--- /dev/null
+# ChangeLog for www-apache/mod_auth_kerb
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/ChangeLog,v 1.20 2015/05/23 12:42:05 pacho Exp $
+
+ 23 May 2015; Pacho Ramos <pacho@gentoo.org>
+ -files/mod_auth_kerb-5.4-s4u2proxy-r1.patch,
+ -files/mod_auth_kerb-5.4-s4u2proxy-r2.patch:
+ drop old
+
+ 17 May 2015; Pacho Ramos <pacho@gentoo.org>
+ +files/mod_auth_kerb-5.4-s4u2proxy-r3.patch, mod_auth_kerb-5.4-r2.ebuild:
+ Try to commit the patch properly
+
+ 14 May 2015; Michael Sterrett <mr_bones_@gentoo.org>
+ -mod_auth_kerb-5.4-r1.ebuild:
+ old
+
+*mod_auth_kerb-5.4-r2 (08 May 2015)
+
+ 08 May 2015; Pacho Ramos <pacho@gentoo.org>
+ +files/mod_auth_kerb-5.4-handle-continue.patch,
+ +files/mod_auth_kerb-5.4-longuser.patch,
+ +files/mod_auth_kerb-5.4-s4u2proxy-r2.patch, +mod_auth_kerb-5.4-r2.ebuild:
+ Apply more Fedora patches with fixes, update s4u2proxy patch to support
+ heimdal (#454816 by Spooky Ghost), tmpfiles.d needed (#470942 by Azamat H.
+ Hackimov)
+
+ 17 Dec 2014; Pacho Ramos <pacho@gentoo.org> -mod_auth_kerb-5.4.ebuild,
+ mod_auth_kerb-5.4-r1.ebuild:
+ Fix dependency as this if for all apache2 versions, drop old
+
+ 10 Aug 2014; Sergei Trofimovich <slyfox@gentoo.org> mod_auth_kerb-5.3.ebuild,
+ mod_auth_kerb-5.4-r1.ebuild, mod_auth_kerb-5.4.ebuild:
+ QA: drop trailing '.' from DESCRIPTION
+
+ 15 Jan 2013; Pacho Ramos <pacho@gentoo.org>
+ +files/mod_auth_kerb-5.4-s4u2proxy-r1.patch, mod_auth_kerb-5.4-r1.ebuild:
+ Try to fix the same problem again (#452186 by Thomas Beinicke)
+
+ 11 Jan 2013; Pacho Ramos <pacho@gentoo.org>
+ files/mod_auth_kerb-5.4-s4u2proxy.patch:
+ Commit patch properly to prevent CVS keywords to be modified (#327445#c15 by
+ Zac Medico)
+
+*mod_auth_kerb-5.4-r1 (03 Jan 2013)
+
+ 03 Jan 2013; Pacho Ramos <pacho@gentoo.org>
+ +files/mod_auth_kerb-5.4-cachedir.patch,
+ +files/mod_auth_kerb-5.4-delegation.patch,
+ +files/mod_auth_kerb-5.4-fixes.patch, +files/mod_auth_kerb-5.4-httpd24.patch,
+ +files/mod_auth_kerb-5.4-rcopshack.patch,
+ +files/mod_auth_kerb-5.4-s4u2proxy.patch, +mod_auth_kerb-5.4-r1.ebuild:
+ Include Fedora patches to fix a lot of bugs and add compat with apache-2.4
+
+ 09 Dec 2012; Ulrich Müller <ulm@gentoo.org> mod_auth_kerb-5.3.ebuild,
+ mod_auth_kerb-5.4.ebuild:
+ Fix LICENSE, see LICENSE file.
+
+ 27 Nov 2012; Pacho Ramos <pacho@gentoo.org> metadata.xml:
+ Drop apache herd as discussed in http://www.gossamer-
+ threads.com/lists/gentoo/dev/262834
+
+ 16 Oct 2012; Patrick Lauer <patrick@gentoo.org> mod_auth_kerb-5.3.ebuild,
+ mod_auth_kerb-5.4.ebuild:
+ Restricting to apache 2.2, #438154
+
+*mod_auth_kerb-5.4 (17 Sep 2009)
+
+ 17 Sep 2009; Benedikt Böhm <hollow@gentoo.org> +mod_auth_kerb-5.4.ebuild:
+ version bump wrt #285259 & #269791
+
+ 29 Aug 2008; Benedikt Böhm <hollow@gentoo.org> mod_auth_kerb-5.3.ebuild:
+ add ~amd64 wrt #231474
+
+ 31 Jan 2008; Benedikt Böhm <hollow@gentoo.org>
+ files/11_mod_auth_kerb.conf, mod_auth_kerb-5.3.ebuild:
+ fix depend.apache usage wrt #208033
+
+ 27 Jan 2008; Benedikt Böhm <hollow@gentoo.org> ChangeLog, Manifest:
+ fix metadata; cleanup
+
+ 21 Sep 2007; Benedikt Böhm <hollow@gentoo.org> mod_auth_kerb-5.3.ebuild:
+ remove apache-1 cruft
+
+ 29 Jul 2007; Christian Heim <phreak@gentoo.org>
+ +files/11_mod_auth_kerb.conf, +metadata.xml, +mod_auth_kerb-5.3.ebuild:
+ Moving net-www/mod_auth_kerb to www-apache/mod_auth_kerb (#81244).
+
+ 15 Jan 2007; Luca Longinotti <chtekk@gentoo.org>
+ -files/mod_auth_kerb-5.0-CVE-2006-5989.patch,
+ -files/mod_auth_kerb-5.0-axps1.patch,
+ -files/mod_auth_kerb-5.0-cache.patch,
+ -files/mod_auth_kerb-5.0-exports.patch,
+ -files/mod_auth_kerb-5.0-gcc4.patch, metadata.xml,
+ -mod_auth_kerb-5.0_rc6.ebuild, -mod_auth_kerb-5.0_rc6-r1.ebuild,
+ -mod_auth_kerb-5.0_rc7.ebuild, -mod_auth_kerb-5.0_rc7-r1.ebuild,
+ mod_auth_kerb-5.3.ebuild:
+ Cleanup.
+
+ 15 Jan 2007; Torsten Veller <tove@gentoo.org> mod_auth_kerb-5.3.ebuild:
+ Marked stable on x86 for Ticho (#155782)
+
+ 14 Jan 2007; Christian Heim <phreak@gentoo.org>
+ mod_auth_kerb-5.0_rc7-r1.ebuild:
+ Also removing the exports patch from 5.0rc7-r1, breaks the compilation
+ (thanks to Ticho for reporting).
+
+ 13 Jan 2007; Christian Heim <phreak@gentoo.org>
+ mod_auth_kerb-5.0_rc7-r1.ebuild:
+ Removing mod_auth_kerb-5.0-cache.patch and mod_auth_kerb-5.0-axps1.patch
+ from the patchlist for mod_auth_kerb-5.0-rc7-r1 (thanks to Andrej Kacian for
+ reporting it), as UPSTREAM already included these fixes.
+
+ 10 Jan 2007; Christian Heim <phreak@gentoo.org>
+ mod_auth_kerb-5.0_rc6-r1.ebuild, mod_auth_kerb-5.0_rc7-r1.ebuild:
+ Making mod_auth_kerb-5.0-axps1.patch, mod_auth_kerb-5.0-cache.patch and
+ mod_auth_kerb-5.0-exports.patch conditional on USE=apache2, allowing
+ mod_auth_kerb to still work and compile w/ =net-www/apache-1.3*.
