Commit eb7f459c authored by Russ Allbery's avatar Russ Allbery

Massive update of Kerberos compatibility code

If krb5-config produces results that don't work for Kerberos probes,
fall back on manual library probing rather than just failing.

If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5.  If krb5-config isn't
executable, don't use it.  This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.

Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.

Add separate --with-krb5-lib and --with-krb5-include configure options
to set the library and include directories independently, and handle
lib64 systems better and more automatically.

Import the new Kerberos compatibility layer from rra-c-util and
supplement it with the principal manipulation functions needed here.
Take advantage of it to massively simplify the code.
parent 17620150
......@@ -9,7 +9,11 @@
/config.status
/configure
/libtool
/m4/
/m4/libtool.m4
/m4/ltoptions.m4
/m4/ltsugar.m4
/m4/ltversion.m4
/m4/lt~obsolete.m4
/stamp-h1
/tools/krb5-sync
/tools/krb5-sync-backend.8
......
......@@ -10,20 +10,24 @@ ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = LICENSE autogen patches/README patches/mit-krb5-1.4.4 \
patches/stanford-krb5-1.4.4 tools/krb5-sync.pod
AM_CPPFLAGS = $(KRB5_CPPFLAGS)
noinst_LTLIBRARIES = portable/libportable.la
portable_libportable_la_SOURCES = portable/dummy.c portable/macros.h \
portable/stdbool.h portable/system.h
portable_libportable_la_LIBADD = $(LTLIBOBJS)
portable_libportable_la_SOURCES = portable/dummy.c portable/krb5-extra.c \
portable/krb5.h portable/macros.h portable/stdbool.h \
portable/system.h
portable_libportable_la_LDFLAGS = $(KRB5_LDFLAGS)
portable_libportable_la_LIBADD = $(LTLIBOBJS) $(KRB5_LIBS)
# Put the module into /usr/local/lib/kadmind by default, relative to --libdir.
moduledir = $(libdir)/kadmind
# Rules for building the password synchronization plugin.
module_LTLIBRARIES = plugin/passwd_update.la
plugin_passwd_update_la_LDFLAGS = -module -avoid-version
plugin_passwd_update_la_SOURCES = plugin/ad.c plugin/api.c plugin/error.c \
plugin/internal.h plugin/heimdal.c plugin/queue.c
plugin_passwd_update_la_LIBADD = portable/libportable.la
plugin_passwd_update_la_LDFLAGS = -module -avoid-version $(KRB5_LDFLAGS)
plugin_passwd_update_la_LIBADD = portable/libportable.la $(KRB5_LIBS)
# Rules for building the krb5-sync utility. We specify the CFLAGS to work
# around Automake's inability to link libtool objects into a program that
......@@ -33,7 +37,8 @@ plugin_passwd_update_la_LIBADD = portable/libportable.la
sbin_PROGRAMS = tools/krb5-sync
tools_krb5_sync_SOURCES = tools/krb5-sync.c $(plugin_passwd_update_la_SOURCES)
tools_krb5_sync_CFLAGS = $(AM_CFLAGS)
tools_krb5_sync_LDADD = portable/libportable.la
tools_krb5_sync_LDFLAGS = $(KRB5_LDFLAGS)
tools_krb5_sync_LDADD = portable/libportable.la $(KRB5_LIBS)
# Rules for the krb5-sync-backend script.
dist_sbin_SCRIPTS = tools/krb5-sync-backend
......
......@@ -5,17 +5,33 @@ krb5-sync 2.0 (unreleased)
Dropped support for AFS synchronization and all Kerberos v4 support.
This package now only synchronizes with Active Directory.
Add plugin support for the proposed kadmin hooks for Heimdal.
Add plugin support for the proposed kadmin hooks for Heimdal and
ported the code to Heimdal as well as MIT Kerberos.
Add an ad_ldap_base configuration option to specify the base DN for
Active Directory. Patch from Andreas Johansson.
Ignore connection timeouts from AD when running the queue with
krb5-sync-backend in silent mode.
For Kerberos libraries without krb5-config, also check for networking
libraries (-lsocket and friends) before checking for Kerberos
libraries in case shared library dependencies are broken.
Ignore connection timeouts from AD when running the queue with
krb5-sync-backend in silent mode.
If krb5-config produces results that don't work for Kerberos probes,
fall back on manual library probing rather than just failing.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb5. If krb5-config isn't
executable, don't use it. This allows one to force library probing by
setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
Add separate --with-krb5-lib and --with-krb5-include configure options
to set the library and include directories independently, and handle
lib64 systems better and more automatically.
Enable Automake silent rules. For a quieter build, pass the
--enable-silent-rules option to configure or build with make V=0.
......
......@@ -147,11 +147,22 @@ INSTALLATION
./configure --with-krb5=/usr/pubsw
You can also individually set the paths to the include directory and the
library directory with --with-krb5-include and --with-krb5-lib. You may
need to do this if Autoconf can't figure out whether to use lib, lib32,
or lib64 on your platform. Note that these settings aren't used if a
krb5-config script is found.
To specify a particular krb5-config script to use, either set the
KRB5_CONFIG environment variable or pass it to configure like:
./configure KRB5_CONFIG=/path/to/krb5-config
To not use krb5-config and force library probing even if there is a
krb5-config script on your path, set KRB5_CONFIG to a nonexistent path:
./configure KRB5_CONFIG=/nonexistent
You can pass the --enable-reduced-depends flag to configure to try to
minimize the shared library dependencies encoded in the binaries. This
omits from the link line all the libraries included solely because the
......
......@@ -22,12 +22,15 @@ AM_DISABLE_STATIC
AC_PROG_LIBTOOL
RRA_LIB_KRB5
RRA_LIB_KRB5_SET
RRA_LIB_KRB5_SWITCH
AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc \
krb5_get_init_creds_opt_set_default_flags \
krb5_principal_get_comp_string \
krb5_principal_get_num_comp \
krb5_principal_get_realm \
krb5_principal_set_realm \
krb5_xfree])
RRA_LIB_KRB5_RESTORE
AC_SEARCH_LIBS([ldap_initialize], [ldap])
AC_HEADER_STDBOOL
......
dnl lib-depends.m4 -- Provides option to change library probes.
dnl Provides option to change library probes.
dnl
dnl This file provides RRA_ENABLE_REDUCED_DEPENDS, which adds the configure
dnl option --enable-reduced-depends to request that library probes assume
......@@ -12,11 +12,12 @@ dnl
dnl Written by Russ Allbery <rra@stanford.edu>
dnl Copyright 2005, 2006, 2007
dnl Board of Trustees, Leland Stanford Jr. University
dnl
dnl See LICENSE for licensing terms.
AC_DEFUN([RRA_ENABLE_REDUCED_DEPENDS],
[rra_reduced_depends=false
AC_ARG_ENABLE([reduced-depends],
[AC_HELP_STRING([--enable-reduced-depends],
[AS_HELP_STRING([--enable-reduced-depends],
[Try to minimize shared library dependencies])],
[AS_IF([test x"$enableval" = xyes], [rra_reduced_depends=true])])])
dnl Determine the library path name.
dnl
dnl Red Hat systems and some other Linux systems use lib64 and lib32 rather
dnl than just lib in some circumstances. This file provides an Autoconf
dnl macro, RRA_SET_LDFLAGS, which given a variable, a prefix, and an optional
dnl suffix, adds -Lprefix/lib, -Lprefix/lib32, or -Lprefix/lib64 to the
dnl variable depending on which directories exist and the size of a long in
dnl the compilation environment. If a suffix is given, a slash and that
dnl suffix will be appended, to allow for adding a subdirectory of the library
dnl directory.
dnl
dnl This file also provides the Autoconf macro RRA_SET_LIBDIR, which sets the
dnl libdir variable to PREFIX/lib{,32,64} as appropriate.
dnl
dnl Written by Russ Allbery <rra@stanford.edu>
dnl Copyright 2008, 2009 Board of Trustees, Leland Stanford Jr. University
dnl
dnl See LICENSE for licensing terms.
dnl Probe for the alternate library name that we should attempt on this
dnl architecture, given the size of an int, and set rra_lib_arch_name to that
dnl name. Separated out so that it can be AC_REQUIRE'd and not run multiple
dnl times.
dnl
dnl There is an unfortunate abstraction violation here where we assume we know
dnl the cache variable name used by Autoconf. Unfortunately, Autoconf doesn't
dnl provide any other way of getting at that information in shell that I can
dnl see.
AC_DEFUN([_RRA_LIB_ARCH_NAME],
[rra_lib_arch_name=lib
AC_CHECK_SIZEOF([long])
AS_IF([test "$ac_cv_sizeof_long" -eq 4 && test -d /usr/lib32],
[rra_lib_arch_name=lib32],
[AS_IF([test "$ac_cv_sizeof_long" -eq 8 && test -d /usr/lib64],
[rra_lib_arch_name=lib64])])])
dnl Set VARIABLE to -LPREFIX/lib{,32,64} or -LPREFIX/lib{,32,64}/SUFFIX as
dnl appropriate.
AC_DEFUN([RRA_SET_LDFLAGS],
[AC_REQUIRE([_RRA_LIB_ARCH_NAME])
AS_IF([test -d "$2/$rra_lib_arch_name"],
[AS_IF([test x"$3" = x],
[$1="[$]$1 -L$2/${rra_lib_arch_name}"],
[$1="[$]$1 -L$2/${rra_lib_arch_name}/$3"])],
[AS_IF([test x"$3" = x],
[$1="[$]$1 -L$2/lib"],
[$1="[$]$1 -L$2/lib/$3"])])
$1=`echo "[$]$1" | sed -e 's/^ *//'`])
dnl Set libdir to PREFIX/lib{,32,64} as appropriate.
AC_DEFUN([RRA_SET_LIBDIR],
[AC_REQUIRE([_RRA_LIB_ARCH_NAME])
AS_IF([test -d "$1/$rra_lib_arch_name"],
[libdir="$1/${rra_lib_arch_name}"],
[libdir="$1/lib"])])
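Review bot: The comment above `_RRA_LIB_ARCH_NAME` says the name is chosen "given the size of an int", but the macro runs `AC_CHECK_SIZEOF([long])` and tests `$ac_cv_sizeof_long`; the file header already says "the size of a long". Suggest changing that comment line to `dnl architecture, given the size of a long, and set rra_lib_arch_name to that`. It would also help to state in the same comment that the choice is keyed on `/usr/lib32` or `/usr/lib64` existing on the build host, and that RRA_SET_LDFLAGS and RRA_SET_LIBDIR fall back to `lib` when the given prefix has no such directory.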
......@@ -13,14 +13,13 @@
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
/* Need to determine why this is deprecated. */
#define LDAP_DEPRECATED 1
#include <com_err.h>
#include <errno.h>
#include <krb5.h>
#include <ldap.h>
#include <syslog.h>
......@@ -48,6 +47,7 @@ get_creds(struct plugin_config *config, krb5_context ctx, krb5_ccache *cc,
krb5_principal princ;
krb5_get_init_creds_opt *opts;
krb5_error_code ret;
const char *realm;
ret = krb5_kt_resolve(ctx, config->ad_keytab, &kt);
if (ret != 0) {
......@@ -63,39 +63,23 @@ get_creds(struct plugin_config *config, krb5_context ctx, krb5_ccache *cc,
config->ad_principal);
return 1;
}
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
ret = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (ret != 0) {
pwupdate_set_error(errstr, errstrlen, ctx, ret,
"error allocating credential options");
return 1;
}
#else
opts = calloc(1, sizeof(krb5_get_init_creds_opt));
if (opts == NULL) {
pwupdate_set_error(errstr, errstrlen, ctx, errno,
"error allocating credential options");
return 1;
}
krb5_get_init_creds_opt_init(opts);
#endif
realm = krb5_principal_get_realm(ctx, princ);
krb5_get_init_creds_opt_set_default_flags(ctx, "k5start", realm, opts);
memset(&creds, 0, sizeof(creds));
ret = krb5_get_init_creds_keytab(ctx, &creds, princ, kt, 0, NULL, opts);
if (ret != 0) {
pwupdate_set_error(errstr, errstrlen, ctx, ret,
"unable to get initial credentials");
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt_free(ctx, opts);
#else
free(opts);
#endif
return 1;
}
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt_free(ctx, opts);
#else
free(opts);
#endif
ret = krb5_kt_close(ctx, kt);
if (ret != 0) {
pwupdate_set_error(errstr, errstrlen, ctx, ret,
......@@ -141,11 +125,7 @@ get_ad_principal(krb5_context ctx, const char *realm,
ret = krb5_copy_principal(ctx, principal, ad_principal);
if (ret != 0)
return ret;
#ifdef HAVE_KRB5_PRINCIPAL_SET_REALM
krb5_principal_set_realm(ctx, *ad_principal, realm);
#else
krb5_set_principal_realm(ctx, *ad_principal, realm);
#endif
return 0;
}
......@@ -221,11 +201,7 @@ pwupdate_ad_change(struct plugin_config *config, krb5_context ctx,
done:
if (target != NULL)
#ifdef HAVE_KRB5_XFREE
krb5_xfree(target);
#else
krb5_free_unparsed_name(ctx, target);
#endif
krb5_cc_destroy(ctx, ccache);
return code;
}
......
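Review bot: In get_ad_principal, the surviving call `krb5_principal_set_realm(ctx, *ad_principal, realm);` discards its result, although both the Heimdal function and the MIT `krb5_set_principal_realm` that portable/krb5.h maps it to return a `krb5_error_code` (each has to allocate the new realm). If the call fails, the function still returns 0 and the caller presumably proceeds to the Active Directory operation with a principal whose realm was not rewritten as intended. Suggest `ret = krb5_principal_set_realm(ctx, *ad_principal, realm);` followed by freeing `*ad_principal` and returning `ret` when it is non-zero. The start of get_ad_principal is outside the hunk, so how callers treat a non-zero return is not visible here.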
......@@ -19,23 +19,14 @@
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
#include <com_err.h>
#include <errno.h>
#include <krb5.h>
#include <syslog.h>
#include <plugin/internal.h>
/*
* The code below was written to the Heimdal API. Adjust to MIT Kerberos if
* necessary.
*/
#ifndef HAVE_KRB5_PRINCIPAL_GET_NUM_COMP
# define krb5_principal_get_num_comp(c, p) krb5_princ_size((c), (p))
#endif
/*
* Load a string option from Kerberos appdefaults, setting the default to NULL
......@@ -130,7 +121,7 @@ create_context(krb5_context *ctx, char *errstr, int errstrlen)
* otherwise.
*/
static int
instance_allowed(const char *allowed, const char *instance, size_t length)
instance_allowed(const char *allowed, const char *instance)
{
const char *p, *i, *end;
int checking, okay;
......@@ -138,7 +129,7 @@ instance_allowed(const char *allowed, const char *instance, size_t length)
if (allowed == NULL || instance == NULL)
return 0;
i = instance;
end = i + length;
end = i + strlen(instance);
checking = 1;
okay = 0;
for (p = allowed; *p != '\0'; p++) {
......@@ -179,20 +170,9 @@ principal_allowed(struct plugin_config *config, krb5_context ctx,
char *display;
krb5_error_code ret;
const char *instance;
size_t instlen;
#ifndef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
const krb5_data *instdata;
#endif
#ifdef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
instance = krb5_principal_get_comp_string(ctx, principal, 1);
instlen = strlen(instance);
#else
instdata = krb5_princ_component(ctx, principal, 1);
instance = instdata->data;
instlen = instdata->length;
#endif
if (ad && instance_allowed(config->ad_instances, instance, instlen))
if (ad && instance_allowed(config->ad_instances, instance))
return 1;
ret = krb5_unparse_name(ctx, principal, &display);
if (ret != 0)
......
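Review bot: `end = i + strlen(instance)` in instance_allowed now requires the instance component to be a NUL-terminated string, which the removed MIT branch did not assume: it passed `instdata->length`. On MIT the replacement `krb5_principal_get_comp_string` in portable/krb5.h is the raw `->data` of a `krb5_data`, a counted buffer, so strlen can read past the component if the library did not terminate it, and a component containing a NUL byte would be compared only up to that byte. Because this check decides which instances match `config->ad_instances`, the length should stay explicit: keep the `size_t length` parameter and have the compatibility layer expose the component length alongside the pointer. The same macro dereferences the result of `krb5_princ_component` without a NULL check, so confirm that code outside these hunks rejects principals with fewer than two components before principal_allowed runs. Both function bodies continue outside the hunks.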
......@@ -12,73 +12,16 @@
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
#include <krb5.h>
#if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT)
# if defined(HAVE_IBM_SVC_KRB5_SVC_H)
# include <ibm_svc/krb5_svc.h>
# elif defined(HAVE_ET_COM_ERR_H)
# include <et/com_err.h>
# else
# include <com_err.h>
# endif
#endif
#include <plugin/internal.h>
/*
* This string is returned for unknown error messages. We use a static
* variable so that we can be sure not to free it.
*/
static const char error_unknown[] = "unknown error";
/*
* Given a Kerberos error code, return the corresponding error. Prefer the
* Kerberos interface if available since it will provide context-specific
* error information, whereas the error_message() call will only provide a
* fixed message.
*/
static const char *
get_error(krb5_context ctx, krb5_error_code code)
{
const char *msg = NULL;
#if defined(HAVE_KRB5_GET_ERROR_MESSAGE)
msg = krb5_get_error_message(ctx, code);
#elif defined(HAVE_KRB5_GET_ERR_TEXT)
msg = krb5_get_err_text(ctx, code);
#elif defined(HAVE_KRB5_SVC_GET_MSG)
krb5_svc_get_msg(code, &msg);
#else
msg = error_message(code);
#endif
if (msg == NULL)
return error_unknown;
else
return msg;
}
/*
* Free an error string if necessary.
*/
static void
free_error(krb5_context ctx, const char *msg)
{
if (msg == error_unknown)
return;
#if defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
krb5_free_error_message(ctx, msg);
#elif defined(HAVE_KRB5_SVC_GET_MSG)
krb5_free_string((char *) msg);
#endif
}
/*
* Given an error buffer, its length, a Kerberos context, a Kerberos error,
* and a format string, write the resulting error string into the buffer and
* append the Kerberos error. This is the public interface called by the rest
* of the plugin.
* append the Kerberos error.
*/
void
pwupdate_set_error(char *buffer, size_t length, krb5_context ctx,
......@@ -93,8 +36,8 @@ pwupdate_set_error(char *buffer, size_t length, krb5_context ctx,
va_end(args);
if (used < 0 || (size_t) used >= length)
return;
message = get_error(ctx, code);
message = krb5_get_error_message(ctx, code);
if (message != NULL)
snprintf(buffer + used, length - used, ": %s", message);
free_error(ctx, message);
krb5_free_error_message(ctx, message);
}
......@@ -15,11 +15,11 @@
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
#include <dirent.h>
#include <fcntl.h>
#include <krb5.h>
#include <sys/file.h>
#include <time.h>
......
/*
* Portability glue functions for Kerberos.
*
* This file provides definitions of the interfaces that portable/krb5.h
* ensures exist if the function wasn't available in the Kerberos libraries.
* Everything in this file will be protected by #ifndef. If the native
* Kerberos libraries are fully capable, this file will be skipped.
*
* Written by Russ Allbery <rra@stanford.edu>
* This work is hereby placed in the public domain by its author.
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
#include <errno.h>
/* Figure out what header files to include for error reporting. */
#if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT)
# if !defined(HAVE_KRB5_GET_ERROR_STRING)
# if defined(HAVE_IBM_SVC_KRB5_SVC_H)
# include <ibm_svc/krb5_svc.h>
# elif defined(HAVE_ET_COM_ERR_H)
# include <et/com_err.h>
# else
# include <com_err.h>
# endif
# endif
#endif
/* Used for unused parameters to silence gcc warnings. */
#define UNUSED __attribute__((__unused__))
/*
* This string is returned for unknown error messages. We use a static
* variable so that we can be sure not to free it.
*/
static const char error_unknown[] = "unknown error";
#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
/*
* Given a Kerberos error code, return the corresponding error. Prefer the
* Kerberos interface if available since it will provide context-specific
* error information, whereas the error_message() call will only provide a
* fixed message.
*/
const char *
krb5_get_error_message(krb5_context ctx UNUSED, krb5_error_code code UNUSED)
{
const char *msg = NULL;
# if defined(HAVE_KRB5_GET_ERROR_STRING)
msg = krb5_get_error_string(ctx);
# elif defined(HAVE_KRB5_GET_ERR_TEXT)
msg = krb5_get_err_text(ctx, code);
# elif defined(HAVE_KRB5_SVC_GET_MSG)
krb5_svc_get_msg(code, (char **) &msg);
# else
msg = error_message(code);
# endif
if (msg == NULL)
return error_unknown;
else
return msg;
}
#endif /* !HAVE_KRB5_GET_ERROR_MESSAGE */
#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
/*
* Free an error string if necessary. If we returned a static string, make
* sure we don't free it.
*
* This code assumes that the set of implementations that have
* krb5_free_error_message is a subset of those with krb5_get_error_message.
* If this assumption ever breaks, we may call the wrong free function.
*/
static void
krb5_free_error_message(krb5_context ctx UNUSED, const char *msg)
{
if (msg == error_unknown)
return;
# if defined(HAVE_KRB5_GET_ERROR_STRING)
krb5_free_error_string(ctx, (char *) msg);
# elif defined(HAVE_KRB5_SVC_GET_MSG)
krb5_free_string(ctx, (char *) msg);
# endif
}
#endif /* !HAVE_KRB5_FREE_ERROR_MESSAGE */
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
/*
* Allocate and initialize a krb5_get_init_creds_opt struct. This code
* assumes that an all-zero bit pattern will create a NULL pointer.
*/
krb5_error_code
krb5_get_init_creds_opt_alloc(krb5_context ctx, krb5_get_init_creds_opt **opts)
{
*opts = calloc(1, sizeof(krb5_get_init_creds_opt));
if (*opts == NULL)
return errno;
krb5_get_init_creds_opt_init(*opts);
return 0;
}
#endif /* !HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */
#ifndef HAVE_KRB5_PRINCIPAL_GET_REALM
/*
* Return the realm of a principal as a const char *.
*/
const char *
krb5_principal_get_realm(krb5_context ctx UNUSED, krb5_const_principal princ)
{
const krb5_data *data;
data = krb5_princ_realm(ctx, princ);
if (data == NULL || data->data == NULL)
return NULL;
return data->data;
}
#endif /* !HAVE_KRB5_PRINCIPAL_GET_REALM */
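Review bot: The fallback `krb5_free_error_message` is defined `static void`, but portable/krb5.h declares it under the same `#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE` guard as a non-static `void krb5_free_error_message(krb5_context, const char *);`. A static definition following a non-static declaration is rejected by the compiler, and a file-local function could not be reached from plugin/error.c, which now calls it directly. Drop the `static` so the definition starts with plain `void`, matching `krb5_get_error_message` just above it. This only shows up on libraries that lack the native function, which is exactly the configuration the shim exists for.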
/*
* Portability wrapper around krb5.h.
*
* This header includes krb5.h and then adjusts for various portability
* issues, primarily between MIT Kerberos and Heimdal, so that code can be
* written to a consistent API.
*
* Unfortunately, due to the nature of the differences between MIT Kerberos
* and Heimdal, it's not possible to write code to either one of the APIs and
* adjust for the other one. In general, this header tries to make available
* the Heimdal API and fix it for MIT Kerberos, but there are places where MIT
* Kerberos requires a more specific call. For those cases, it provides the
* most specific interface.
*
* For example, MIT Kerberos has krb5_free_unparsed_name() whereas Heimdal
* prefers the generic krb5_xfree(). In this case, this header provides
* krb5_free_unparsed_name() for both APIs since it's the most specific call.
*
* Written by Russ Allbery <rra@stanford.edu>
* This work is hereby placed in the public domain by its author.
*/
#ifndef PORTABLE_KRB5_H
#define PORTABLE_KRB5_H 1
#include <config.h>
#include <portable/macros.h>
#include <krb5.h>
BEGIN_DECLS
/* Default to a hidden visibility for all portability functions. */
#pragma GCC visibility push(hidden)
/* Heimdal: krb5_xfree, MIT: krb5_free_unparsed_name. */
#ifdef HAVE_KRB5_XFREE
# define krb5_free_unparsed_name(c, p) krb5_xfree(p)
#endif
/*
* krb5_{get,free}_error_message are the preferred APIs for both current MIT
* and current Heimdal, but there are tons of older APIs we may have to fall
* back on for earlier versions.
*
* This function should be called immediately after the corresponding error
* without any intervening Kerberos calls. Otherwise, the correct error
* message and supporting information may not be returned.
*/
#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
const char *krb5_get_error_message(krb5_context, krb5_error_code);
#endif
#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
void krb5_free_error_message(krb5_context, const char *);
#endif
/*
* Both current MIT and current Heimdal prefer _opt_alloc, but older versions
* of both require allocating your own struct and calling _opt_init.
*/
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context,
krb5_get_init_creds_opt **);
#endif
/* Heimdal-specific. */
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
#define krb5_get_init_creds_opt_set_default_flags(c, p, r, o) /* empty */
#endif
/*
* Heimdal provides a nice function that just returns a const char *. On MIT,
* there's an accessor macro that returns the krb5_data pointer, wihch
* requires more work to get at the underlying char *.
*/
#ifndef HAVE_KRB5_PRINCIPAL_GET_REALM
const char *krb5_principal_get_realm(krb5_context, krb5_const_principal);
#endif
/*
* Adjust for other MIT versus Heimdal differences for principal data
* extraction and manipulation. The krb5_principal_* functions are all
* Heimdal and the other interfaces are MIT.
*
* Some versions of Heimdal don't export krb5_principal_get_num_comp from
* libkrb5. In that case, just look in the data structure.
*/
#ifndef HAVE_KRB5_PRINCIPAL_SET_REALM
# define krb5_principal_set_realm(c, p, r) \
krb5_set_principal_realm((c), (p), (r))
#endif
#ifndef HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
# define krb5_principal_get_comp_string(c, p, n) \
((krb5_princ_component((c), (p), (n)))->data)
#endif
#ifndef HAVE_KRB5_PRINCIPAL_GET_NUM_COMP
# if defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
# define krb5_principal_get_num_comp(c, p) krb5_princ_size((c), (p))
# else
# define krb5_principal_get_num_comp(c, p) ((p)->name.name_string.len)
# endif
#endif
/* Undo default visibility change. */
#pragma GCC visibility pop
#endif /* !PORTABLE_KRB5_H */
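Review bot: The header supplies `krb5_get_init_creds_opt_alloc` for libraries that lack it but no matching `krb5_get_init_creds_opt_free`, while plugin/ad.c in this commit now calls `krb5_get_init_creds_opt_free(ctx, opts)` unconditionally where it used to call `free(opts)` in the non-alloc case. On such a library the struct comes from `calloc` in portable/krb5-extra.c and nothing shown on this page releases it, so that configuration would presumably fail to build or link. Suggest adding `# define krb5_get_init_creds_opt_free(c, o) free(o)` inside the existing `#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC` block, next to the alloc prototype, unless a probe not visible here already covers it.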
......@@ -16,11 +16,10 @@
*/
#include <config.h>
#include <portable/krb5.h>
#include <portable/system.h>
#include <com_err.h>
#include <errno.h>
#include <krb5.h>
#include <syslog.h>
#include <plugin/internal.h>
......@@ -246,7 +245,7 @@ main(int argc, char *argv[])
ret = krb5_init_context(&ctx);
if (ret != 0) {
fprintf(stderr, "Cannot initialize Kerberos context: %s\n",
error_message(ret));
krb5_get_error_message(ctx, ret));
exit(1);
}
......@@ -263,7 +262,7 @@ main(int argc, char *argv[])
ret = krb5_parse_name(ctx, user, &principal);
if (ret != 0) {
fprintf(stderr, "Cannot parse user %s into principal: %s", user,
error_message(ret));
krb5_get_error_message(ctx, ret));
exit(1);
}
if (password != NULL)
......
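Review bot: The first `krb5_get_error_message(ctx, ret)` runs on the branch where `krb5_init_context(&ctx)` has just failed, so `ctx` is not a valid context at that point; whether it is NULL or indeterminate depends on the library and on how `ctx` is declared outside the hunk. The removed `error_message(ret)` needed no context, whereas the fallback in portable/krb5-extra.c hands `ctx` straight to `krb5_get_error_string` or `krb5_get_err_text`. Suggest reporting this one failure without a context, for example `fprintf(stderr, "Cannot initialize Kerberos context: error %ld\n", (long) ret);`, and keeping `krb5_get_error_message` for the later `krb5_parse_name` failure. main starts and ends outside both hunks.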