[arch-commits] Commit in krb5/repos (16 files)
Stéphane Gaudreault
stephane at archlinux.org
Wed Dec 7 21:28:52 UTC 2011
Date: Wednesday, December 7, 2011 @ 16:28:52
Author: stephane
Revision: 144605
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
krb5/repos/testing-i686/
krb5/repos/testing-i686/PKGBUILD
(from rev 144604, krb5/trunk/PKGBUILD)
krb5/repos/testing-i686/krb5-1.9.1-2011-007.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-2011-007.patch)
krb5/repos/testing-i686/krb5-1.9.1-canonicalize-fallback.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-canonicalize-fallback.patch)
krb5/repos/testing-i686/krb5-1.9.1-config-script.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-config-script.patch)
krb5/repos/testing-i686/krb5-kadmind
(from rev 144604, krb5/trunk/krb5-kadmind)
krb5/repos/testing-i686/krb5-kdc
(from rev 144604, krb5/trunk/krb5-kdc)
krb5/repos/testing-i686/krb5-kpropd
(from rev 144604, krb5/trunk/krb5-kpropd)
krb5/repos/testing-x86_64/
krb5/repos/testing-x86_64/PKGBUILD
(from rev 144604, krb5/trunk/PKGBUILD)
krb5/repos/testing-x86_64/krb5-1.9.1-2011-007.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-2011-007.patch)
krb5/repos/testing-x86_64/krb5-1.9.1-canonicalize-fallback.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-canonicalize-fallback.patch)
krb5/repos/testing-x86_64/krb5-1.9.1-config-script.patch
(from rev 144604, krb5/trunk/krb5-1.9.1-config-script.patch)
krb5/repos/testing-x86_64/krb5-kadmind
(from rev 144604, krb5/trunk/krb5-kadmind)
krb5/repos/testing-x86_64/krb5-kdc
(from rev 144604, krb5/trunk/krb5-kdc)
krb5/repos/testing-x86_64/krb5-kpropd
(from rev 144604, krb5/trunk/krb5-kpropd)
-------------------------------------------------------+
testing-i686/PKGBUILD | 90 ++++++++++++++++
testing-i686/krb5-1.9.1-2011-007.patch | 40 +++++++
testing-i686/krb5-1.9.1-canonicalize-fallback.patch | 58 ++++++++++
testing-i686/krb5-1.9.1-config-script.patch | 27 ++++
testing-i686/krb5-kadmind | 40 +++++++
testing-i686/krb5-kdc | 40 +++++++
testing-i686/krb5-kpropd | 40 +++++++
testing-x86_64/PKGBUILD | 90 ++++++++++++++++
testing-x86_64/krb5-1.9.1-2011-007.patch | 40 +++++++
testing-x86_64/krb5-1.9.1-canonicalize-fallback.patch | 58 ++++++++++
testing-x86_64/krb5-1.9.1-config-script.patch | 27 ++++
testing-x86_64/krb5-kadmind | 40 +++++++
testing-x86_64/krb5-kdc | 40 +++++++
testing-x86_64/krb5-kpropd | 40 +++++++
14 files changed, 670 insertions(+)
Copied: krb5/repos/testing-i686/PKGBUILD (from rev 144604, krb5/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,90 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+
+pkgname=krb5
+pkgver=1.9.2
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+provides=('heimdal')
+replaces=('heimdal')
+conflicts=('heimdal')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-signed.tar
+ krb5-kadmind
+ krb5-kdc
+ krb5-kpropd
+ krb5-1.9.1-config-script.patch
+ krb5-1.9.1-2011-007.patch)
+sha1sums=('aa06f778ee1f9791cd4c5cf4c9e9465769ffec92'
+ '2aa229369079ed1bbb201a1ef72c47bf143f4dbe'
+ '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
+ '7f402078fa65bb9ff1beb6cbbbb017450df78560'
+ '7342410760cf44bfa01bb99bb4c49e12496cb46f'
+ 'ec917dd1d1c96fa331f512331d5aa37c2e9b9df7')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ # - Make krb5-config suppress CFLAGS output when called with --libs
+ # cf https://bugzilla.redhat.com/show_bug.cgi?id=544391
+ #
+ # - Omit extra libraries because their interfaces are not exposed to applications
+ # by libkrb5, unless do_deps is set to 1, which indicates that the caller
+ # wants the whole list.