+
+*mod_auth_kerb-5.0_rc7-r1 (10 Jan 2007)
+*mod_auth_kerb-5.0_rc6-r1 (10 Jan 2007)
+
+ 10 Jan 2007; Christian Heim <phreak@gentoo.org>
+ +files/mod_auth_kerb-5.0-CVE-2006-5989.patch,
+ +files/mod_auth_kerb-5.0-axps1.patch,
+ +files/mod_auth_kerb-5.0-cache.patch,
+ +files/mod_auth_kerb-5.0-exports.patch,
+ +files/mod_auth_kerb-5.0-gcc4.patch, +mod_auth_kerb-5.0_rc6-r1.ebuild,
+ +mod_auth_kerb-5.0_rc7-r1.ebuild:
+ Revision bump for bug 155782 (CVE-2006-5989), also fixing compilation with
+ gcc4.
+
+*mod_auth_kerb-5.3 (07 Jan 2007)
+
+ 07 Jan 2007; Bryan Østergaard <kloeri@gentoo.org>
+ +mod_auth_kerb-5.3.ebuild:
+ Version bump, fixes bug 148158.
+
+ 05 Jun 2006; Luca Longinotti <chtekk@gentoo.org>
+ -files/4.11-r1/11_mod_auth_kerb.conf, files/11_mod_auth_kerb.conf,
+ -files/mod_auth_kerb_register.patch, metadata.xml,
+ mod_auth_kerb-5.0_rc6.ebuild, mod_auth_kerb-5.0_rc7.ebuild:
+ Cleanup and fix bug #103889.
+
+ 04 Jun 2006; Michael Stewart <vericgar@gentoo.org>
+ -mod_auth_kerb-4.11.ebuild, -mod_auth_kerb-4.11-r1.ebuild:
+ Remove old-style ebuilds
+
+ 13 May 2006; Mark Loeser <halcy0n@gentoo.org>
+ mod_auth_kerb-5.0_rc6.ebuild:
+ Stable on x86; bug #128189
+
+ 27 Apr 2006; Alec Warner <antarus@gentoo.org>
+ files/digest-mod_auth_kerb-4.11, files/digest-mod_auth_kerb-4.11-r1,
+ files/digest-mod_auth_kerb-5.0_rc6, Manifest:
+ Fixing SHA256 digest, pass four
+
+*mod_auth_kerb-5.0_rc7 (18 Apr 2006)
+
+ 18 Apr 2006; Michael Stewart <vericgar@gentoo.org>
+ +mod_auth_kerb-5.0_rc7.ebuild:
+ Version bump
+
+ 04 Mar 2005; Benedikt Boehm <hollow@gentoo.org>
+ files/4.11-r1/11_mod_auth_kerb.conf:
+ added default module config
+
+ 17 Feb 2005; Benedikt Boehm <hollow@gentoo.org>
+ mod_auth_kerb-5.0_rc6.ebuild:
+ added apache 1.3 support + clean up
+
+*mod_auth_kerb-5.0_rc6 (30 Jan 2005)
+
+ 30 Jan 2005; Benedikt Boehm <hollow@gentoo.org>
+ files/4.11-r1/11_mod_auth_kerb.conf, +mod_auth_kerb-5.0_rc6.ebuild:
+ Bump to 5.0_rc6. Uses new apache.module.eclass
+
+*mod_auth_kerb-4.11-r1 (09 Jan 2005)
+
+ 09 Jan 2005; Benedikt Boehm <hollow@gentoo.org> metadata.xml,
+ +files/4.11-r1/11_mod_auth_kerb.conf, +mod_auth_kerb-4.11-r1.ebuild:
+ Apache herd package refresh
+
+ 20 Jun 2004; Chuck Short <zul@gentoo.org> mod_auth_kerb-4.11.ebuild:
+ Ebuild cleanups.
+
+ 04 Apr 2004; Chuck Short <zul@gentoo.org> mod_auth_kerb-4.11.ebuild:
+ Added metadata.xml.
+
+*mod_auth_kerb-4.11 (28 Nov 2002)
+
+ 28 Nov 2002; Donny Davies <woodchip@gentoo.org> :
+ Initial import; created by me.
--- /dev/null
+AUX 11_mod_auth_kerb.conf 338 SHA256 6e07afc54b27fe6947bfdf32ac55d01f9df3deba1015078ac98a52381eabdb62 SHA512 82ea692ed8189bb3255347d5d7829f84c8b3edc66e9d99c974f9c8ed56227a60b8925eee11f027fbd694ef1be8d09ff3f4b92e96cd68a77cea84e6e237048c53 WHIRLPOOL d778c16f29ee4e9b0ffba179f2d8a171e0064469f96e605fa1097157695ea6ba957f58af87bf572ce087b38b2628a69f4f42741e2bd6d6f104538c19ca95459d
+AUX mod_auth_kerb-5.4-cachedir.patch 608 SHA256 570c9144c442ee6ef5e7cb6f6f0e7aa645fceb0693e53aa91274ac6bf397f10c SHA512 8dbb61a84fa7fb76787f71de9c70f4d41b0dd1245eff594131f1569a64331ea3bcb055d0dba178eeee71e2a125fae649561009a43b9f81c1eac08eb912dd4400 WHIRLPOOL b45bdc2f9b347356d1299ab453c37bea01865c94b7a7aac7eb93ee495ee286d0777cbd8351b1c7c8b491f4746c8d1bf783fe832b9698f2394df83454bdb9c0d2
+AUX mod_auth_kerb-5.4-delegation.patch 2589 SHA256 1c4625e1de2904957ac156df220d8d6898d89cdc4712772bd02e564673bb87b9 SHA512 c0193da69cc5a77bf4099f45e981a97af1ce1f4ca2d989aa18421aff285e9ac5693422d3755f15157cb2161af49960a6c16d773a2a60f1dcca30a73703422b7f WHIRLPOOL 5182f41e05cce675bb2aeae85ba76c4128f620067a34291fed450112cc4cf77c2635359ef18a6d6f501aa92b40d265d480fd2ea4a25207049277af2354478d7d
+AUX mod_auth_kerb-5.4-fixes.patch 1098 SHA256 1f9a21ff56473783c27cf69d78bb0618768447c71749522e39ba83c727c81335 SHA512 4881deb0accbd1ebff88a210036f2c66d443625727580ca25a8a403a96a8fa39edc2a01769584a474d1a1dbf028438a754319c3e318b2bef9114db754d542112 WHIRLPOOL 3685d3934e3a5032fafc5acae83f5574e6f493530f5d4a5c95cb8e982d6c5a1f7dc2bed0b5a6ec9004dc903c43fa80d7ee88bd60cbd5564481b80db7cd7902b1
+AUX mod_auth_kerb-5.4-handle-continue.patch 735 SHA256 24d1cc7f12be73a3f99f3943ac7171d9a87d1bb959a3d7f225e9f92109f7964d SHA512 583a10d7790987e50a9ac7c602466007f38469b38f7d3da8761c342c8ba900a18b4ff800cd2b4e82bfdb3927f14fbf09c0684b315f08e4b9604068d8a29442d8 WHIRLPOOL 86401b48be24fdd06c10ffe8bc28f74888219002b26b7919622864c0a53141e48d7db59dc7ed980dfee9290a28c2cafbe83ecfc8e05854ce967f93dcd0a54a98
+AUX mod_auth_kerb-5.4-httpd24.patch 2622 SHA256 b98c3a8720fac455f1cf78d1bf4219aef0bc49ce269d79de783db6401bed2668 SHA512 739ffc704286630af557487f93f9cbb0786ab62401fcf20b0d22dcc991388a0691bb94422f80db9fa85bfe926b28bbf96dcb5149e48118f978a38aff52856bf7 WHIRLPOOL 6c8fafa301d041b7d7816122511df9243a6f5bb947c219d35618eafcbedffb576fdff7f4a368f6ecd27eae1222f3449731baee44caa9b46757f5e0b074a16ffa
+AUX mod_auth_kerb-5.4-longuser.patch 1007 SHA256 3de2bdab5980381ba8a65f4f04931edddf1ff35f345a30ea65383a7368e01f8b SHA512 0ffd82fddb6bd9eff466c7a11f5221c5006814e8ca99aef1de48dae4537ce0d11c718506d84be572f116e74d10bb9031021ddc17a65bfc86e42edbaf77063617 WHIRLPOOL 307cef9246fe5ecdf62730898798e1af4beb2f55ff5d27017562d8f53398233cc66b9f035fa3281e47702ae2bd9ea967d28f2f71274a2a60565417c5721599c3
+AUX mod_auth_kerb-5.4-rcopshack.patch 2244 SHA256 813ad49f9c0aa8495e716a7ed902bfcef4282cb10793112ad0e92b667620e33c SHA512 4da4e51baec036fdf035ee6f215453129b4b93a7733887834c08c0c5a7610ebe8e0981ad34a5cd5ed86af58c926bd65417fe09f64ce42d56b41e5051b96f6ca5 WHIRLPOOL 18ee97dc4bab314b1943778c74c660878a8477520e5cad69e78d0e2b2c39076254cd81973987e42ee1ed8b113dcee4949b81de0976f7e4d025e29753cd952b3a
