Accepting request 226292 from home:bmanojlovic:branches:server:proxy

- added patch to force kerberos principalname handling ( http://bugs.squid-cache.org/show_bug.cgi?id=4042 ) OBS-URL: https://build.opensuse.org/request/show/226292 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=53
2014-03-16 13:39:08 +00:00 · 2014-03-16 13:39:08 +00:00 · e331af6a50
commit e331af6a50
parent b16b6d18da
3 changed files with 116 additions and 0 deletions
--- a/squid-3.4.2-brokenad.patch
+++ b/squid-3.4.2-brokenad.patch
@ -0,0 +1,106 @@
+Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig	2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc	2014-03-15 00:41:12.581050607 +0100
+@@ -52,7 +52,7 @@ krb5_cleanup()
+  * create Kerberos memory cache
+  */
+ int
+-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
+ {
+ 
+     krb5_keytab keytab = 0;
+@@ -130,8 +130,17 @@ krb5_create_cache(char *domain)
+             if (code) {
+                 error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+             } else {
+-                debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+-                found = 1;
+		if (margs->brokenad == 1) {
+                    if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
+                        debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+                    } else {
+                        debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+                        found = 1;
+                    }
+                } else {
+                    debug((char *) "%s| %s: DEBUG: Found principal  name: %s\n", LogTime(), PROGRAM, principal_name);
+                    found = 1;
+                }
+             }
+         }
+ #if defined(HAVE_HEIMDAL_KERBEROS) || ( defined(HAVE_KRB5_KT_FREE_ENTRY) && HAVE_DECL_KRB5_KT_FREE_ENTRY==1)
+Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig	2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc	2014-03-15 00:39:14.653271451 +0100
+@@ -57,6 +57,7 @@ init_args(struct main_args *margs)
+     margs->rc_allow = 0;
+     margs->AD = 0;
+     margs->mdepth = 5;
+    margs->brokenad = 0;
+     margs->ddomain = NULL;
+     margs->groups = NULL;
+     margs->ndoms = NULL;
+@@ -176,7 +177,7 @@ main(int argc, char *const argv[])
+ 
+     init_args(&margs);
+ 
+-    while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+    while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+         switch (opt) {
+         case 'd':
+             debug_enabled = 1;
+@@ -228,6 +229,9 @@ main(int argc, char *const argv[])
+         case 'S':
+             margs.llist = xstrdup(optarg);
+             break;
+        case 'x':
+            margs.brokenad = 1;
+            break;
+         case 'h':
+             fprintf(stderr, "Usage: \n");
+             fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
+@@ -244,6 +248,7 @@ main(int argc, char *const argv[])
+             fprintf(stderr, "-l ldap url\n");
+             fprintf(stderr, "-b ldap bind path\n");
+             fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+            fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
+             fprintf(stderr, "-a allow SSL without cert verification\n");
+             fprintf(stderr, "-m maximal depth for recursive searches\n");
+             fprintf(stderr, "-h help\n");
+Index: helpers/external_acl/kerberos_ldap_group/support.h
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support.h.orig	2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support.h	2014-03-15 00:08:50.918686771 +0100
+@@ -97,6 +97,7 @@ struct main_args {
+     int rc_allow;
+     int AD;
+     int mdepth;
+    int brokenad;
+     char *ddomain;
+     struct gdstruct *groups;
+     struct ndstruct *ndoms;
+@@ -156,7 +157,7 @@ int create_nd(struct main_args *margs);
+ int create_ls(struct main_args *margs);
+ 
+ #ifdef HAVE_KRB5
+-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
+ void krb5_cleanup(void);
+ #endif
+ 
+Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
+===================================================================
+--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig	2013-12-30 12:33:27.000000000 +0100
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc	2014-03-15 00:14:51.423011652 +0100
+@@ -801,7 +801,7 @@ get_memberof(struct main_args *margs, ch
+         debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
+ 
+ #ifdef HAVE_KRB5
+-        kc = krb5_create_cache(domain);
+        kc = krb5_create_cache(margs,domain);
+         if (kc) {
+             error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
+         }
--- a/squid.changes
+++ b/squid.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Mar 16 08:54:50 UTC 2014 - boris@steki.net
+
+- added patch to force kerberos principalname handling
+  ( http://bugs.squid-cache.org/show_bug.cgi?id=4042 ) 
+
 -------------------------------------------------------------------
 Sat Mar 15 12:11:30 UTC 2014 - chris@computersalat.de

--- a/squid.spec
+++ b/squid.spec
@ -60,6 +60,8 @@ Patch101:       %{name}-nobuilddates.patch
 ## File is compiled without RPM_OPT_FLAGS
 # squid3 no-rpm-opt-flags <cmdline>:./cf_gen.cc
 Patch102:       %{name}-compiled_without_RPM_OPT_FLAGS.patch
+# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
+Patch103:       squid-3.4.2-brokenad.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         %fillup_prereq
 PreReq:         %insserv_prereq
@ -136,6 +138,7 @@ perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
 chmod a-x CREDITS
 %patch101
 %patch102
+%patch103

 %build
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
@ -219,6 +222,7 @@ mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name}
 install -d -m 755 doc/contrib
 install %{SOURCE6} doc/contrib
 install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name}
+install -D -m 644 ./helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 %{buildroot}%{_mandir}/man8/ext_kerberos_ldap_group_acl.8

 rm -rf %{buildroot}%{squidconfdir}/errors
 for i in errors/*; do