This is a first shot at the client enrollment fix. I had to pull the new
version of xmlrpc-c from koji as it is not in the updates-testing repo yet:

http://koji.fedoraproject.org/koji/buildinfo?buildID=257947

Fixed curl package is already in stable repos.

Unfortunately, it seems that credentials are not delegated yet. I still
get a "did not receive Kerberos credentials" error from the server. Any
idea what went wrong? Adding the xmlrpc-c maintainer on CC.

Thanks,
Martin
>From 251ca0fdc1374c96ce87e18970a27936edecdf6a Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 11 Aug 2011 10:42:29 +0200
Subject: [PATCH] Fix client enrollment

Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
---
 freeipa.spec.in       |   29 +++++++++++++++++++++++++++--
 ipa-client/ipa-join.c |    2 ++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5dda8116aa86ce326a146ba55a4a44daac8474b8..83c91d7c63c2adbe1a8e04da3b329c51a3dd9a03 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -36,8 +36,18 @@ BuildRequires:  openldap-devel
 BuildRequires:  krb5-devel
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
-BuildRequires:  xmlrpc-c-devel
+%if 0%{?fedora} >= 16
+BuildRequires:  libcurl-devel >= 7.21.7-2
+BuildRequires:  xmlrpc-c-devel >= 1.27.4
+%else
+%if 0%{?fedora} >= 15
+BuildRequires:  libcurl-devel >= 7.21.3-9
+BuildRequires:  xmlrpc-c-devel >= 1.25.4
+%else
 BuildRequires:  libcurl-devel
+BuildRequires:  xmlrpc-c-devel
+%endif
+%endif
 BuildRequires:  popt-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
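Review bot: The final %else branch keeps libcurl-devel and xmlrpc-c-devel unversioned, while ipa-join.c in this same patch assigns curlXportParmsP->gssapi_delegation unconditionally. A build on a Fedora release older than 15 can therefore pick up xmlrpc-c headers that lack that member and fail to compile, or build against a libcurl without the delegation change. Either give that branch minimum versions as well, or guard the assignment in the C code so the unversioned case still builds.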
@@ -150,7 +160,18 @@ Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: wget
-Requires: xmlrpc-c
+%if 0%{?fedora} >= 16
+BuildRequires:  libcurl >= 7.21.7-2
+BuildRequires:  xmlrpc-c >= 1.27.4
+%else
+%if 0%{?fedora} >= 15
+BuildRequires:  libcurl >= 7.21.3-9
+BuildRequires:  xmlrpc-c >= 1.25.4
+%else
+BuildRequires:  libcurl
+BuildRequires:  xmlrpc-c
+%endif
+%endif
 Requires: sssd >= 1.5.1
 Requires: certmonger >= 0.26
 Requires: nss-tools
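Review bot: The added lines in this runtime dependency block use "BuildRequires:" where the removed line was "Requires: xmlrpc-c", so the package loses its runtime dependency on xmlrpc-c and never gains one on libcurl. The surrounding lines ("Requires: wget", "Requires: sssd >= 1.5.1") show this is the install-time list, and an installed client could still run with a libcurl or xmlrpc-c that predates the delegation support. All six added dependency lines here should read "Requires:" with the same version constraints.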
@@ -514,6 +535,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Thu Aug 11 2011 Martin Kosek <mko...@redhat.com> - 2.0.90-11
+- Set min nvr of xmlrpc-c and libcurl to make sure GSSAPI delegation
+  support is in
+
 * Tue Aug 2 2011 Endi S. Dewata <edew...@redhat.com> - 2.0.90-10
 - Add *.ico files
 
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -149,6 +149,8 @@ callRPC(xmlrpc_env *            const envP,
     curlXportParmsP->no_ssl_verifypeer = 1;
     curlXportParmsP->no_ssl_verifyhost = 1;
     curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
+    /* Enable GSSAPI credentials delegation */
+    curlXportParmsP->gssapi_delegation = 1;
 
     clientparms.transport = "curl";
     clientparms.transportparmsP = (struct xmlrpc_xportparms *)
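Review bot: gssapi_delegation = 1 is set unconditionally directly below no_ssl_verifypeer = 1 and no_ssl_verifyhost = 1, so the client would delegate its Kerberos credentials over a TLS connection whose certificate and host name are not checked. The commit message notes that unconditional delegation was dropped from curl because of CVE-2011-2192, so it is worth limiting delegation here to the case where the server is verified against the cainfo file already configured, or at least expanding the comment to say why delegating to this endpoint is acceptable. Separately, the transport parameter size that accompanies transportparmsP is outside this hunk; it has to cover the new member, otherwise the library will not read gssapi_delegation at all.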
-- 
1.7.6
