From 092982212a8df87234f588a92f5240a724521352 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Jun 20 2011 17:34:21 +0000
Subject: - apply upstream patch by way of Burt Holzman to fall back to a non-referral method in cases where we might be derailed by a KDC that rejects the canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
---
diff --git a/krb5-1.9-canonicalize-fallback.patch b/krb5-1.9-canonicalize-fallback.patch
new file mode 100644
index 0000000..897910b
--- /dev/null
+++ b/krb5-1.9-canonicalize-fallback.patch
@@ -0,0 +1,59 @@
+From RT#6917.
+
+--- a/src/lib/krb5/krb/get_creds.c
++++ b/src/lib/krb5/krb/get_creds.c
+@@ -466,13 +466,10 @@ begin_non_referral(krb5_context context, krb5_tkt_creds_context ctx)
+ 
+ /***** STATE_REFERRALS *****/
+ 
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm. Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+ krb5_error_code code;
+ char **hrealms;
+@@ -481,9 +478,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+ 
+- /* Only fall back if the original request used the referral realm. */
++ /* If the request used a specified realm, make a non-referral request to
++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ 
+ if (ctx->server->length < 2) {
+ /* We need a type/host format principal to find a fallback realm. */
+@@ -496,10 +494,10 @@ try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+ if (code != 0)
+ return code;
+ 
+- /* Give up if the fallback realm isn't any different. */
++ /* If the fallback realm isn't any different, use the existing TGT. */
+ if (data_eq_string(ctx->server->realm, hrealms[0])) {
+ krb5_free_host_realm(context, hrealms);
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ }
+ 
+ /* Rewrite server->realm to be the fallback realm. */
+@@ -536,9 +534,9 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
+ krb5_error_code code;
+ const krb5_data *referral_realm;
+ 
+- /* Possibly retry with the fallback realm on error. */
++ /* Possibly try a non-referral fallback request on error. */
+ if (ctx->reply_code != 0)
+- return try_fallback_realm(context, ctx);
++ return try_fallback(context, ctx);
+ 
+ if (krb5_principal_compare(context, ctx->reply_creds->server,
+ ctx->server)) {
diff --git a/krb5.spec b/krb5.spec
index 75f563d..f7a77fa 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -54,6 +54,7 @@ Patch77: krb5-1.9-paren.patch
 Patch78: krb5-trunk-chpw-err.patch
 Patch79: krb5-klist_s.patch
 Patch80: krb5-trunk-kadmin-oldproto.patch
+Patch81: krb5-1.9-canonicalize-fallback.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -199,6 +200,7 @@ ln -s NOTICE LICENSE
 %patch78 -p0 -b .chpw-err
 %patch79 -p1 -b .klist_s
 %patch80 -p0 -b .kadmin-oldproto
+%patch81 -p1 -b .canonicalize-fallback
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -658,6 +660,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Mon Jun 20 2011 Nalin Dahyabhai 1.9.1-4
+- apply upstream patch by way of Burt Holzman to fall back to a non-referral
+ method in cases where we might be derailed by a KDC that rejects the
+ canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
+
 * Tue Jun 14 2011 Nalin Dahyabhai 1.9.1-3
 - pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
 using the old protocol over IPv4 again (RT#6920)
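Review bot: Both new `return begin_non_referral(context, ctx);` calls in try_fallback are reached for every non-zero ctx->reply_code, because step_referrals now calls try_fallback on any error rather than only on errors that indicate the KDC rejected KDC_OPT_CANONICALIZE; a genuine unknown-principal reply from a KDC that does honour canonicalization therefore costs a second, non-referral round trip to the same realm before the error is reported to the caller. The new header comment on try_fallback should make that explicit, e.g. `/* Reached on any referral-request error; the non-referral retry is attempted even when the error was not a rejection of KDC_OPT_CANONICALIZE, so a bad name is reported only after the second request fails. */`. begin_non_referral is defined outside this hunk, so whether it clears ctx->reply_code before issuing the new request, and which error is surfaced if that request also fails, cannot be confirmed from here and is worth a sentence in the same comment. try_fallback's body continues past the `Rewrite server->realm` comment at the end of its last inner hunk.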