From patchwork Fri Mar 29 09:48:32 2013
X-Patchwork-Submitter: Alex Dubov
X-Patchwork-Id: 2364831
From: oakad@yahoo.com
To: simo@redhat.com
Cc: steved@redhat.com, linux-nfs@vger.kernel.org, Alex Dubov
Subject: [PATCH] Fix compilation against Heimdal kerberos implementation
Date: Fri, 29 Mar 2013 20:48:32 +1100
Message-Id: <1364550512-14832-1-git-send-email-oakad@yahoo.com>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Alex Dubov

There appear to be only 3 issues remaining with Heimdal after removal of compulsory dependency on libgssglue:

1. On some systems, only libroken.so is available (small fix to kerberos5.m4)

2. krb5_util.c:check_for_target - Heimdal variant constructs a "pattern" principal and uses krb5_cc_retrieve_cred to get a matching credential. This should work on mit-krb5, so old method of iterating over every credential in cache may possibly be dropped outright and "#$if" guard omitted. For the sake of the above I reformatted the old approach to make it a bit more clear what's going on there.

3. krb5_util.c:gssd_k5_err_msg - krb5_get_err_text is marked as deprecated, at least on Heimdal. If krb5_get_error_message is available, it should not be reached at all, thus "#elif" guard.

Signed-off-by: Alex Dubov
---
 aclocal/kerberos5.m4   |    7 +++--
 utils/gssd/krb5_util.c |   55 ++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 46 insertions(+), 16 deletions(-)

diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4 index 0bf35d3..ebf6f20 100644 --- a/aclocal/kerberos5.m4 +++ b/aclocal/kerberos5.m4 
@@ -56,9 +56,10 @@ AC_DEFUN([AC_KERBEROS_V5],[ break dnl The following ugly hack brought on by the split installation dnl of Heimdal Kerberos on SuSe - elif test \( -f $dir/include/heim_err.h -o\ - -f $dir/include/heimdal/heim_err.h \) -a \ - -f $dir/lib/libroken.a; then + elif test \( \( -f $dir/include/heim_err.h -o\ + -f $dir/include/heimdal/heim_err.h \) -a \ + \( -f $dir/lib/libroken.a -o\ + -f $dir/lib/libroken.so \) \) ; then AC_DEFINE(HAVE_HEIMDAL, 1, [Define this if you have Heimdal Kerberos libraries]) KRBDIR="$dir" gssapi_lib=gssapi diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 20b55b3..adef268 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c 
@@ -958,29 +958,57 @@ check_for_tgt(krb5_context context, krb5_ccache ccache, { krb5_error_code ret; krb5_creds creds; - krb5_cc_cursor cur; int found = 0; +#if HAVE_HEIMDAL + krb5_creds pattern; + krb5_const_realm client_realm; + + krb5_cc_clear_mcred(&pattern); + + client_realm = krb5_principal_get_realm(context, principal); + + ret = krb5_make_principal(context, &pattern.server, + client_realm, KRB5_TGS_NAME, client_realm, + NULL); + if (ret) { + krb5_err(context, 1, ret, "krb5_make_principal"); + return 0; + } + + pattern.client = principal; + + ret = krb5_cc_retrieve_cred(context, ccache, 0, &pattern, &creds); + krb5_free_principal(context, pattern.server); + + if (ret) { + if (ret != KRB5_CC_END) + krb5_err(context, 1, ret, "krb5_cc_retrieve_cred"); + } else + found = creds.times.endtime > time(NULL); + + krb5_free_cred_contents(context, &creds); +#else + krb5_cc_cursor cur; ret = krb5_cc_start_seq_get(context, ccache, &cur); if (ret) return 0; while (!found && (ret = krb5_cc_next_cred(context, ccache, &cur, &creds)) == 0) { - if (creds.server->length == 2 && - data_is_equal(creds.server->realm, - principal->realm) && - creds.server->data[0].length == 6 && - memcmp(creds.server->data[0].data, - "krbtgt", 6) == 0 && - data_is_equal(creds.server->data[1], - principal->realm) && - creds.times.endtime > time(NULL)) - found = 1; + if ( + creds.server->length == 2 + && data_is_equal(creds.server->realm, principal->realm) + && creds.server->data[0].length == 6 + && memcmp(creds.server->data[0].data, "krbtgt", 6) == 0 + && data_is_equal(creds.server->data[1], + principal->realm) + && creds.times.endtime > time(NULL) + ) found = 1; krb5_free_cred_contents(context, &creds); } krb5_cc_end_seq_get(context, ccache, &cur); - +#endif return found; } 
@@ -1326,12 +1354,13 @@ gssd_k5_err_msg(krb5_context context, krb5_error_code code) return msg; #if HAVE_KRB5 return strdup(error_message(code)); -#else +#elif !HAVE_KRB5_GET_ERROR_MESSAGE if (context != NULL) return strdup(krb5_get_err_text(context, code)); else return strdup(error_message(code)); #endif + return NULL; } /*
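Review bot: In the aclocal/kerberos5.m4 hunk, the new condition nests `\( ... \)` groups with `-a` and `-o` inside a single `test`, a form POSIX marks obsolescent and the Autoconf manual advises against because shells do not parse it consistently. Separate `test` calls joined by the shell's own operators express the same check portably, for example `{ test -f $dir/include/heim_err.h || test -f $dir/include/heimdal/heim_err.h; } && { test -f $dir/lib/libroken.a || test -f $dir/lib/libroken.so; }`. The probe also still looks only under `$dir/lib`, so a libroken.so installed in another library directory is not detected.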
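Review bot: In the check_for_tgt hunk of utils/gssd/krb5_util.c, the HAVE_HEIMDAL branch calls `krb5_free_cred_contents(context, &creds);` unconditionally, including after `krb5_cc_retrieve_cred` has failed, and nothing in the visible lines initialises `creds` first; the ordinary "no matching TGT" result (`KRB5_CC_END`) therefore frees an uninitialised structure. Move the free into the `else` branch where `creds` was actually filled, or `memset` `creds` to zero before the lookup. Separately, Heimdal's `krb5_err(context, 1, ret, ...)` prints the message and then calls `exit(1)`, so the `return 0;` after the `krb5_make_principal` failure is never reached and any cache error other than `KRB5_CC_END` terminates the daemon; `krb5_warn` reports the error and lets the function return 0 as the old code did for a failed `krb5_cc_start_seq_get`.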
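Review bot: In the gssd_k5_err_msg hunk of utils/gssd/krb5_util.c, the added `return NULL;` gives the function a path on which it hands back NULL, where every branch in the visible lines previously returned a `strdup`'d string. With `HAVE_KRB5_GET_ERROR_MESSAGE` set and `HAVE_KRB5` unset, the old `#else` branch and its `error_message(code)` fallback for a NULL context are compiled out, so any fall-through from the code above the hunk now reaches that NULL, and callers that pass the result straight to a format string would need a check. Ending the function with `return strdup(error_message(code));` instead keeps the previous contract. When `HAVE_KRB5` is set, the new statement follows an unconditional `return` and is unreachable, which some compilers will warn about.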