+AUX mod_auth_kerb-5.4-s4u2proxy-r3.patch 21037 SHA256 a659c054aa3739a28d21369a63921408219b434f7291d5a0806e8919ad8be4d7 SHA512 85e39f8b843bdcc10530c5eda26d24c00574235fbe9f04915c9c6273aac13b97a5729c791a9603e4f77d83801933cbb0d22aa6b2a3caf7f9cc91e46bf6530d2c WHIRLPOOL 0049d338a4381fdaa0903f3fece61e5dbd36c7f14bb2b5eec0c46e06b0d0b7f43a352c72972cc658e73d4c1c400f55853713c402af98ab91e4561fc2448959d7
+AUX mod_auth_kerb-5.4-s4u2proxy.patch 20358 SHA256 0ced12b7cb97302118d3f991e241237ec6df5d146bb6b3f479c12890b3fc8bef SHA512 a105463b277a73460fb820973d78f44d5f88961b92317a4bab13b357b8dbf5560afa4e6263b9c66ff69d1d3bf03356d3e56806b437ae6a6d8002a3549a8544e5 WHIRLPOOL f90032ae76c0e6ce4019cffc62ed26c833b6063af79e16ea989317daab7d8b8673a1660a3e27cdb5b99e83a3fc62e91d7174c5adec895bf6dc68c098594c20fa
+DIST mod_auth_kerb-5.4.tar.gz 93033 SHA256 690ddd66c6d941e2fa2dada46588329a6f57d0a3b9b2fd9bf055ebc427558265 SHA512 93fdf0e43af1c24e8c8204d09240b708747068ef99dd8d21b45cb4d132d31e6d582d49ea5e23b905f55cb0d4a20b1ecb58de1bcbfdad1d016e536fc622b63214 WHIRLPOOL 1b92217b7cf66d731a72cf9d58f188002ccadd75fc3d9075290347e6b4f1511111d3cff147fab73616951cbdb9430e8038adf5c4e204d374886bec3be69ff51c
+EBUILD mod_auth_kerb-5.4-r3.ebuild 1232 SHA256 c55cd33c12f061ba7a4ff38df994dcb9875a9e95218656e3d40d3177806fc582 SHA512 c1dd265482a899b431bc10a7710965ed133637a21ee3a3d1992bab5faa0a8f83f5371320e3ec4c7eb1d5151ba48bfa4e45eed5cf3fb6110bf5baba299d0ac096 WHIRLPOOL cb957ae085b0fd135f24a6098e04eb4f4c17d50f61b557724ee24c04196e558dbdea7d162ebf9efc10c3e611c95ea34b666dcb9f35d150913c8ecce61e4440fc
+MISC ChangeLog 7283 SHA256 07e37f53346ceab20aaaa448dca9cac13e9daa94c6d31e2a600e45d423ad4dbb SHA512 d813e61c84d9dcf1cc7e4f832d3624d0d4951a12fbf17770b431654063d4626f44991fe1ea080f289d0ee4550aafc3be06833b6cd8bbee0ff964437b539725a0 WHIRLPOOL fdcee2f3d89f14466d8c5b2832e2027bb0eafa8ca9fed2d0f51a6aaa28f51b18ffbe22d0ad63d22b81e9c17ff45d4b22b65b273936cba3c1d45c3285b55a1e24
+MISC metadata.xml 208 SHA256 98f8aa3fb70533eeab6b09d5bc30bd8f649ec13d9b04363490082fb87bb6032e SHA512 d5a7f3cb2fe57f8d7783ba358068648b122d9f5de81a17bff61ce600e42b6487e6f7e2a62c8be95cc7021cb3ea88716824b1ad0565da922ea753bea2417b3d3d WHIRLPOOL e38a6cdef2acb3efdc182efde482593790f773ab3bb9b66cced3af47e4ab39368757e17c4352c6cacaefa338341db88c3bcc3ffcd32aabd7984c5b19051a7bb7
--- /dev/null
+<IfDefine AUTH_KERB>
+LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+<Directory "/var/www/private">
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ # See the INSTALL file about howto create the keytab
+ Krb5Keytab conf/apache.keytab
+ KrbAuthRealms EXAMPLE.COM
+ Require valid-user
+</Directory>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+
+Per https://bugzilla.redhat.com//show_bug.cgi?id=796430
+switch the cache dir to be relative to runtimedir.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext
+ int ret;
+ krb5_ccache tmp_ccache = NULL;
+
+- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
++ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX");
+ fd = mkstemp(ccname + strlen("FILE:"));
+ if (fd < 0) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
--- /dev/null
+
+https://bugzilla.redhat.com/show_bug.cgi?id=688210
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -209,6 +209,7 @@ typedef struct krb5_conn_data {
+ char *authline;
+ char *user;
+ char *mech;
++ char *ccname;
+ int last_return;
+ } krb5_conn_data;
+
+@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext
+ int ret;
+ krb5_ccache tmp_ccache = NULL;
+
+- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
++ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
+ fd = mkstemp(ccname + strlen("FILE:"));
+ if (fd < 0) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext
+ }
+
+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
++ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
+ apr_pool_cleanup_null);
+
+ *ccache = tmp_ccache;
+@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char *
+ if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
+ return NULL;
+
+- if(conn_data) {
+- if(strcmp(conn_data->authline, auth_line) == 0) {
+- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
+- return conn_data;
++ if(conn_data && conn_data->ccname != NULL) {
++ apr_finfo_t finfo;
++
++ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
++ APR_FINFO_NORM, r->pool) == APR_SUCCESS
++ && (finfo.valid & APR_FINFO_TYPE)
++ && finfo.filetype == APR_REG) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
++ return conn_data;
+ }
+ }
+ return NULL;
+@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r)
+ ret = prevauth->last_return;
+ MK_USER = prevauth->user;
+ MK_AUTH_TYPE = prevauth->mech;
++ if (prevauth->ccname)
++ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
+ }
+
+ /*
+@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r)
+ prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
+ prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
+ prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
++ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
+ prevauth->last_return = ret;
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld",
--- /dev/null
+
+Compiler warning fixes.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -677,7 +677,8 @@ end:
+ static krb5_error_code
+ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
+ const char *password, krb5_principal server,
+- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
++ krb5_keytab keytab, int krb_verify_kdc,
++ const char *krb_service_name, krb5_ccache *ccache)
+ {
+ krb5_creds creds;
+ krb5_get_init_creds_opt options;
+@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r,
+ return 0;
+ }
+
++#ifndef GSSAPI_SUPPORTS_SPNEGO