+ #
+ # Patch from upstream :
+ # http://anonsvn.mit.edu/viewvc/krb5/trunk/src/krb5-config.in?r1=23662&r2=25236
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-config-script.patch
+
+ # Apply upstream patch to fix a null pointer dereference when processing TGS requests
+ # CVE-2011-1530
+ # see http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-007.patch
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kdc "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kadmind "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kpropd "${pkgdir}"/etc/rc.d
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}
Copied: krb5/repos/testing-i686/krb5-1.9.1-2011-007.patch (from rev 144604, krb5/trunk/krb5-1.9.1-2011-007.patch)
===================================================================
--- testing-i686/krb5-1.9.1-2011-007.patch (rev 0)
+++ testing-i686/krb5-1.9.1-2011-007.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
Copied: krb5/repos/testing-i686/krb5-1.9.1-canonicalize-fallback.patch (from rev 144604, krb5/trunk/krb5-1.9.1-canonicalize-fallback.patch)
===================================================================
--- testing-i686/krb5-1.9.1-canonicalize-fallback.patch (rev 0)
+++ testing-i686/krb5-1.9.1-canonicalize-fallback.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,58 @@
+diff -Naur krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c krb5-1.9.1/src/lib/krb5/krb/get_creds.c
+--- krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c 2011-02-09 16:55:36.000000000 -0500
++++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c 2011-09-26 18:42:01.465190278 -0400
+@@ -470,13 +470,10 @@
+
+ /***** STATE_REFERRALS *****/
+
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm. Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+ krb5_error_code code;
+ char **hrealms;
+@@ -485,9 +482,10 @@
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+
+- /* Only fall back if the original request used the referral realm. */
++ /* If the request used a specified realm, make a non-referral request to
++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+
+ if (ctx->server->length < 2) {
+ /* We need a type/host format principal to find a fallback realm. */
+@@ -500,10 +498,10 @@
+ if (code != 0)
+ return code;
+
+- /* Give up if the fallback realm isn't any different. */
++ /* If the fallback realm isn't any different, use the existing TGT. */
+ if (data_eq_string(ctx->server->realm, hrealms[0])) {
+ krb5_free_host_realm(context, hrealms);
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ }
+
+ /* Rewrite server->realm to be the fallback realm. */
+@@ -540,9 +538,9 @@
+ krb5_error_code code;
+ const krb5_data *referral_realm;
+
+- /* Possibly retry with the fallback realm on error. */
++ /* Possibly try a non-referral fallback request on error. */
+ if (ctx->reply_code != 0)
+- return try_fallback_realm(context, ctx);
++ return try_fallback(context, ctx);
+
+ if (krb5_principal_compare(context, ctx->reply_creds->server,
+ ctx->server)) {
Copied: krb5/repos/testing-i686/krb5-1.9.1-config-script.patch (from rev 144604, krb5/trunk/krb5-1.9.1-config-script.patch)
===================================================================
--- testing-i686/krb5-1.9.1-config-script.patch (rev 0)
+++ testing-i686/krb5-1.9.1-config-script.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,27 @@
+diff -Naur krb5-1.9.1.ori/src/krb5-config.in krb5-1.9.1/src/krb5-config.in
+--- krb5-1.9.1.ori/src/krb5-config.in 2010-01-19 13:44:57.000000000 -0500
++++ krb5-1.9.1/src/krb5-config.in 2011-09-26 18:27:09.018487087 -0400
+@@ -186,7 +186,7 @@
+ -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
++ -e 's#\$(CFLAGS)##'`
+
+ if test $library = 'kdb'; then
+ lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+@@ -214,9 +214,13 @@
+ fi
+
+ if test $library = 'krb5'; then
+- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
+ fi
+
++ # If we ever support a flag to generate output suitable for static
++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
++ # here.
