Hi, this patch makes the creation of the Kerberos locator plugin optional and adds support for older versions of MIT Kerberos (and older versions of libdbus, too). It also has the promised man page.
bye, Sumit
>From 9d001217a014042d8e7a9c1a53ac341cd90b10c3 Mon Sep 17 00:00:00 2001 From: sbose <sb...@sles10.site> Date: Wed, 9 Sep 2009 12:26:07 +0200 Subject: [PATCH] added support for older MIT kerberos versions - make the build of the locator plugin optional - added a man page for the locator plugin - use krb5.h if krb5/krb5.h cannot be found - added alternatives for missing functions - set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version is lesser than 1.0.0 --- contrib/sssd.spec.in | 9 ++- server/Makefile.am | 13 +++- server/configure.ac | 6 ++ server/external/krb5.m4 | 28 +++++++++ server/man/sssd_krb5_locator_plugin.8.xml | 89 +++++++++++++++++++++++++++++ server/providers/krb5/krb5_auth.c | 3 +- server/providers/krb5/krb5_auth.h | 10 ++- server/providers/krb5/krb5_child.c | 31 +++++++++- 8 files changed, 177 insertions(+), 12 deletions(-) create mode 100644 server/man/sssd_krb5_locator_plugin.8.xml diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 408d449..786b2e9 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -92,10 +92,16 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la +touch locator.filelist +if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +then + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > locator.filelist +fi + %clean rm -rf $RPM_BUILD_ROOT -%files +%files -f locator.filelist %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} @@ -109,7 +115,6 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/%{servicename}/ %{_libdir}/%{name}/ %{_libdir}/ldb/memberof.so -%{_libdir}/krb5/plugins/libkrb5/* %dir %{sssdstatedir} %attr(700,root,root) %dir %{dbpath} %attr(755,root,root) %dir %{pipepath} diff --git a/server/Makefile.am b/server/Makefile.am index 6ed405a..41eeefb 100644 --- a/server/Makefile.am +++ b/server/Makefile.am 
@@ -7,7 +7,9 @@ builddir ?= . sssdlibexecdir = $(libexecdir)/sssd sssdlibdir = $(libdir)/sssd ldblibdir = $(libdir)/ldb +if BUILD_KRB5_LOCATOR_PLUGIN krb5plugindir = @krb5pluginpath@ +endif sssdconfdir = $(sysconfdir)/sssd dbusintrospectdir = $(datarootdir)/sssd/introspect dbuspolicydir = $(sysconfdir)/dbus-1/system.d @@ -78,8 +80,10 @@ sssdlib_LTLIBRARIES = \ ldblib_LTLIBRARIES = \ memberof.la +if BUILD_KRB5_LOCATOR_PLUGIN krb5plugin_LTLIBRARIES = \ sssd_krb5_locator_plugin.la +endif noinst_LTLIBRARIES = \ libsss_crypt.la @@ -203,8 +207,8 @@ SSSD_LIBS = \ $(COLLECTION_LIBS) \ $(DHASH_LIBS) \ $(REPLACE_LIBS) \ - $(NSS_LIBS) \ - libsss_crypt.la + libsss_crypt.la \ + $(NSS_LIBS) PYTHON_BINDINGS_LIBS = \ $(TALLOC_LIBS) \ @@ -464,6 +468,7 @@ memberof_la_LDFLAGS = \ -avoid-version \ -module +if BUILD_KRB5_LOCATOR_PLUGIN sssd_krb5_locator_plugin_la_SOURCES = \ krb5_plugin/sssd_krb5_locator_plugin.c sssd_krb5_locator_plugin_la_CFLAGS = \ @@ -472,6 +477,7 @@ sssd_krb5_locator_plugin_la_CFLAGS = \ sssd_krb5_locator_plugin_la_LDFLAGS = \ -avoid-version \ -module +endif if BUILD_PYTHON_BINDINGS pysss_la_SOURCES = \ @@ -501,7 +507,8 @@ XSLTPROC_FLAGS = --catalogs --xinclude --nonet dist_man_MANS = man/sss_useradd.8 man/sss_userdel.8 man/sss_usermod.8 \ man/sss_groupadd.8 man/sss_groupdel.8 man/sss_groupmod.8 \ - man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5 + man/sssd.8 man/sssd.conf.5 man/sssd-ldap.5 man/sssd-krb5.5 \ + man/sssd_krb5_locator_plugin.8 SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 .1.xml.1: diff --git a/server/configure.ac b/server/configure.ac index 475bdca..03d2885 100644 --- a/server/configure.ac +++ b/server/configure.ac 
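Review bot: `man/sssd_krb5_locator_plugin.8` is appended to `dist_man_MANS` unconditionally in the last hunk, so the man page is installed even when `BUILD_KRB5_LOCATOR_PLUGIN` is false, while `krb5plugindir`, `krb5plugin_LTLIBRARIES` and the `sssd_krb5_locator_plugin_la_*` definitions are now all wrapped in that conditional. Either move the page into the same `if BUILD_KRB5_LOCATOR_PLUGIN` block with `dist_man_MANS += man/sssd_krb5_locator_plugin.8`, or state in the commit message that the page is shipped on purpose so users on systems without plugin support can still read its NOTES section. The swap of `libsss_crypt.la` ahead of `$(NSS_LIBS)` in `SSSD_LIBS` looks like a link-order fix that the commit message does not mention; a one-line comment such as `# libsss_crypt.la presumably needs NSS symbols, keep it before $(NSS_LIBS)` would stop someone from undoing it later.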
@@ -67,6 +67,12 @@ m4_include([external/python.m4]) m4_include([util/signal.m4]) PKG_CHECK_MODULES([DBUS],[dbus-1]) +dnl if test -n "`$PKG_CONFIG --modversion dbus-1 | grep '^0\.'`" ; then +if ! $PKG_CONFIG --atleast-version 1.0.0 dbus-1; then + DBUS_CFLAGS="$DBUS_CFLAGS -DDBUS_API_SUBJECT_TO_CHANGE" + AC_MSG_RESULT([setting -DDBUS_API_SUBJECT_TO_CHANGE]) +fi + if test x$has_dbus != xno; then SAFE_LDFLAGS="$LDFLAGS" LDFLAGS="$DBUS_LIBS" diff --git a/server/external/krb5.m4 b/server/external/krb5.m4 index 1ed5064..95cd386 100644 --- a/server/external/krb5.m4 +++ b/server/external/krb5.m4 @@ -9,3 +9,31 @@ if test -x "$KRB5_CONFIG"; then else AC_MSG_ERROR(no. Please install MIT kerberos devel package) fi + +SAVE_CFLAGS=$CFLAGS +SAVE_LIBS=$LIBS +CFLAGS="$CFLAGS $KRB5_CFLAGS" +LIBS="$LIBS $KRB5_LIBS" +AC_CHECK_HEADERS([krb5.h krb5/krb5.h]) +AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message]) +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS + +if test x$ac_cv_header_krb5_h != xyes -a x$ac_cv_header_krb5_krb5_h != xyes +then + AC_MSG_ERROR(you must have Kerberos 5 header files to build sssd) +fi + +AC_ARG_ENABLE([krb5-locator-plugin], + [AS_HELP_STRING([--disable-krb5-locator-plugin], + [do not build Kerberos locator plugin])], + [build_locator=$enableval], + [build_locator=yes]) + +AC_CHECK_HEADER([krb5/locate_plugin.h], + [have_locate_plugin=yes], + [have_locate_plugin=no] + [AC_MSG_NOTICE([Kerberos locator plugin cannot be build])]) +AM_CONDITIONAL([BUILD_KRB5_LOCATOR_PLUGIN], + [test x$have_locate_plugin == xyes -a x$build_locator == xyes]) + diff --git a/server/man/sssd_krb5_locator_plugin.8.xml b/server/man/sssd_krb5_locator_plugin.8.xml new file mode 100644 index 0000000..6c60431 --- /dev/null +++ b/server/man/sssd_krb5_locator_plugin.8.xml 
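Review bot: The commented-out `dnl` line carrying the old `--modversion … | grep` version check is dead text left above the new `--atleast-version` test and should be dropped rather than kept as an m4 comment. `AC_MSG_RESULT` is meant to close an `AC_MSG_CHECKING` and none precedes it here, so the output will appear as a stray "setting -DDBUS_API_SUBJECT_TO_CHANGE" result line; `AC_MSG_NOTICE([dbus-1 older than 1.0.0, setting -DDBUS_API_SUBJECT_TO_CHANGE])` is the appropriate form for a free-standing message.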
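Review bot: `test x$have_locate_plugin == xyes -a x$build_locator == xyes` in the new `AM_CONDITIONAL` uses `==`, which POSIX `test` does not define; on a shell whose builtin rejects it (dash as /bin/sh, for example) the expression fails, `BUILD_KRB5_LOCATOR_PLUGIN` silently evaluates false and the plugin is never built even though the header check passed. Use the portable form `[test x$have_locate_plugin = xyes -a x$build_locator = xyes]`. The failure action of `AC_CHECK_HEADER` is written as two adjacent bracketed arguments, `[have_locate_plugin=no] [AC_MSG_NOTICE(...)]`, which m4 joins onto one line; putting the assignment and the notice inside one bracket pair on separate lines is the usual form and does not depend on how the notice expands. The notice text "cannot be build" should read "cannot be built".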
@@ -0,0 +1,89 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sssd_krb5_locator_plugin</refname> + <refpurpose>the configuration file for SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + The Kerberos locator plugin + <command>sssd_krb5_locator_plugin</command> is used by the Kerberos + provider of + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry> + to tell the Kerberos libraries what Realm and which KDC to use. + Typically this is done in + <citerefentry> + <refentrytitle>krb5.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + which is always read by the Kerberos libraries. To simplyfy the + configuration the Realm and the KDC can be defined in + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + as described in + <citerefentry> + <refentrytitle>sssd-krb5.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + </para> + <para> + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry> + puts the Realm and the name or IP address of the KDC into the + enviroment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. + When <command>sssd_krb5_locator_plugin</command> is called by the + kerberos libraries it reads and evaluates these variable and returns + them to the libraries. + </para> + </refsect1> + + <refsect1 id='notes'> + <title>NOTES</title> + <para> + Not all Kerberos implementations support the use of plugins. 
If + <command>sssd_krb5_locator_plugin</command> is not available on + your system you have to edit /etc/krb5.conf to reflect your + Kerberos setup. + </para> + <para> + If the enviroment variable SSSD_KRB5_LOCATOR_DEBUG is set to any + value debug messages will be sent to stderr. + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> +</reference> diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 03e7903..631f708 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -22,10 +22,9 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ - #include <errno.h> #include <sys/time.h> -#include <krb5/krb5.h> + #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index 4e65d9f..9a7807e 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -26,8 +26,15 @@ #ifndef __KRB5_AUTH_H__ #define __KRB5_AUTH_H__ +#include "config.h" + #include <stdbool.h> + +#ifdef HAVE_KRB5_KRB5_H #include <krb5/krb5.h> +#else +#include <krb5.h> +#endif #define MAX_CHILD_MSG_SIZE 255 #define CCACHE_ENV_NAME "KRB5CCNAME" @@ -79,9 +86,6 @@ struct krb5_ctx { action_type action; - int num_pa_opts; - krb5_gic_opt_pa_data *pa_opts; - char *kdcip; char *realm; bool try_simple_upn; diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 3673c74..4f3a62c 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c 
@@ -22,7 +22,6 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#include <krb5/krb5.h> #include <sys/types.h> #include <unistd.h> #include <sys/stat.h> @@ -53,6 +52,7 @@ struct krb5_req { char *ccname; }; +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE static krb5_context krb5_error_ctx; static const char *__krb5_error_msg; #define KRB5_DEBUG(level, krb5_error) do { \ @@ -60,6 +60,11 @@ static const char *__krb5_error_msg; DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg)); \ krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \ } while(0); +#else +#define KRB5_DEBUG(level, krb5_error) do { \ + DEBUG(level, ("%d: kerberos error [%d]\n", __LINE__, krb5_error)); \ +} while(0); +#endif struct response { size_t max_size; @@ -138,6 +143,7 @@ static struct response *prepare_response_message(struct krb5_req *kr, ret = pack_response_packet(resp, PAM_SUCCESS, PAM_ENV_ITEM, msg); talloc_zfree(msg); } else { +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE krb5_msg = krb5_get_error_message(krb5_error_ctx, kerr); if (krb5_msg == NULL) { DEBUG(1, ("krb5_get_error_message failed.\n")); @@ -146,6 +152,11 @@ static struct response *prepare_response_message(struct krb5_req *kr, ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, krb5_msg); krb5_free_error_message(krb5_error_ctx, krb5_msg); +#else + msg = talloc_asprintf(kr, "Kerberos error [%d]", kerr); + ret = pack_response_packet(resp, pam_status, PAM_USER_INFO, msg); + talloc_zfree(msg); +#endif } if (ret != EOK) { @@ -441,8 +452,14 @@ static int krb5_cleanup(void *ptr) struct krb5_req *kr = talloc_get_type(ptr, struct krb5_req); if (kr == NULL) return EOK; - if (kr->options != NULL) + if (kr->options != NULL) { +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC krb5_get_init_creds_opt_free(kr->ctx, kr->options); +#else + free(kr->options); +#endif + } + if (kr->creds != NULL) { krb5_free_cred_contents(kr->ctx, kr->creds); krb5_free_creds(kr->ctx, kr->creds); 
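Review bot: In the `#else` branch added to prepare_response_message (fourth hunk), `msg = talloc_asprintf(kr, "Kerberos error [%d]", kerr);` is handed straight to pack_response_packet without a NULL check, whereas the `HAVE_KRB5_GET_ERROR_MESSAGE` branch directly above tests `krb5_msg == NULL` before using it. Add the same guard, e.g. `if (msg == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); ... }`, taking the same exit the `krb5_msg == NULL` path takes (that path continues outside the hunk). The fallback `KRB5_DEBUG` definition in the third hunk copies the `} while(0);` with its trailing semicolon from the existing macro, so `KRB5_DEBUG(...)` still cannot be used as a single statement before an `else`; since the branch is new, dropping the semicolon there (and in the original definition) would be the normal `do { … } while(0)` form. prepare_response_message begins and ends outside the hunk.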
@@ -539,11 +556,21 @@ static int krb5_setup(struct pam_data *pd, const char *user_princ_str, goto failed; } +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC kerr = krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options); if (kerr != 0) { KRB5_DEBUG(1, kerr); goto failed; } +#else + kr->options = calloc(1, sizeof(krb5_get_init_creds_opt)); + if (kr->options == NULL) { + DEBUG(1, ("calloc failed.\n")); + kerr = ENOMEM; + goto failed; + } + krb5_get_init_creds_opt_init(&kr->options); +#endif /* TODO: set options, e.g. * krb5_get_init_creds_opt_set_tkt_life -- 1.6.2.5
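Review bot: `krb5_get_init_creds_opt_init(&kr->options);` in the new `#else` branch passes the address of the pointer field, but the preceding lines show `kr->options` is itself the `krb5_get_init_creds_opt *` just returned by calloc, and `krb5_get_init_creds_opt_init` takes that pointer directly. With the extra `&` the initializer would treat the pointer member inside `struct krb5_req` as the options struct, presumably clobbering the fields that follow it while leaving the freshly allocated block untouched; the compiler should at least warn about the incompatible pointer type. The call should be `krb5_get_init_creds_opt_init(kr->options);`. Separately, the calloc failure path stores `ENOMEM` in `kerr`; if the `failed:` label (outside the hunk) reports `kerr` through `KRB5_DEBUG` as a Kerberos error code, an errno value would be misreported there, so that exit path is worth checking. krb5_setup starts before the hunk and continues past it.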