authorNalin Dahyabhai <nalin@dahyabhai.net>2011-06-20 13:34:21 -0400
committerNalin Dahyabhai <nalin@dahyabhai.net>2011-06-20 13:34:21 -0400
commit092982212a8df87234f588a92f5240a724521352 (patch)
treef01b0fa982ba54178cc64cf45629c853ad4bd414
parente1fdb930380dcdcaea154e2b83d4676cb803b9ea (diff)
- apply upstream patch by way of Burt Holzman to fall back to a non-referralkrb5-1.9.1-4.fc16
method in cases where we might be derailed by a KDC that rejects the canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
-rw-r--r--krb5-1.9-canonicalize-fallback.patch59
-rw-r--r--krb5.spec9
2 files changed, 67 insertions, 1 deletions
diff --git a/krb5-1.9-canonicalize-fallback.patch b/krb5-1.9-canonicalize-fallback.patch
new file mode 100644
index 0000000..897910b
--- /dev/null
+++ b/krb5-1.9-canonicalize-fallback.patch
@@ -0,0 +1,59 @@
+From RT#6917.
+
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -466,13 +466,10 @@ begin_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
+
+ /***** STATE_REFERRALS *****/
+
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm. Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+ krb5_error_code code;
+ char **hrealms;
+@@ -481,9 +478,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+
+- /* Only fall back if the original request used the referral realm. */
++ /* If the request used a specified realm, make a non-referral request to
++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+
+ if (ctx->server->length < 2) {
+ /* We need a type/host format principal to find a fallback realm. */
+@@ -496,10 +494,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+ if (code != 0)
+ return code;
+
+- /* Give up if the fallback realm isn't any different. */
++ /* If the fallback realm isn't any different, use the existing TGT. */
+ if (data_eq_string(ctx->server->realm, hrealms[0])) {
+ krb5_free_host_realm(context, hrealms);
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ }
+
+ /* Rewrite server->realm to be the fallback realm. */
+@@ -536,9 +534,9 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
+ krb5_error_code code;
+ const krb5_data *referral_realm;
+
+- /* Possibly retry with the fallback realm on error. */
++ /* Possibly try a non-referral fallback request on error. */
+ if (ctx->reply_code != 0)
+- return try_fallback_realm(context, ctx);
++ return try_fallback(context, ctx);
+
+ if (krb5_principal_compare(context, ctx->reply_creds->server,
+ ctx->server)) {
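Review bot: try_fallback now sends a second, non-referral request whenever the first referral request to a specified realm failed, without looking at which error `ctx->reply_code` holds (the `return begin_non_referral(context, ctx);` after the `krb5_is_referral_realm` check, and the matching one after the `data_eq_string` check), so failures a non-referral request presumably cannot cure, such as an unknown server principal, now cost an extra KDC round trip and an extra KDC log entry per lookup. If the intent is only to tolerate KDCs that reject KDC_OPT_CANONICALIZE, gating the retry on the error such KDCs actually return would keep the failure path cheap; failing that, the comment should say the retry is unconditional, e.g. `/* Any referral failure is retried without KDC_OPT_CANONICALIZE; this doubles the cost of a genuinely failing lookup. */`. The patch header `From RT#6917.` names the ticket but not the upstream revision the hunks were taken from, which would make later rebases easier. try_fallback's body continues outside the quoted hunks.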
diff --git a/krb5.spec b/krb5.spec
index 75f563d..f7a77fa 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9.1
-Release: 3%{?dist}
+Release: 4%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -54,6 +54,7 @@ Patch77: krb5-1.9-paren.patch
Patch78: krb5-trunk-chpw-err.patch
Patch79: krb5-klist_s.patch
Patch80: krb5-trunk-kadmin-oldproto.patch
+Patch81: krb5-1.9-canonicalize-fallback.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -199,6 +200,7 @@ ln -s NOTICE LICENSE
%patch78 -p0 -b .chpw-err
%patch79 -p1 -b .klist_s
%patch80 -p0 -b .kadmin-oldproto
+%patch81 -p1 -b .canonicalize-fallback
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -658,6 +660,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Mon Jun 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-4
+- apply upstream patch by way of Burt Holzman to fall back to a non-referral
+ method in cases where we might be derailed by a KDC that rejects the
+ canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
+
* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-3
- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
using the old protocol over IPv4 again (RT#6920)