+ static int
+ cmp_gss_type(gss_buffer_t token, gss_OID oid)
+ {
+@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+
+ return memcmp(p, oid->elements, oid->length);
+ }
++#endif
+
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r)
+ return ret;
+ }
+
+-int
++static int
+ have_rcache_type(const char *type)
+ {
+ krb5_error_code ret;
--- /dev/null
+diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
+index 2aab5ee..ca81878 100644
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ goto end;
+ }
+
+-#if 0
+ /* This is a _Kerberos_ module so multiple authentication rounds aren't
+ * supported. If we wanted a generic GSS authentication we would have to do
+ * some magic with exporting context etc. */
+@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+-#endif
+
+ major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
+ gss_release_name(&minor_status, &client_name);
--- /dev/null
+
+Fixes for 2.4 API.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc
+ #define PROXYREQ_PROXY STD_PROXY
+ #endif
+
++#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606
++/* 2.4.x or later */
++#define WITH_HTTPD24 1
++#define client_ip(r) ((r)->useragent_ip)
++APLOG_USE_MODULE(auth_kerb);
++#else
++#define client_ip(r) ((r)->connection->remote_ip)
++#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
++#endif
++
+ /***************************************************************************
+ Auth Configuration Structure
+ ***************************************************************************/
+@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void
+ }
+
+ static void
+-log_rerror(const char *file, int line, int level, int status,
++log_rerror(const char *file, int line,
++#ifdef WITH_HTTPD24
++ int module_index,
++#endif
++ int level, int status,
+ const request_rec *r, const char *fmt, ...)
+ {
+ char errstr[1024];
+@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i
+ va_end(ap);
+
+
+-#ifdef STANDARD20_MODULE_STUFF
++#if defined(WITH_HTTPD24)
++ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr);
++#elif defined(STANDARD20_MODULE_STUFF)
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
+ #else
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
+@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char *
+ char keyname[1024];
+
+ snprintf(keyname, sizeof(keyname) - 1,
+- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
+- r->connection->id);
++ "mod_auth_kerb::connection::%s::%ld", client_ip(r),
++ r->connection->id);
+
+ if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
+ return NULL;
+@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r)
+ prevauth->last_return = ret;
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld",
+- r->connection->remote_ip, r->connection->id);
++ client_ip(r), r->connection->id);
+ apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
+ }
+
+@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_
+ }
+
+ #ifdef AP_NEED_SET_MUTEX_PERMS
+- rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock);
+ if (rc != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
+ "mod_auth_kerb: Parent could not set permissions "
--- /dev/null
+
+https://bugzilla.redhat.com/show_bug.cgi?id=867153
+
+Patch by: jkaluza
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -80,6 +80,7 @@
+
+ #define MECH_NEGOTIATE "Negotiate"
+ #define SERVICE_NAME "HTTP"
++#define MAX_LOCAL_USERNAME 255
+
+ #include <httpd.h>
+ #include <http_config.h>
+@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) {
+ krb5_get_err_text(kcontext, code));
+ goto end;
+ }
+- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
++ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1);
+ if (MK_USER_LNAME == NULL) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "ap_pcalloc() failed (not enough memory)");
+ goto end;
+ }
+- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
++ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME);
+ if (code) {
+ if (code != KRB5_LNAME_NOTRANS) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
--- /dev/null
+
+Remove the Krb5 1.3.x-specific hack which mucks about with
+libkrb5 internals, and shouldn't.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -285,34 +285,6 @@ mkstemp(char *template)
+ }
+ #endif
+
+-#if defined(KRB5) && !defined(HEIMDAL)
+-/* Needed to work around problems with replay caches */
+-#include "mit-internals.h"
+-
+-/* This is our replacement krb5_rc_store function */
+-static krb5_error_code KRB5_LIB_FUNCTION
+-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
+- krb5_donot_replay_internal *donot_replay)
+-{
+- return 0;
+-}
+-
+-/* And this is the operations vector for our replay cache */
+-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
+- 0,
+- "dfl",
+- krb5_rc_dfl_init,
+- krb5_rc_dfl_recover,
+- krb5_rc_dfl_destroy,
+- krb5_rc_dfl_close,
+- mod_auth_kerb_rc_store,
+- krb5_rc_dfl_expunge,
+- krb5_rc_dfl_get_span,
+- krb5_rc_dfl_get_name,
+- krb5_rc_dfl_resolve
+-};
+-#endif
+-
+ /***************************************************************************
+ Auth Configuration Initialization
+ ***************************************************************************/
+@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r,
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+-#ifndef HEIMDAL
+- /*
+- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
+- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
+- * the replay cache.
+- * This allows us to override the replay cache function vector with
+- * our own one.
+- * Note that this is a dirty hack to get things working and there may
+- * well be unknown side-effects.
