
+ * separate Kerberos context from the one passed in by our caller.
+ * Otherwise, on MIT Kerberos, we tromp on kadmind's copy of the KDB,
+ * with bad results.
+ */
+ code = kadm5_init_krb5_context(&kadm_ctx);
+ if (code != 0)
+ goto fail;
 memset(¶ms, 0, sizeof(params));
 params.realm = (char *) realm;
 params.mask = KADM5_CONFIG_REALM;
- code = kadm5_init_with_skey_ctx(ctx, (char *) "kadmin/admin", NULL, NULL,
- ¶ms, KADM5_STRUCT_VERSION,
+ code = kadm5_init_with_skey_ctx(kadm_ctx, (char *) "kadmin/admin", NULL,
+ NULL, ¶ms, KADM5_STRUCT_VERSION,
 KADM5_API_VERSION_2, &handle);
 if (code != 0)
 goto fail;
@@ -77,10 +86,13 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
 kadm5_free_principal_ent(handle, &ent);
 }
 kadm5_destroy(handle);
+ krb5_free_context(kadm_ctx);
 krb5_free_principal(ctx, princ);
 return 0;
 fail:
+ if (kadm_ctx != NULL)
+ krb5_free_context(kadm_ctx);
 if (princ != NULL)
 krb5_free_principal(ctx, princ);
 return code;
diff --git a/portable/kadmin.h b/portable/kadmin.h
index f410481..95f6d4b 100644
--- a/portable/kadmin.h
+++ b/portable/kadmin.h
@@ -56,6 +56,14 @@
 #endif
 /*
+ * MIT Kerberos provides this function for pure kadmin clients to get a
+ * Kerberos context. With Heimdal, just use krb5_init_context.
+ */
+#ifndef HAVE_KADM5_INIT_KRB5_CONTEXT
+# define kadm5_init_krb5_context(c) krb5_init_context(c)
+#endif
+
+/*
 * Heimdal provides _ctx functions that take an existing context. MIT always
 * requires the context be passed in. Code should use the _ctx variant, and
 * the below will fix it up if built against MIT. |
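Review bot: The new `fail:` path frees `kadm_ctx` but never tears down `handle`, so if any code between the two hunks (the lookup that runs after `kadm5_init_with_skey_ctx` succeeds) jumps to `fail`, the kadm5 handle and the KDB it opened leak on every failed check; only the success path reaches `kadm5_destroy(handle)`. Whether such a jump exists depends on lines outside the hunk, but the cleanup is cheap and its order matters, because the handle was created from `kadm_ctx` and must go before that context is freed. `fail:` could start with `if (handle != NULL) kadm5_destroy(handle);` ahead of the `krb5_free_context(kadm_ctx)` call, which relies on `handle` staying NULL when `kadm5_init_with_skey_ctx` fails — worth confirming for both MIT and Heimdal before adding it. sync_instance_exists begins before the first hunk.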
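Review bot: The comment above the new `kadm5_init_krb5_context` fallback says only that MIT "provides this function", which hides that the two branches are not equivalent in what configuration they read. If I recall correctly, MIT's kadm5_init_krb5_context sets the context up from the KDC profile (kdc.conf) rather than plain krb5.conf, whereas the Heimdal fallback here is an ordinary `krb5_init_context`, so realm settings looked up through the resulting context can differ by implementation — please confirm against the MIT sources before documenting it. The caller in sync_instance_exists does realm-dependent work with this context, so the distinction belongs in the header, e.g. ` * Kerberos context (on MIT, set up from the KDC profile rather than krb5.conf).  With Heimdal, just use krb5_init_context.`.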