>From edad1854da5c495ca625a160e8d4c0cba8d42798 Mon Sep 17 00:00:00 2001 From: Gordon Ross Date: Fri, 6 May 2011 15:13:33 -0700 Subject: [PATCH] Fix Samba3 on OpenIndiana. I'd like Samba to use the native OpenLDAP and MIT Kerberos libs. Attached are some patches to do that. (relative to git master) It does not build for me without these. (OpenIndiana is an off-shoot of OpenSolaris See http://www.openindiana.org) --- auth/kerberos/gssapi_pac.c | 20 ++++++++++++++++++++ lib/replace/system/kerberos.h | 4 +++- source3/configure.in | 26 +++++++++++++++++++++----- source3/wscript | 2 +- 4 files changed, 45 insertions(+), 7 deletions(-) diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c index d89a649..3b56116 100644 --- a/auth/kerberos/gssapi_pac.c +++ b/auth/kerberos/gssapi_pac.c @@ -23,6 +23,26 @@ #include "libcli/auth/krb5_wrap.h" +/* + * These are not exported by Solaris -lkrb5 + * Maybe move to libreplace somewhere? + */ +#ifndef HAVE_GSS_MECH_KRB5 +static const gss_OID_desc krb5_gss_oid_array[] = { + /* this is the official, rfc-specified OID */ + { 9, "\052\206\110\206\367\022\001\002\002" }, + /* this is the pre-RFC mech OID */ + { 5, "\053\005\001\005\002" }, + /* this is the unofficial, incorrect mech OID emitted by MS */ + { 9, "\052\206\110\202\367\022\001\002\002" }, + { 0, 0 } +}; + +const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0; +const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1; +const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2; +#endif /* HAVE_GSS_MECH_KRB5 */ + /* The Heimdal OID for getting the PAC */ #define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8 /* EXTRACTION OID AUTHZ ID */ diff --git a/lib/replace/system/kerberos.h b/lib/replace/system/kerberos.h index 6d8c59f..ec3eff1 100644 --- a/lib/replace/system/kerberos.h +++ b/lib/replace/system/kerberos.h @@ -37,7 +37,9 @@ #include #endif -#if HAVE_GSSAPI_GSSAPI_H +#if HAVE_GSSAPI_GSSAPI_EXT_H +#include +#elif HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_GSSAPI_GENERIC_H #include diff --git a/source3/configure.in b/source3/configure.in index f9263f6..11dbc28 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3579,16 +3579,16 @@ else # Check to see whether there is enough LDAP functionality to be able # to build AD support. -# HPUX only has ldap_init; ok, we take care of this in smbldap.c +# HPUX and Solaris only has ldap_init; ok, we take care of this in smbldap.c case "$host_os" in - *hpux*) + *hpux* | *solaris*) AC_CHECK_FUNC_EXT(ldap_init,$LDAP_LIBS) if test x"$ac_cv_func_ext_ldap_init" != x"yes"; then if test x"$with_ads_support" = x"yes"; then - AC_MSG_ERROR(Active Directory support on HPUX requires ldap_init) + AC_MSG_ERROR(Active Directory support on HPUX or Solaris requires ldap_init) elif test x"$with_ads_support" = x"auto"; then - AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX)) + AC_MSG_WARN(Disabling Active Directory support (requires ldap_init on HPUX or Solaris)) with_ads_support=no fi fi @@ -3638,7 +3638,6 @@ if test x"$with_ads_support" != x"no"; then ;; yes) AC_MSG_RESULT(/usr) - FOUND_KRB5=yes ;; *) AC_MSG_RESULT($withval) @@ -3727,6 +3726,21 @@ if test x"$with_ads_support" != x"no"; then fi fi + if test x$FOUND_KRB5 = x"no"; then + ################################################# + # see if this box has Solaris MIT kerberos implementation + AC_MSG_CHECKING(for Solaris MIT kerberos) + if test -x "$KRB5CONFIG" && $KRB5CONFIG --version | grep -s Solaris | grep -s MIT > /dev/null ; then + FOUND_KRB5=yes + KRB5_LIBS="-lgss -lkrb5" + KRB5_CFLAGS="`$KRB5CONFIG --cflags`" + KRB5_CPPFLAGS="`$KRB5CONFIG --cflags`" + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + fi + fi + ac_save_CFLAGS=$CFLAGS ac_save_CPPFLAGS=$CPPFLAGS ac_save_LDFLAGS=$LDFLAGS @@ -3816,6 +3830,7 @@ if test x"$with_ads_support" != x"no"; then # now see if we can find the gssapi libs in standard paths if test x"$have_gssapi" != x"yes"; then AC_CHECK_LIB_EXT(gssapi_krb5, KRB5_LIBS,gss_display_status,[],[],have_gssapi=yes) + AC_CHECK_LIB_EXT(gss, KRB5_LIBS,gss_display_status,[],[],have_gssapi=yes) AC_CHECK_FUNC_EXT(gss_wrap_iov, $KRB5_LIBS) fi @@ -3870,6 +3885,7 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(gss_mech_krb5, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS) diff --git a/source3/wscript b/source3/wscript index 55b62d1..583e97a 100644 --- a/source3/wscript +++ b/source3/wscript @@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd); if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \ conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'): have_gssapi=True - conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5') + conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_mech_krb5 gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5') conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') conf.CHECK_FUNCS(''' krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes -- 1.7.3.1