+- */
+- {
+- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
+-
+- /* First we try to verify we are linked with 1.3.x to prevent from
+- crashing when linked with 1.4.x */
+- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
+- if (gss_creds->rcache && gss_creds->rcache->ops &&
+- gss_creds->rcache->ops->type &&
+- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+- /* Override the rcache operations */
+- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+- }
+- }
+-#endif
+-
+ return 0;
+ }
+
--- /dev/null
+\r
+Add S4U2Proxy feature:\r
+\r
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help\r
+\r
+The attached patches add support for using s4u2proxy \r
+(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the \r
+web service to obtain credentials on behalf of the authenticated user.\r
+\r
+The first patch adds basic support for s4u2proxy. This requires the web \r
+administrator to manually create and manage the credentails cache for \r
+the apache user (via a cron job, for example).\r
+\r
+The second patch builds on this and makes mod_auth_kerb manage the \r
+ccache instead.\r
+\r
+These are patches against the current CVS HEAD (mod_auth_krb 5.4).\r
+\r
+I've added a new module option to enable this support, \r
+KrbConstrainedDelegation. The default is off.\r
+\r
+--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500\r
++++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500\r
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be \r
+ credential cache that will be available for the request handler. The ticket\r
+ file will be removed after request is handled.\r
+ \r
++Constrained Delegation\r
++----------------------\r
++S4U2Proxy, or constrained delegation, enables a service to use a client's\r
++ticket to itself to request another ticket for delegation. The KDC\r
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.\r
++If KrbConstrainedDelegation is enabled the server will use its own credentials\r
++to retrieve a delegated ticket for the user. For this to work the user must\r
++have a forwardable ticket (though the delegation flag need not be set).\r
++The server needs a valid credentials cache for this to work.\r
++\r
++The module itself will obtain and manage the necessary credentials.\r
++\r
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $\r
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c\r
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500\r
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500\r
+@@ -42,6 +42,31 @@\r
+ * POSSIBILITY OF SUCH DAMAGE.\r
+ */\r
+ \r
++/*\r
++ * Locking mechanism inspired by mod_rewrite.\r
++ *\r
++ * Licensed to the Apache Software Foundation (ASF) under one or more\r
++ * contributor license agreements. See the NOTICE file distributed with\r
++ * this work for additional information regarding copyright ownership.\r
++ * The ASF licenses this file to You under the Apache License, Version 2.0\r
++ * (the "License"); you may not use this file except in compliance with\r
++ * the License. You may obtain a copy of the License at\r
++ *\r
++ * http://www.apache.org/licenses/LICENSE-2.0\r
++ *\r
++ * Unless required by applicable law or agreed to in writing, software\r
++ * distributed under the License is distributed on an "AS IS" BASIS,\r
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
++ * See the License for the specific language governing permissions and\r
++ * limitations under the License.\r
++ */\r
++\r
++/*\r
++ * S4U2Proxy code\r
++ *\r
++ * Copyright (C) 2012 Red Hat\r
++ */\r
++\r
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"\r
+ \r
+ #include "config.h"\r
+@@ -49,6 +74,7 @@\r
+ #include <stdlib.h>\r
+ #include <stdio.h>\r
+ #include <stdarg.h>\r
++#include <unixd.h>\r
+ \r
+ #define MODAUTHKERB_VERSION "5.4"\r
+ \r
+@@ -122,6 +148,12 @@\r
+ module auth_kerb_module;\r
+ #endif\r
+ \r
++#ifdef STANDARD20_MODULE_STUFF\r
++/* s4u2proxy only supported in 2.0+ */\r
++static const char *lockname;\r
++static apr_global_mutex_t *s4u2proxy_lock = NULL;\r
++#endif\r
++\r
+ /*************************************************************************** \r
+ Macros To Ease Compatibility\r
+ ***************************************************************************/\r
+@@ -156,6 +188,7 @@\r
+ int krb_method_gssapi;\r
+ int krb_method_k5pass;\r
+ int krb5_do_auth_to_local;\r
++ int krb5_s4u2proxy;\r
+ #endif\r
+ #ifdef KRB4\r
+ char *krb_4_srvtab;\r
+@@ -176,6 +209,11 @@\r
+ \r
+ static const char*\r
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);\r
++static const char *\r
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);\r
++\r
++static int\r
++obtain_server_credentials(request_rec *r, const char *service_name);\r
+ \r
+ #ifdef STANDARD20_MODULE_STUFF\r
+ #define command(name, func, var, type, usage) \\r
+@@ -228,6 +266,12 @@\r
+ \r
+ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,\r
+ FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),\r
++\r
++ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,\r
++ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),\r
++\r
++ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,\r
++ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),\r
+ #endif \r
+ \r
+ #ifdef KRB4\r
+@@ -293,6 +337,7 @@\r
+ #endif\r
+ #ifdef KRB5\r
+ ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;\r
++ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;\r
+ ((kerb_auth_config *)rec)->krb_method_k5pass = 1;\r
+ ((kerb_auth_config *)rec)->krb_method_gssapi = 1;\r
+ #endif\r
+@@ -310,6 +355,24 @@\r
+ return NULL;\r
+ }\r
+ \r
++static const char *\r
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)\r
++{\r
++ const char *error;\r
++\r
++ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)\r
++ return error;\r
++\r
++ /* fixup the path, especially for s4u2proxylock_remove() */\r
++ lockname = ap_server_root_relative(cmd->pool, a1);\r
++\r
++ if (!lockname) {\r
++ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);\r
++ }\r
++\r
++ return NULL;\r
++}\r
++\r
+ static void\r
+ log_rerror(const char *file, int line, int level, int status,\r
+ const request_rec *r, const char *fmt, ...)\r
+@@ -1161,6 +1224,7 @@\r
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;\r
+ OM_uint32 major_status, minor_status, minor_status2;\r
+ gss_name_t server_name = GSS_C_NO_NAME;\r
++ gss_cred_usage_t usage = GSS_C_ACCEPT;\r
+ char buf[1024];\r
+ int have_server_princ;\r
+ \r
+@@ -1203,10 +1267,14 @@\r
+ \r
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",\r
+ token.value);\r
++ if (conf->krb5_s4u2proxy) {\r
++ usage = GSS_C_BOTH;\r
++ obtain_server_credentials(r, conf->krb_service_name);\r
++ }\r
+ gss_release_buffer(&minor_status, &token);\r
+ \r
+ major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,\r
+- GSS_C_NO_OID_SET, GSS_C_ACCEPT,\r
++ GSS_C_NO_OID_SET, usage,\r
+ server_creds, NULL, NULL);\r
+ gss_release_name(&minor_status2, &server_name);\r
+ if (GSS_ERROR(major_status)) {\r
+@@ -1248,6 +1316,305 @@\r
+ }\r
+ #endif\r
+ \r
++/* Renew the ticket if it will expire in under a minute */\r
++#define RENEWAL_TIME 60\r
++\r
++/*\r
++ * Services4U2Proxy lets a server prinicipal request another service\r
++ * principal on behalf of a user. To do this the Apache service needs\r
++ * to have its own ccache. This will ensure that the ccache has a valid\r
++ * principal and will initialize or renew new credentials when needed.\r
++ */\r
++\r
++static int\r
++verify_server_credentials(request_rec *r,\r
++ krb5_context kcontext,\r
++ krb5_ccache ccache,\r
++ krb5_principal princ,\r
++ int *renew\r
++)\r
++{\r
++ krb5_creds match_cred;\r
++ krb5_creds creds;\r
++ char * princ_name = NULL;\r
++ char *tgs_princ_name = NULL;\r
++ krb5_timestamp now;\r
++ krb5_error_code kerr = 0;\r
++\r
++ *renew = 0;\r
++\r
++ memset (&match_cred, 0, sizeof(match_cred));\r
++ memset (&creds, 0, sizeof(creds));\r
++\r
++ if (NULL == ccache || NULL == princ) {\r
++ /* Nothing to verify */\r
++ *renew = 1;\r
++ goto cleanup;\r
++ }\r
++\r
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Could not unparse principal %s (%d)",\r
++ error_message(kerr), kerr);\r
