authorRuss Allbery <eagle@eyrie.org>2013-12-09 22:57:52 -0800
committerRuss Allbery <eagle@eyrie.org>2013-12-09 22:57:52 -0800
commitae0671c1201efab217605263f24b204b9ac6c089 (patch)
tree7161bf4e93a1888c9e3f75f77b0021787781ac5e
parent0dea93872ae115fae9b779a3d7ea4a7176161262 (diff)
parentd25926ce187353b6a0df67e0fa49e416d715ca25 (diff)
Imported Upstream version 3.0
-rw-r--r--Makefile.in6
-rw-r--r--NEWS5
-rw-r--r--README3
-rw-r--r--config.h.in9
-rwxr-xr-xconfigure90
-rw-r--r--configure.ac15
-rw-r--r--plugin/general.c14
-rw-r--r--plugin/instance.c18
-rw-r--r--portable/kadmin.h8
9 files changed, 49 insertions, 119 deletions
diff --git a/Makefile.in b/Makefile.in
index fe4b431..c553831 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -100,10 +100,10 @@ check_PROGRAMS = tests/runtests$(EXEEXT) \
subdir = .
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) \
- $(srcdir)/config.h.in $(top_srcdir)/portable/snprintf.c \
- $(top_srcdir)/portable/asprintf.c \
+ $(srcdir)/config.h.in $(top_srcdir)/portable/asprintf.c \
+ $(top_srcdir)/portable/strndup.c \
$(top_srcdir)/portable/krb5-profile.c \
- $(top_srcdir)/portable/strndup.c $(dist_sbin_SCRIPTS) \
+ $(top_srcdir)/portable/snprintf.c $(dist_sbin_SCRIPTS) \
$(top_srcdir)/build-aux/depcomp $(dist_man_MANS) NEWS README \
TODO build-aux/ar-lib build-aux/compile build-aux/config.guess \
build-aux/config.sub build-aux/depcomp build-aux/install-sh \
diff --git a/NEWS b/NEWS
index 040e548..31ecb87 100644
--- a/NEWS
+++ b/NEWS
@@ -24,9 +24,8 @@ krb5-sync 3.0 (2013-12-09)
still provided.
Add a new string krb5.conf option, ad_base_instance, which, if set,
- changes the way that password synchronization is handled. This option
- is only available for Heimdal, not for MIT Kerberos. When this option
- is set, the password for the principal formed by appending that
+ changes the way that password synchronization is handled. When this
+ option is set, the password for the principal formed by appending that
instance to a base principal is propagated to Active Directory as the
password for the base principal. For example, if this is set to the
string "windows", the password of the principal "user/windows" is
diff --git a/README b/README
index 3a6ec2d..1d2456c 100644
--- a/README
+++ b/README
@@ -255,9 +255,6 @@ CONFIGURATION
ad_base_instance
- This option is only available if built with Heimdal. It will result
- in an initialization error if set when using MIT Kerberos.
-
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be
handled somewhat specially.
diff --git a/config.h.in b/config.h.in
index 5712dee..bc28ecd 100644
--- a/config.h.in
+++ b/config.h.in
@@ -35,6 +35,9 @@
/* Define to enable kadmin server features. */
#undef HAVE_KADM5SRV
+/* Define to 1 if you have the `kadm5_init_krb5_context' function. */
+#undef HAVE_KADM5_INIT_KRB5_CONTEXT
+
/* Define to 1 if you have the `kadm5_init_with_skey_ctx' function. */
#undef HAVE_KADM5_INIT_WITH_SKEY_CTX
@@ -84,18 +87,12 @@
/* Define to 1 if you have the <krb5.h> header file. */
#undef HAVE_KRB5_H
-/* Define if your Kerberos implementation is Heimdal. */
-#undef HAVE_KRB5_HEIMDAL
-
/* Define to 1 if you have the <krb5/kadm5_hook_plugin.h> header file. */
#undef HAVE_KRB5_KADM5_HOOK_PLUGIN_H
/* Define to 1 if you have the <krb5/krb5.h> header file. */
#undef HAVE_KRB5_KRB5_H
-/* Define if your Kerberos implementation is MIT. */
-#undef HAVE_KRB5_MIT
-
/* Define to 1 if you have the `krb5_principal_get_comp_string' function. */
#undef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
diff --git a/configure b/configure
index d20bdf4..69de1b3 100755
--- a/configure
+++ b/configure
@@ -2136,63 +2136,6 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_type
-# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
-# ----------------------------------------------------
-# Tries to find if the field MEMBER exists in type AGGR, after including
-# INCLUDES, setting cache variable VAR accordingly.
-ac_fn_c_check_member ()
-{
- as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
-$as_echo_n "checking for $2.$3... " >&6; }
-if eval \${$4+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-$5
-int
-main ()
-{
-static $2 ac_aggr;
-if (ac_aggr.$3)
-return 0;
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
- eval "$4=yes"
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-$5
-int
-main ()
-{
-static $2 ac_aggr;
-if (sizeof ac_aggr.$3)
-return 0;
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
- eval "$4=yes"
-else
- eval "$4=no"
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-eval ac_res=\$$4
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-
-} # ac_fn_c_check_member
-
# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
# ---------------------------------------------
# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
@@ -15934,17 +15877,7 @@ _ACEOF
fi
done
-ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "$ac_includes_default"
-if test "x$ac_cv_type_krb5_realm" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_REALM 1
-_ACEOF
-
-
-fi
-
-ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_session" "
+ac_fn_c_check_type "$LINENO" "krb5_realm" "ac_cv_type_krb5_realm" "
#if HAVE_KRB5_H
# include <krb5.h>
#else
@@ -15952,15 +15885,15 @@ ac_fn_c_check_member "$LINENO" "krb5_creds" "session" "ac_cv_member_krb5_creds_s
#endif
"
-if test "x$ac_cv_member_krb5_creds_session" = xyes; then :
-
-$as_echo "#define HAVE_KRB5_HEIMDAL 1" >>confdefs.h
+if test "x$ac_cv_type_krb5_realm" = xyes; then :
-else
+cat >>confdefs.h <<_ACEOF
+#define HAVE_KRB5_REALM 1
+_ACEOF
-$as_echo "#define HAVE_KRB5_MIT 1" >>confdefs.h
- for ac_header in krb5/kadm5_hook_plugin.h
+else
+ for ac_header in krb5/kadm5_hook_plugin.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "krb5/kadm5_hook_plugin.h" "ac_cv_header_krb5_kadm5_hook_plugin_h" "$ac_includes_default"
if test "x$ac_cv_header_krb5_kadm5_hook_plugin_h" = xyes; then :
@@ -16452,12 +16385,13 @@ rra_KADM5SRV_save_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$KADM5SRV_CPPFLAGS $CPPFLAGS"
LDFLAGS="$KADM5SRV_LDFLAGS $LDFLAGS"
LIBS="$KADM5SRV_LIBS $LIBS"
-for ac_func in kadm5_init_with_skey_ctx
+for ac_func in kadm5_init_krb5_context kadm5_init_with_skey_ctx
do :
- ac_fn_c_check_func "$LINENO" "kadm5_init_with_skey_ctx" "ac_cv_func_kadm5_init_with_skey_ctx"
-if test "x$ac_cv_func_kadm5_init_with_skey_ctx" = xyes; then :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_KADM5_INIT_WITH_SKEY_CTX 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
diff --git a/configure.ac b/configure.ac
index f8432d3..b2c2d45 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,8 @@ LT_INIT
dnl Only check for krb5/kadm5_hook_plugin.h if building with MIT, since we may
dnl find a system MIT header file that can't be included when building with
-dnl Heimdal.
+dnl Heimdal. We use the probe for the krb5_realm data type as a proxy for
+dnl whether we're building with Heimdal.
RRA_LIB_KRB5
RRA_LIB_KRB5_SWITCH
AC_CHECK_HEADERS([kadm5/kadm5_err.h])
@@ -39,14 +40,8 @@ AC_CHECK_FUNCS([krb5_free_default_realm \
krb5_principal_get_realm \
krb5_principal_set_realm \
krb5_xfree])
-AC_CHECK_TYPES([krb5_realm])
-AC_CHECK_MEMBER([krb5_creds.session],
- [AC_DEFINE([HAVE_KRB5_HEIMDAL], [1],
- [Define if your Kerberos implementation is Heimdal.])],
- [AC_DEFINE([HAVE_KRB5_MIT], [1],
- [Define if your Kerberos implementation is MIT.])
- AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])],
- [RRA_INCLUDES_KRB5])
+AC_CHECK_TYPES([krb5_realm], [],
+ [AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5])
AC_CHECK_FUNCS([krb5_get_init_creds_opt_free],
[RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS])
AC_CHECK_FUNCS([krb5_appdefault_string], [],
@@ -57,7 +52,7 @@ RRA_LIB_KRB5_RESTORE
RRA_LIB_KADM5SRV
RRA_LIB_KADM5SRV_SWITCH
-AC_CHECK_FUNCS([kadm5_init_with_skey_ctx])
+AC_CHECK_FUNCS([kadm5_init_krb5_context kadm5_init_with_skey_ctx])
RRA_LIB_KADM5SRV_RESTORE
RRA_LIB_LDAP
diff --git a/plugin/general.c b/plugin/general.c
index b6bb6a1..1639ddc 100644
--- a/plugin/general.c
+++ b/plugin/general.c
@@ -55,20 +55,8 @@ sync_init(krb5_context ctx, kadm5_hook_modinfo **result)
/* Get allowed instances from krb5.conf. */
sync_config_list(ctx, "ad_instances", &config->ad_instances);
- /*
- * See if we're propagating an instance to the base account in AD. This
- * option is not supported on MIT Kerberos and results in an error there,
- * since calling libkadm5srv functions from inside a plugin appears to
- * result in corruption with MIT Kerberos (at least in 1.10.1).
- */
+ /* See if we're propagating an instance to the base account in AD. */
sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance);
-#if HAVE_KRB5_MIT
- if (config->ad_base_instance != NULL) {
- sync_close(ctx, config);
- return sync_error_config(ctx, "ad_base_instance not supported on MIT"
- " Kerberos");
- }
-#endif
/* See if we're forcing queuing of all changes. */
sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only);
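Review bot: The shortened comment on the new line before `sync_config_string(ctx, "ad_base_instance", ...)` drops the reason the option used to be refused under MIT Kerberos, and the reader of sync_init has no pointer to where that constraint went. Since the same commit appears to handle it by opening a separate Kerberos context in sync_instance_exists, a one-line cross-reference would preserve the history: `/* See if we're propagating an instance to the base account in AD; on MIT this needs its own kadm5 context, see sync_instance_exists(). */`. sync_init's body starts and ends outside this hunk.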
diff --git a/plugin/instance.c b/plugin/instance.c
index 87e1cbd..dce3072 100644
--- a/plugin/instance.c
+++ b/plugin/instance.c
@@ -34,6 +34,7 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
krb5_principal princ = NULL;
krb5_error_code code;
const char *realm;
+ krb5_context kadm_ctx = NULL;
kadm5_config_params params;
void *handle = NULL;
int mask;
@@ -59,12 +60,20 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
if (code != 0)
goto fail;
- /* Open the local KDB and look up this new principal. */
+ /*
+ * Open the local KDB and look up this new principal. We need to use a
+ * separate Kerberos context from the one passed in by our caller.
+ * Otherwise, on MIT Kerberos, we tromp on kadmind's copy of the KDB,
+ * with bad results.
+ */
+ code = kadm5_init_krb5_context(&kadm_ctx);
+ if (code != 0)
+ goto fail;
memset(&params, 0, sizeof(params));
params.realm = (char *) realm;
params.mask = KADM5_CONFIG_REALM;
- code = kadm5_init_with_skey_ctx(ctx, (char *) "kadmin/admin", NULL, NULL,
- &params, KADM5_STRUCT_VERSION,
+ code = kadm5_init_with_skey_ctx(kadm_ctx, (char *) "kadmin/admin", NULL,
+ NULL, &params, KADM5_STRUCT_VERSION,
KADM5_API_VERSION_2, &handle);
if (code != 0)
goto fail;
@@ -77,10 +86,13 @@ sync_instance_exists(krb5_context ctx, krb5_principal base,
kadm5_free_principal_ent(handle, &ent);
}
kadm5_destroy(handle);
+ krb5_free_context(kadm_ctx);
krb5_free_principal(ctx, princ);
return 0;
fail:
+ if (kadm_ctx != NULL)
+ krb5_free_context(kadm_ctx);
if (princ != NULL)
krb5_free_principal(ctx, princ);
return code;
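Review bot: The new `fail:` path frees `kadm_ctx` but never calls `kadm5_destroy(handle)`, while the success path above it does, so any `goto fail` taken after `kadm5_init_with_skey_ctx` has returned a handle leaks the kadm5 handle and tears down the context it was created on. The code between this hunk and the previous one is outside the view, so whether such a path exists cannot be confirmed here, but `handle` is initialised to `NULL` at the top of the function, which makes a symmetric guard cheap: `if (handle != NULL) kadm5_destroy(handle);` placed before the `krb5_free_context(kadm_ctx)` call under `fail:`. sync_instance_exists begins outside this hunk.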
diff --git a/portable/kadmin.h b/portable/kadmin.h
index f410481..95f6d4b 100644
--- a/portable/kadmin.h
+++ b/portable/kadmin.h
@@ -56,6 +56,14 @@
#endif
/*
+ * MIT Kerberos provides this function for pure kadmin clients to get a
+ * Kerberos context. With Heimdal, just use krb5_init_context.
+ */
+#ifndef HAVE_KADM5_INIT_KRB5_CONTEXT
+# define kadm5_init_krb5_context(c) krb5_init_context(c)
+#endif
+
+/*
* Heimdal provides _ctx functions that take an existing context. MIT always
* requires the context be passed in. Code should use the _ctx variant, and
* the below will fix it up if built against MIT.