++
+ echo $lib_flags
+ fi
+
Copied: krb5/repos/testing-i686/krb5-kadmind (from rev 144604, krb5/trunk/krb5-kadmind)
===================================================================
--- testing-i686/krb5-kadmind (rev 0)
+++ testing-i686/krb5-kadmind 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kadmind`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Admin Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kadmind
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kadmind
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Admin Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kadmind
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
Copied: krb5/repos/testing-i686/krb5-kdc (from rev 144604, krb5/trunk/krb5-kdc)
===================================================================
--- testing-i686/krb5-kdc (rev 0)
+++ testing-i686/krb5-kdc 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/krb5kdc`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Authentication"
+ if [ -z "$PID" ]; then
+ /usr/sbin/krb5kdc
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Authentication"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
Copied: krb5/repos/testing-i686/krb5-kpropd (from rev 144604, krb5/trunk/krb5-kpropd)
===================================================================
--- testing-i686/krb5-kpropd (rev 0)
+++ testing-i686/krb5-kpropd 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kpropd`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Database Propagation Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kpropd -S
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon kpropd
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Database Propagation Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon kpropd
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
Copied: krb5/repos/testing-x86_64/PKGBUILD (from rev 144604, krb5/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,90 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+
+pkgname=krb5
+pkgver=1.9.2
+pkgrel=2
+pkgdesc="The Kerberos network authentication system"
+arch=('i686' 'x86_64')
+url="http://web.mit.edu/kerberos/"
+license=('custom')
+depends=('e2fsprogs' 'libldap' 'keyutils')
+makedepends=('perl')
+provides=('heimdal')
+replaces=('heimdal')
+conflicts=('heimdal')
+backup=('etc/krb5.conf' 'var/lib/krb5kdc/kdc.conf')
+source=(http://web.mit.edu/kerberos/dist/${pkgname}/1.9/${pkgname}-${pkgver}-signed.tar
+ krb5-kadmind
+ krb5-kdc
+ krb5-kpropd
+ krb5-1.9.1-config-script.patch
+ krb5-1.9.1-2011-007.patch)
+sha1sums=('aa06f778ee1f9791cd4c5cf4c9e9465769ffec92'
+ '2aa229369079ed1bbb201a1ef72c47bf143f4dbe'
+ '77d2312ecd8bf12a6e72cc8fd871a8ac93b23393'
+ '7f402078fa65bb9ff1beb6cbbbb017450df78560'
+ '7342410760cf44bfa01bb99bb4c49e12496cb46f'
+ 'ec917dd1d1c96fa331f512331d5aa37c2e9b9df7')
+options=('!emptydirs')
+
+build() {
+ tar zxvf ${pkgname}-${pkgver}.tar.gz
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+
+ # - Make krb5-config suppress CFLAGS output when called with --libs
+ # cf https://bugzilla.redhat.com/show_bug.cgi?id=544391
+ #
+ # - Omit extra libraries because their interfaces are not exposed to applications
+ # by libkrb5, unless do_deps is set to 1, which indicates that the caller
+ # wants the whole list.