++ goto cleanup;\r
++ }\r
++\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Using principal %s for s4u2proxy", princ_name);\r
++\r
++#ifdef HEIMDAL\r
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,\r
++ krb5_principal_get_realm(kcontext, princ),\r
++ krb5_principal_get_realm(kcontext, princ));\r
++#else\r
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,\r
++ krb5_princ_realm(kcontext, princ)->length,\r
++ krb5_princ_realm(kcontext, princ)->data,\r
++ krb5_princ_realm(kcontext, princ)->length,\r
++ krb5_princ_realm(kcontext, princ)->data);\r
++#endif\r
++\r
++ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) \r
++ {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Could not parse principal %s: %s (%d)",\r
++ tgs_princ_name, error_message(kerr), kerr);\r
++ goto cleanup;\r
++ }\r
++\r
++ match_cred.client = princ;\r
++\r
++ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))\r
++ {\r
++ krb5_unparse_name(kcontext, princ, &princ_name);\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Could not unparse principal %s: %s (%d)",\r
++ princ_name, error_message(kerr), kerr);\r
++ goto cleanup;\r
++ }\r
++\r
++ if ((kerr = krb5_timeofday(kcontext, &now))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Could not get current time: %d (%s)",\r
++ kerr, error_message(kerr));\r
++ goto cleanup;\r
++ }\r
++\r
++ if (now > (creds.times.endtime + RENEWAL_TIME)) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Credentials for %s have expired or will soon "\r
++ "expire - now %d endtime %d",\r
++ princ_name, now, creds.times.endtime);\r
++ *renew = 1;\r
++ } else {\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Credentials for %s will expire at "\r
++ "%d, it is now %d", princ_name, creds.times.endtime, now);\r
++ }\r
++\r
++cleanup:\r
++ /* Closing context, ccache, etc happens elsewhere */\r
++ if (match_cred.server) {\r
++ krb5_free_principal(kcontext, match_cred.server);\r
++ }\r
++ if (creds.client) {\r
++ krb5_free_cred_contents(kcontext, &creds);\r
++ }\r
++\r
++ return kerr;\r
++}\r
++\r
++static int\r
++obtain_server_credentials(request_rec *r,\r
++ const char *service_name)\r
++{\r
++ krb5_context kcontext = NULL;\r
++ krb5_keytab keytab = NULL;\r
++ krb5_ccache ccache = NULL;\r
++ char * princ_name = NULL;\r
++ char *tgs_princ_name = NULL;\r
++ krb5_error_code kerr = 0;\r
++ krb5_principal princ = NULL;\r
++ krb5_creds creds;\r
++ krb5_get_init_creds_opt gicopts;\r
++ int renew = 0;\r
++ apr_status_t rv = 0;\r
++\r
++ memset(&creds, 0, sizeof(creds));\r
++\r
++ if ((kerr = krb5_init_context(&kcontext))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);\r
++ goto done;\r
++ }\r
++\r
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Could not get default Kerberos ccache: %s (%d)",\r
++ error_message(kerr), kerr);\r
++ goto done;\r
++ }\r
++\r
++ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {\r
++ char * name = NULL;\r
++\r
++ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),\r
++ krb5_cc_get_name(kcontext, ccache))) == -1) {\r
++ kerr = KRB5_CC_NOMEM;\r
++ goto done;\r
++ }\r
++\r
++ if (KRB5_FCC_NOFILE == kerr) {\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Credentials cache %s not found, create one", name);\r
++ krb5_cc_close(kcontext, ccache);\r
++ ccache = NULL;\r
++ free(name);\r
++ } else {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Failure to open credentials cache %s: %s (%d)",\r
++ name, error_message(kerr), kerr);\r
++ free(name);\r
++ goto done;\r
++ }\r
++ }\r
++\r
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);\r
++\r
++ if (kerr || !renew) {\r
++ goto done;\r
++ }\r
++\r
++#ifdef STANDARD20_MODULE_STUFF\r
++ if (s4u2proxy_lock) {\r
++ rv = apr_global_mutex_lock(s4u2proxy_lock);\r
++ if (rv != APR_SUCCESS) {\r
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,\r
++ "apr_global_mutex_lock(s4u2proxy_lock) "\r
++ "failed");\r
++ }\r
++ }\r
++#endif\r
++\r
++ /* We have the lock, check again to be sure another process hasn't already\r
++ * renewed the ticket.\r
++ */\r
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);\r
++ if (kerr || !renew) {\r
++ goto unlock;\r
++ }\r
++\r
++ if (NULL == princ) {\r
++ princ_name = apr_psprintf(r->pool, "%s/%s",\r
++ (service_name) ? service_name : SERVICE_NAME,\r
++ ap_get_server_name(r));\r
++\r
++ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Could not parse principal %s: %s (%d) ",\r
++ princ_name, error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++ } else if (NULL == princ_name) {\r
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Could not unparse principal %s: %s (%d)",\r
++ princ_name, error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++ }\r
++\r
++ if ((kerr = krb5_kt_default(kcontext, &keytab))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Unable to get default keytab: %s (%d)",\r
++ error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Obtaining new credentials for %s", princ_name);\r
++ krb5_get_init_creds_opt_init(&gicopts);\r
++ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);\r
++\r
++#ifdef HEIMDAL\r
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,\r
++ krb5_principal_get_realm(kcontext, princ),\r
++ krb5_principal_get_realm(kcontext, princ));\r
++#else\r
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,\r
++ krb5_princ_realm(kcontext, princ)->length,\r
++ krb5_princ_realm(kcontext, princ)->data,\r
++ krb5_princ_realm(kcontext, princ)->length,\r
++ krb5_princ_realm(kcontext, princ)->data);\r
++#endif\r
++\r
++ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,\r
++ 0, tgs_princ_name, &gicopts))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Failed to obtain credentials for principal %s: "\r
++ "%s (%d)", princ_name, error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++\r
++ krb5_kt_close(kcontext, keytab);\r
++ keytab = NULL;\r
++\r
++ if (NULL == ccache) {\r
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Failed to open default ccache: %s (%d)",\r
++ error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++ }\r
++\r
++ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Failed to initialize ccache for %s: %s (%d)",\r
++ princ_name, error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++\r
++ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {\r
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
++ "Failed to store %s in ccache: %s (%d)",\r
++ princ_name, error_message(kerr), kerr);\r
++ goto unlock;\r
++ }\r
++\r
++unlock:\r
++#ifdef STANDARD20_MODULE_STUFF\r
++ if (s4u2proxy_lock) {\r
++ apr_global_mutex_unlock(s4u2proxy_lock);\r
++ if (rv != APR_SUCCESS) {\r
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,\r
++ "apr_global_mutex_unlock(s4u2proxy_lock) "\r
++ "failed");\r
++ }\r
++ }\r
++#endif\r
++\r
++done:\r
++ if (0 == kerr)\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Done obtaining credentials for s4u2proxy");\r
++ else\r
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
++ "Failed to obtain credentials for s4u2proxy");\r
++\r
++ if (creds.client) {\r
++ krb5_free_cred_contents(kcontext, &creds);\r
++ }\r
++ if (ccache) {\r
++ krb5_cc_close(kcontext, ccache);\r
++ }\r
++ if (kcontext) {\r
++ krb5_free_context(kcontext);\r
++ }\r
++\r
++ return kerr;\r
++}\r
++\r
+ static int\r
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,\r
+ const char *auth_line, char **negotiate_ret_value)\r
+@@ -1688,10 +2055,60 @@\r
+ /*************************************************************************** \r
+ Module Setup/Configuration\r
+ ***************************************************************************/\r
++#ifdef STANDARD20_MODULE_STUFF\r
++static apr_status_t\r
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)\r
++{\r
++ apr_status_t rc;\r
++\r
++ /* only operate if a lockfile is used */\r
++ if (lockname == NULL || *(lockname) == '\0') {\r
++ return APR_SUCCESS;\r
++ }\r
++\r
++ /* create the lockfile */\r
++ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,\r
++ APR_LOCK_DEFAULT, p);\r
++ if (rc != APR_SUCCESS) {\r
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,\r
++ "Parent could not create lock file %s", lockname);\r
