components/krb5/patches/031-kinit-support.patch
changeset 5490 9bf0bc57423a
child 6599 1d033832c5e7
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/031-kinit-support.patch	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,151 @@
+#
+# This patch is to provide additional Solaris krb5.conf parameter support 
+# for kinit command:
+#
+#	forwardable = [true | false]
+#	proxiable = [true | false]
+#	renewable = [true | false]
+#	noaddresses = [true | false]
+#
+# Confirmed with MIT dev team. They won't accept this patch as enhancement.
+# We will maintain it as patch.
+# Patch source: in-house
+#
+--- ORIGINAL/src/clients/kinit/kinit.c	2015-04-30 13:46:57.411641188 -0700
++++ MODIFIED/src/clients/kinit/kinit.c	2015-05-12 11:22:49.905473473 -0700
+@@ -36,6 +36,7 @@
+ #include <errno.h>
+ #include <com_err.h>
+ #include <kerberosv5/private/ktwarn.h>
++#include "../../lib/krb5/prof_solaris.h"
+ 
+ #ifdef GETOPT_LONG
+ #include <getopt.h>
+@@ -135,6 +136,34 @@ struct k_opts
+     int enterprise;
+ };
+ 
++int	forwardable_flag = 0;
++int	renewable_flag = 0;
++int	proxiable_flag = 0;
++int	no_address_flag = 0;
++profile_options_boolean	config_option[] = {
++	{ "forwardable",	&forwardable_flag,	0 },
++	{ "renewable",		&renewable_flag,	0 },
++	{ "proxiable",		&proxiable_flag,	0 },
++	{ "no_addresses",	&no_address_flag,	0 },
++	{ NULL,			NULL,			0 }
++};
++
++char	*renew_timeval=NULL;
++char	*life_timeval=NULL;
++int	lifetime_specified;
++int	renewtime_specified;
++
++profile_option_strings	config_times[] = {
++	{ "ticket_lifetime",	&life_timeval,	0 },
++	{ "renew_lifetime",	&renew_timeval,	0 },
++	{ NULL,			NULL,		0 }
++};
++
++char	*realmdef[] = { "realms", NULL, "kinit", NULL };
++char	*appdef[] = { "appdefaults", "kinit", NULL };
++
++#define	krb_realm		(*(realmdef + 1))
++
+ struct k5_data
+ {
+     krb5_context ctx;
+@@ -720,6 +749,8 @@ k5_kinit(opts, k5)
+     krb5_error_code code = 0;
+     krb5_get_init_creds_opt *options = NULL;
+     int i;
++    krb5_timestamp now;
++    krb5_deltat lifetime = 0, rlife = 0, krb5_max_duration;
+ 
+     memset(&my_creds, 0, sizeof(my_creds));
+ 
+@@ -728,6 +759,83 @@ k5_kinit(opts, k5)
+         goto cleanup;
+ 
+     /*
++     * If either tkt life or renew life weren't set earlier take common steps to
++     * get the krb5.conf parameter values.
++     * Also, check krb5.conf for proxiable/forwardable/renewable/no_address
++     * parameter values.
++     */
++    if ((code = krb5_timeofday(k5->ctx, &now))) {
++        com_err(progname, code, gettext("while getting time of day"));
++        exit(1);
++    }
++    krb5_max_duration = KRB5_KDB_EXPIRATION - now - 60*60;
++
++    if (opts->lifetime == 0 || opts->rlife == 0) {
++
++	krb_realm = krb5_princ_realm(k5->ctx, k5->me)->data;
++	/* realm params take precedence */
++	profile_get_options_string(k5->ctx->profile, realmdef, config_times);
++	profile_get_options_string(k5->ctx->profile, appdef, config_times);
++
++	/* if the input opts doesn't have lifetime set and the krb5.conf
++	 * parameter has been set, use that.
++	 */
++	if (opts->lifetime == 0 && life_timeval != NULL) {
++	    code = krb5_string_to_deltat(life_timeval, &lifetime);
++	    if (code != 0 || lifetime == 0 || lifetime > krb5_max_duration) {
++		fprintf(stderr, gettext("Bad max_life "
++			    "value in Kerberos config file %s\n"),
++			life_timeval);
++		exit(1);
++	    }
++	    opts->lifetime = lifetime;
++	}
++	if (opts->rlife == 0 && renew_timeval != NULL) {
++	    code = krb5_string_to_deltat(renew_timeval, &rlife);
++	    if (code != 0 || rlife == 0 || rlife > krb5_max_duration) {
++		fprintf(stderr, gettext("Bad max_renewable_life "
++			    "value in Kerberos config file %s\n"),
++			renew_timeval);
++		exit(1);
++	    }
++	    opts->rlife = rlife;
++	}
++    }
++
++    /*
++     * If lifetime is not set on the cmdline or in the krb5.conf
++     * file, default to max.
++     */
++    if (opts->lifetime == 0)
++        opts->lifetime = krb5_max_duration;
++
++
++    profile_get_options_boolean(k5->ctx->profile, 
++				realmdef, config_option); 
++    profile_get_options_boolean(k5->ctx->profile, 
++				appdef, config_option); 
++
++
++    /* cmdline opts take precedence over krb5.conf file values */
++    if (!opts->not_proxiable && proxiable_flag) {
++        krb5_get_init_creds_opt_set_proxiable(options, 1);
++    }
++    if (!opts->not_forwardable && forwardable_flag) {
++        krb5_get_init_creds_opt_set_forwardable(options, 1);
++    }
++    if (renewable_flag) {
++        /*
++         * If this flag is set in krb5.conf, but rlife is 0, then
++         * set it to the max (and let the KDC sort it out).
++         */
++        opts->rlife = opts->rlife ? opts->rlife : krb5_max_duration;
++    }
++    if (no_address_flag) {
++        /* cmdline opts will overwrite this below if needbe */
++        krb5_get_init_creds_opt_set_address_list(options, NULL);
++    }
++
++    /*
+       From this point on, we can goto cleanup because my_creds is
+       initialized.
+     */
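Review bot: The fallback `if (opts->lifetime == 0) opts->lifetime = krb5_max_duration;` in the k5_kinit hunk makes a kinit run with no command-line lifetime and no kinit-specific `ticket_lifetime` request a ticket valid until about an hour before KRB5_KDB_EXPIRATION. How long the TGT really lives then depends entirely on the KDC's policy cap. I would drop that fallback and leave `opts->lifetime` at 0 so the library default applies (the code that consumes `opts->lifetime` is outside the hunk, so this is presumed), or at least document the dependency with a comment such as `/* requests the maximum; the KDC max_life policy is the only bound */`. Separately, `krb5_max_duration = KRB5_KDB_EXPIRATION - now - 60*60;` is never checked for being positive, although it serves as both the default and the upper bound in the `lifetime > krb5_max_duration` tests; a guard such as `if (krb5_max_duration <= 0) krb5_max_duration = 0;`, leaving the lifetimes unset in that case, would make the behaviour near that date explicit. On documentation, the two error messages name `max_life` and `max_renewable_life` while the keys actually read are `ticket_lifetime` and `renew_lifetime`, and the patch header lists `noaddresses` while the table entry is `"no_addresses"`; an administrator following either will edit the wrong key.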