-rw-r--r-- | krb5-trunk-kadmin-oldproto.patch | 39 | ||||
-rw-r--r-- | krb5.spec | 6 |
2 files changed, 45 insertions, 0 deletions
diff --git a/krb5-trunk-kadmin-oldproto.patch b/krb5-trunk-kadmin-oldproto.patch
new file mode 100644
index 0000000..da4172a
--- /dev/null
+++ b/krb5-trunk-kadmin-oldproto.patch
@@ -0,0 +1,39 @@
+------------------------------------------------------------------------
+r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
+
+ticket: 6920
+subject: Fix old-style GSSRPC authentication
+target_version: 1.9.2
+tags: pullup
+
+r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
+the kadmin socket, even when it's IPv4. This made old-style GSSAPI
+authentication fail because it uses the wrong channel bindings. Fix
+this problem by making clnttcp_create() get the remote address from
+the socket using getpeername() if the caller doesn't provide it and
+it's an IPv4 address.
+------------------------------------------------------------------------
+Index: src/lib/rpc/clnt_tcp.c
+===================================================================
+--- src/lib/rpc/clnt_tcp.c (revision 24966)
++++ src/lib/rpc/clnt_tcp.c (revision 24967)
+@@ -187,9 +187,16 @@
+ ct->ct_sock = *sockp;
+ ct->ct_wait.tv_usec = 0;
+ ct->ct_waitset = FALSE;
+- if (raddr == NULL)
+- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+- else
++ if (raddr == NULL) {
++ /* Get the remote address from the socket, if it's IPv4. */
++ struct sockaddr_in sin;
++ socklen_t len = sizeof(sin);
++ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
++ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
++ ct->ct_addr = sin;
++ else
++ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ } else
+ ct->ct_addr = *raddr;
+
+ /*
@@ -53,6 +53,7 @@ Patch75: krb5-pkinit-debug.patch Patch77: krb5-1.9-paren.patch Patch78: krb5-trunk-chpw-err.patch Patch79: krb5-klist_s.patch +Patch80: krb5-trunk-kadmin-oldproto.patch License: MIT URL: http://web.mit.edu/kerberos/www/
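Review bot: In the embedded `src/lib/rpc/clnt_tcp.c` hunk of krb5-trunk-kadmin-oldproto.patch, the new inner `else` arm still zeroes `ct->ct_addr` silently whenever `getpeername()` fails or the peer is not a `sockaddr_in`-sized AF_INET address, and by the patch description's own reasoning a zeroed address is what made the old-style channel bindings mismatch. Those paths (presumably including IPv6 peers) will therefore keep failing old-style authentication with nothing pointing at the cause, so I would document the limit where it is decided, e.g. `/* Non-IPv4 peer or getpeername() failure: ct_addr stays zeroed, so old-style channel bindings will not match. */` above the `memset`. The new code also relies on the socket already being connected when `raddr` is NULL; that is established outside the visible lines and worth confirming. The enclosing function begins and ends outside the hunk.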
@@ -197,6 +198,7 @@ ln -s NOTICE LICENSE %patch77 -p1 -b .paren %patch78 -p0 -b .chpw-err %patch79 -p1 -b .klist_s +%patch80 -p0 -b .kadmin-oldproto gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -657,6 +659,10 @@ exit 0 %changelog * Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> +- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating + using the old protocol over IPv4 again (RT#6920) + +* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#576093) |