++ return rc;\r
++ }\r
++\r
++#ifdef AP_NEED_SET_MUTEX_PERMS\r
++ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);\r
++ if (rc != APR_SUCCESS) {\r
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,\r
++ "mod_auth_kerb: Parent could not set permissions "\r
++ "on lock; check User and Group directives");\r
++ return rc;\r
++ }\r
++#endif\r
++\r
++ return APR_SUCCESS;\r
++}\r
++\r
++static apr_status_t\r
++s4u2proxylock_remove(void *unused)\r
++{\r
++ /* only operate if a lockfile is used */\r
++ if (lockname == NULL || *(lockname) == '\0') {\r
++ return APR_SUCCESS;\r
++ }\r
++\r
++ /* destroy the rewritelock */\r
++ apr_global_mutex_destroy(s4u2proxy_lock);\r
++ s4u2proxy_lock = NULL;\r
++ lockname = NULL;\r
++ return APR_SUCCESS;\r
++}\r
++#endif\r
++\r
+ #ifndef STANDARD20_MODULE_STUFF\r
+ static void\r
+ kerb_module_init(server_rec *dummy, pool *p)\r
+ {\r
++ apr_status_t status;\r
+ #ifndef HEIMDAL\r
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.\r
+ 1.3.x are covered by the hack overiding the replay calls */\r
+@@ -1732,6 +2149,7 @@\r
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,\r
+ apr_pool_t *ptemp, server_rec *s)\r
+ {\r
++ apr_status_t rv;\r
+ ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);\r
+ #ifndef HEIMDAL\r
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.\r
+@@ -1739,14 +2157,41 @@\r
+ if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))\r
+ putenv(strdup("KRB5RCACHETYPE=none"));\r
+ #endif\r
++#ifdef STANDARD20_MODULE_STUFF\r
++ rv = s4u2proxylock_create(s, p);\r
++ if (rv != APR_SUCCESS) {\r
++ return HTTP_INTERNAL_SERVER_ERROR;\r
++ }\r
++\r
++ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,\r
++ apr_pool_cleanup_null);\r
++#endif\r
+ \r
+ return OK;\r
+ }\r
+ \r
+ static void\r
++initialize_child(apr_pool_t *p, server_rec *s)\r
++{\r
++ apr_status_t rv = 0;\r
++\r
++#ifdef STANDARD20_MODULE_STUFF\r
++ if (lockname != NULL && *(lockname) != '\0') {\r
++ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);\r
++ if (rv != APR_SUCCESS) {\r
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,\r
++ "mod_auth_kerb: could not init s4u2proxy_lock"\r
++ " in child");\r
++ }\r
++ }\r
++#endif\r
++}\r
++\r
++static void\r
+ kerb_register_hooks(apr_pool_t *p)\r
+ {\r
+ ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);\r
++ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);\r
+ ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);\r
+ }\r
+ \r
--- /dev/null
+
+Add S4U2Proxy feature:
+
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+
+The attached patches add support for using s4u2proxy
+(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
+web service to obtain credentials on behalf of the authenticated user.
+
+The first patch adds basic support for s4u2proxy. This requires the web
+administrator to manually create and manage the credentails cache for
+the apache user (via a cron job, for example).
+
+The second patch builds on this and makes mod_auth_kerb manage the
+ccache instead.
+
+These are patches against the current CVS HEAD (mod_auth_krb 5.4).
+
+I've added a new module option to enable this support,
+KrbConstrainedDelegation. The default is off.
+
+--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
++++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
+ credential cache that will be available for the request handler. The ticket
+ file will be removed after request is handled.
+
++Constrained Delegation
++----------------------
++S4U2Proxy, or constrained delegation, enables a service to use a client's
++ticket to itself to request another ticket for delegation. The KDC
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
++If KrbConstrainedDelegation is enabled the server will use its own credentials
++to retrieve a delegated ticket for the user. For this to work the user must
++have a forwardable ticket (though the delegation flag need not be set).
++The server needs a valid credentials cache for this to work.
++
++The module itself will obtain and manage the necessary credentials.
++
+ $Id: mod_auth_kerb-5.4-s4u2proxy.patch,v 1.2 2013/01/11 20:41:59 pacho Exp $
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+@@ -42,6 +42,31 @@
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
++/*
++ * Locking mechanism inspired by mod_rewrite.
++ *
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/*
++ * S4U2Proxy code
++ *
++ * Copyright (C) 2012 Red Hat
++ */
++
+ #ident "$Id: mod_auth_kerb-5.4-s4u2proxy.patch,v 1.2 2013/01/11 20:41:59 pacho Exp $"
+
+ #include "config.h"
+@@ -49,6 +74,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <stdarg.h>
++#include <unixd.h>
+
+ #define MODAUTHKERB_VERSION "5.4"
+
+@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
+ module auth_kerb_module;
+ #endif
+
++#ifdef STANDARD20_MODULE_STUFF
++/* s4u2proxy only supported in 2.0+ */
++static const char *lockname;
++static apr_global_mutex_t *s4u2proxy_lock = NULL;
++#endif
++
+ /***************************************************************************
+ Macros To Ease Compatibility
+ ***************************************************************************/
+@@ -165,6 +197,7 @@ typedef struct {
+ int krb_method_gssapi;
+ int krb_method_k5pass;
+ int krb5_do_auth_to_local;
++ int krb5_s4u2proxy;
+ #endif
+ #ifdef KRB4
+ char *krb_4_srvtab;
+@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
+
+ static const char*
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
++
++static int
++obtain_server_credentials(request_rec *r, const char *service_name);
+
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage) \
+@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
+
+ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+ FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
++
++ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
++ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
++
++ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
++ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+ #endif
+
+ #ifdef KRB4
+@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
+ #endif
+ #ifdef KRB5
+ ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
++ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
+ ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
+ ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ #endif
+@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
+ return NULL;
+ }
+
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
++{
++ const char *error;
++
++ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
++ return error;
++
++ /* fixup the path, especially for s4u2proxylock_remove() */
++ lockname = ap_server_root_relative(cmd->pool, a1);
++
++ if (!lockname) {
++ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
++ }
++
++ return NULL;
++}
++
+ static void
+ log_rerror(const char *file, int line, int level, int status,
+ const request_rec *r, const char *fmt, ...)
+@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major_status, minor_status, minor_status2;
+ gss_name_t server_name = GSS_C_NO_NAME;
++ gss_cred_usage_t usage = GSS_C_ACCEPT;
+ char buf[1024];
+ int have_server_princ;
+
+@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r,
+
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
+ token.value);
++ if (conf->krb5_s4u2proxy) {
++ usage = GSS_C_BOTH;
++ obtain_server_credentials(r, conf->krb_service_name);
++ }
+ gss_release_buffer(&minor_status, &token);
+
+ major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
++ GSS_C_NO_OID_SET, usage,
+ server_creds, NULL, NULL);
+ gss_release_name(&minor_status2, &server_name);
+ if (GSS_ERROR(major_status)) {
+@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+ }
+ #endif
+
++/* Renew the ticket if it will expire in under a minute */
++#define RENEWAL_TIME 60
++
++/*
++ * Services4U2Proxy lets a server prinicipal request another service
++ * principal on behalf of a user. To do this the Apache service needs
++ * to have its own ccache. This will ensure that the ccache has a valid
++ * principal and will initialize or renew new credentials when needed.