+ #
+ # Patch from upstream :
+ # http://anonsvn.mit.edu/viewvc/krb5/trunk/src/krb5-config.in?r1=23662&r2=25236
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-config-script.patch
+
+ # Apply upstream patch to fix a null pointer dereference when processing TGS requests
+ # CVE-2011-1530
+ # see http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt
+ patch -Np2 -i ${srcdir}/krb5-1.9.1-2011-007.patch
+
+ # FS#25384
+ sed -i "/KRB5ROOT=/s/\/local//" util/ac_check_krb5.m4
+
+ export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all"
+ export CPPFLAGS+=" -I/usr/include/et"
+ ./configure --prefix=/usr \
+ --mandir=/usr/share/man \
+ --localstatedir=/var/lib \
+ --enable-shared \
+ --with-system-et \
+ --with-system-ss \
+ --disable-rpath \
+ --without-tcl \
+ --enable-dns-for-realm \
+ --with-ldap
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}/src"
+ make DESTDIR="${pkgdir}" EXAMPLEDIR="/usr/share/doc/${pkgname}/examples" install
+
+ # Sample KDC config file
+ install -dm 755 "${pkgdir}"/var/lib/krb5kdc
+ install -pm 644 config-files/kdc.conf "${pkgdir}"/var/lib/krb5kdc/kdc.conf
+
+ # Default configuration file
+ install -dm 755 "${pkgdir}"/etc
+ install -pm 644 config-files/krb5.conf "${pkgdir}"/etc/krb5.conf
+
+ install -dm 755 "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kdc "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kadmind "${pkgdir}"/etc/rc.d
+ install -m 755 ../../krb5-kpropd "${pkgdir}"/etc/rc.d
+
+ install -dm 755 "${pkgdir}"/usr/share/aclocal
+ install -m 644 util/ac_check_krb5.m4 "${pkgdir}"/usr/share/aclocal
+
+ install -Dm644 "${srcdir}"/${pkgname}-${pkgver}/NOTICE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE
+}
Copied: krb5/repos/testing-x86_64/krb5-1.9.1-2011-007.patch (from rev 144604, krb5/trunk/krb5-1.9.1-2011-007.patch)
===================================================================
--- testing-x86_64/krb5-1.9.1-2011-007.patch (rev 0)
+++ testing-x86_64/krb5-1.9.1-2011-007.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
+index f46cad3..102fbaa 100644
+--- a/src/kdc/Makefile.in
++++ b/src/kdc/Makefile.in
+@@ -67,6 +67,7 @@ check-unix:: rtest
+
+ check-pytests::
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+
+ install::
+ $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index c169c54..840a2ef 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -243,7 +243,8 @@ tgt_again:
+ if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+ errcode = find_alternate_tgs(request, &server);
+ firstpass = 0;
+- goto tgt_again;
++ if (errcode == 0)
++ goto tgt_again;
+ }
+ }
+ status = "UNKNOWN_SERVER";
+diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
+new file mode 100644
+index 0000000..1760bcd
+--- /dev/null
++++ b/src/kdc/t_emptytgt.py
+@@ -0,0 +1,8 @@
++#!/usr/bin/python
++from k5test import *
++
++realm = K5Realm(start_kadmind=False, create_host=False)
++output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
++if 'not found in Kerberos database' not in output:
++ fail('TGT lookup for empty realm failed in unexpected way')
++success('Empty tgt lookup.')
Copied: krb5/repos/testing-x86_64/krb5-1.9.1-canonicalize-fallback.patch (from rev 144604, krb5/trunk/krb5-1.9.1-canonicalize-fallback.patch)
===================================================================
--- testing-x86_64/krb5-1.9.1-canonicalize-fallback.patch (rev 0)
+++ testing-x86_64/krb5-1.9.1-canonicalize-fallback.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,58 @@
+diff -Naur krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c krb5-1.9.1/src/lib/krb5/krb/get_creds.c
+--- krb5-1.9.1.ori/src/lib/krb5/krb/get_creds.c 2011-02-09 16:55:36.000000000 -0500
++++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c 2011-09-26 18:42:01.465190278 -0400
+@@ -470,13 +470,10 @@
+
+ /***** STATE_REFERRALS *****/
+
+-/*
+- * Possibly retry a request in the fallback realm after a referral request
+- * failure in the local realm. Expects ctx->reply_code to be set to the error
+- * from a referral request.
+- */
++/* Possibly try a non-referral request after a referral request failure.