++ */
++
++static int
++verify_server_credentials(request_rec *r,
++ krb5_context kcontext,
++ krb5_ccache ccache,
++ krb5_principal princ,
++ int *renew
++)
++{
++ krb5_creds match_cred;
++ krb5_creds creds;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_timestamp now;
++ krb5_error_code kerr = 0;
++
++ *renew = 0;
++
++ memset (&match_cred, 0, sizeof(match_cred));
++ memset (&creds, 0, sizeof(creds));
++
++ if (NULL == ccache || NULL == princ) {
++ /* Nothing to verify */
++ *renew = 1;
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not unparse principal %s (%d)",
++ error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Using principal %s for s4u2proxy", princ_name);
++
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++
++ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
++ {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d)",
++ tgs_princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ match_cred.client = princ;
++
++ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
++ {
++ krb5_unparse_name(kcontext, princ, &princ_name);
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_timeofday(kcontext, &now))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get current time: %d (%s)",
++ kerr, error_message(kerr));
++ goto cleanup;
++ }
++
++ if (now > (creds.times.endtime + RENEWAL_TIME)) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Credentials for %s have expired or will soon "
++ "expire - now %d endtime %d",
++ princ_name, now, creds.times.endtime);
++ *renew = 1;
++ } else {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials for %s will expire at "
++ "%d, it is now %d", princ_name, creds.times.endtime, now);
++ }
++
++cleanup:
++ /* Closing context, ccache, etc happens elsewhere */
++ if (match_cred.server) {
++ krb5_free_principal(kcontext, match_cred.server);
++ }
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++
++ return kerr;
++}
++
++static int
++obtain_server_credentials(request_rec *r,
++ const char *service_name)
++{
++ krb5_context kcontext = NULL;
++ krb5_keytab keytab = NULL;
++ krb5_ccache ccache = NULL;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_error_code kerr = 0;
++ krb5_principal princ = NULL;
++ krb5_creds creds;
++ krb5_get_init_creds_opt gicopts;
++ int renew = 0;
++ apr_status_t rv = 0;
++
++ memset(&creds, 0, sizeof(creds));
++
++ if ((kerr = krb5_init_context(&kcontext))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get default Kerberos ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
++ char * name = NULL;
++
++ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
++ krb5_cc_get_name(kcontext, ccache))) == -1) {
++ kerr = KRB5_CC_NOMEM;
++ goto done;
++ }
++
++ if (KRB5_FCC_NOFILE == kerr) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials cache %s not found, create one", name);
++ krb5_cc_close(kcontext, ccache);
++ ccache = NULL;
++ free(name);
++ } else {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failure to open credentials cache %s: %s (%d)",
++ name, error_message(kerr), kerr);
++ free(name);
++ goto done;
++ }
++ }
++
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++
++ if (kerr || !renew) {
++ goto done;
++ }
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ rv = apr_global_mutex_lock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_lock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++ /* We have the lock, check again to be sure another process hasn't already
++ * renewed the ticket.
++ */
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++ if (kerr || !renew) {
++ goto unlock;
++ }
++
++ if (NULL == princ) {
++ princ_name = apr_psprintf(r->pool, "%s/%s",
++ (service_name) ? service_name : SERVICE_NAME,
++ ap_get_server_name(r));
++
++ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d) ",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ } else if (NULL == princ_name) {
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Unable to get default keytab: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Obtaining new credentials for %s", princ_name);
++ krb5_get_init_creds_opt_init(&gicopts);
++ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
++
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++
++ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
++ 0, tgs_princ_name, &gicopts))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to obtain credentials for principal %s: "
++ "%s (%d)", princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ krb5_kt_close(kcontext, keytab);
++ keytab = NULL;
++
++ if (NULL == ccache) {
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to open default ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to initialize ccache for %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to store %s in ccache: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++unlock:
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ apr_global_mutex_unlock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_unlock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++done:
++ if (0 == kerr)
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Done obtaining credentials for s4u2proxy");
++ else
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Failed to obtain credentials for s4u2proxy");
++
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++ if (ccache) {
++ krb5_cc_close(kcontext, ccache);
++ }
++ if (kcontext) {
++ krb5_free_context(kcontext);
++ }
++
++ return kerr;
++}
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ const char *auth_line, char **negotiate_ret_value)
+@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
++#ifdef STANDARD20_MODULE_STUFF
++static apr_status_t
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)
++{
++ apr_status_t rc;
++
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* create the lockfile */
++ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
++ APR_LOCK_DEFAULT, p);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "Parent could not create lock file %s", lockname);
++ return rc;
++ }
++
++#ifdef AP_NEED_SET_MUTEX_PERMS
++ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "mod_auth_kerb: Parent could not set permissions "
++ "on lock; check User and Group directives");
++ return rc;
++ }
++#endif
++
++ return APR_SUCCESS;
++}
++
++static apr_status_t
++s4u2proxylock_remove(void *unused)
++{
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* destroy the rewritelock */
++ apr_global_mutex_destroy(s4u2proxy_lock);
++ s4u2proxy_lock = NULL;
++ lockname = NULL;
++ return APR_SUCCESS;
++}
++#endif
++
+ #ifndef STANDARD20_MODULE_STUFF
+ static void
+ kerb_module_init(server_rec *dummy, pool *p)
+ {
++ apr_status_t status;
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+@@ -1741,6 +2146,7 @@ static int
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *s)
+ {
++ apr_status_t rv;
+ ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+ if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
++#ifdef STANDARD20_MODULE_STUFF
++ rv = s4u2proxylock_create(s, p);
++ if (rv != APR_SUCCESS) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++
++ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
++ apr_pool_cleanup_null);
++#endif
+
+ return OK;
+ }
+
+ static void
++initialize_child(apr_pool_t *p, server_rec *s)
++{
++ apr_status_t rv = 0;
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (lockname != NULL && *(lockname) != '\0') {
++ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
++ if (rv != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
++ "mod_auth_kerb: could not init s4u2proxy_lock"
++ " in child");
++ }
++ }
++#endif
++}
++
++static void
+ kerb_register_hooks(apr_pool_t *p)
+ {
+ ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
++ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer><email>maintainer-needed@gentoo.org</email></maintainer>
+</pkgmetadata>
--- /dev/null
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_auth_kerb/mod_auth_kerb-5.4-r2.ebuild,v 1.2 2015/05/17 10:55:22 pacho Exp $
+
+EAPI=5
+inherit apache-module eutils systemd
+
+DESCRIPTION="An Apache authentication module using Kerberos"
+HOMEPAGE="http://modauthkerb.sourceforge.net/"
+SRC_URI="mirror://sourceforge/modauthkerb/${P}.tar.gz"
+
+LICENSE="BSD openafs-krb5-a HPND"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+DEPEND="virtual/krb5"
+RDEPEND="${DEPEND}"
+
+APACHE2_MOD_CONF="11_${PN}"
+APACHE2_MOD_DEFINE="AUTH_KERB"
+
+DOCFILES="INSTALL README"
+
+need_apache2
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-rcopshack.patch
+ epatch "${FILESDIR}"/${P}-fixes.patch
+ epatch "${FILESDIR}"/${P}-s4u2proxy-r3.patch
+ epatch "${FILESDIR}"/${P}-httpd24.patch
+ epatch "${FILESDIR}"/${P}-delegation.patch
+ epatch "${FILESDIR}"/${P}-cachedir.patch
+ epatch "${FILESDIR}"/${P}-longuser.patch
+ epatch "${FILESDIR}"/${P}-handle-continue.patch
+}
+
+src_configure() {
+ CFLAGS="" APXS="${APXS}" econf --with-krb5=/usr --without-krb4
+}
+
+src_compile() {
+ emake
+}
+
+src_install() {
+ apache-module_src_install
+ systemd_dotmpfilesd "${FILESDIR}/11_${PN}.conf"
+}
projects / portage.git / commitdiff