++ * Expects ctx->reply_code to be set to the error from a referral request. */
+ static krb5_error_code
+-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
++try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
+ {
+ krb5_error_code code;
+ char **hrealms;
+@@ -485,9 +482,10 @@
+ if (ctx->referral_count > 1)
+ return ctx->reply_code;
+
+- /* Only fall back if the original request used the referral realm. */
++ /* If the request used a specified realm, make a non-referral request to
++ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
+ if (!krb5_is_referral_realm(&ctx->req_server->realm))
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+
+ if (ctx->server->length < 2) {
+ /* We need a type/host format principal to find a fallback realm. */
+@@ -500,10 +498,10 @@
+ if (code != 0)
+ return code;
+
+- /* Give up if the fallback realm isn't any different. */
++ /* If the fallback realm isn't any different, use the existing TGT. */
+ if (data_eq_string(ctx->server->realm, hrealms[0])) {
+ krb5_free_host_realm(context, hrealms);
+- return ctx->reply_code;
++ return begin_non_referral(context, ctx);
+ }
+
+ /* Rewrite server->realm to be the fallback realm. */
+@@ -540,9 +538,9 @@
+ krb5_error_code code;
+ const krb5_data *referral_realm;
+
+- /* Possibly retry with the fallback realm on error. */
++ /* Possibly try a non-referral fallback request on error. */
+ if (ctx->reply_code != 0)
+- return try_fallback_realm(context, ctx);
++ return try_fallback(context, ctx);
+
+ if (krb5_principal_compare(context, ctx->reply_creds->server,
+ ctx->server)) {
Copied: krb5/repos/testing-x86_64/krb5-1.9.1-config-script.patch (from rev 144604, krb5/trunk/krb5-1.9.1-config-script.patch)
===================================================================
--- testing-x86_64/krb5-1.9.1-config-script.patch (rev 0)
+++ testing-x86_64/krb5-1.9.1-config-script.patch 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,27 @@
+diff -Naur krb5-1.9.1.ori/src/krb5-config.in krb5-1.9.1/src/krb5-config.in
+--- krb5-1.9.1.ori/src/krb5-config.in 2010-01-19 13:44:57.000000000 -0500
++++ krb5-1.9.1/src/krb5-config.in 2011-09-26 18:27:09.018487087 -0400
+@@ -186,7 +186,7 @@
+ -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
+ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
++ -e 's#\$(CFLAGS)##'`
+
+ if test $library = 'kdb'; then
+ lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+@@ -214,9 +214,13 @@
+ fi
+
+ if test $library = 'krb5'; then
+- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
+ fi
+
++ # If we ever support a flag to generate output suitable for static
++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
++ # here.
++
+ echo $lib_flags
+ fi
+
Copied: krb5/repos/testing-x86_64/krb5-kadmind (from rev 144604, krb5/trunk/krb5-kadmind)
===================================================================
--- testing-x86_64/krb5-kadmind (rev 0)
+++ testing-x86_64/krb5-kadmind 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kadmind`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Admin Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kadmind
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kadmind
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Admin Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kadmind
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
Copied: krb5/repos/testing-x86_64/krb5-kdc (from rev 144604, krb5/trunk/krb5-kdc)
===================================================================
--- testing-x86_64/krb5-kdc (rev 0)
+++ testing-x86_64/krb5-kdc 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/krb5kdc`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Authentication"
+ if [ -z "$PID" ]; then
+ /usr/sbin/krb5kdc
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Authentication"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon krb5-kdc
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
Copied: krb5/repos/testing-x86_64/krb5-kpropd (from rev 144604, krb5/trunk/krb5-kpropd)
===================================================================
--- testing-x86_64/krb5-kpropd (rev 0)
+++ testing-x86_64/krb5-kpropd 2011-12-07 21:28:52 UTC (rev 144605)
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# general config
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+PID=`pidof -o %PPID /usr/sbin/kpropd`
+case "$1" in
+ start)
+ stat_busy "Starting Kerberos Database Propagation Daemon"
+ if [ -z "$PID" ]; then
+ /usr/sbin/kpropd -S
+ fi
+ if [ ! -z "$PID" -o $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon kpropd
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Kerberos Database Propagation Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon kpropd
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+ ;;
+esac
+exit 0
More information about the arch-commits
mailing list