[linux-cifs-client] Patch to get cifs.upcall to compile with Heimdal

Jeff Layton jlayton at samba.org
Wed Mar 31 13:16:07 MDT 2010 

On Wed, 31 Mar 2010 18:13:40 +0200
Torsten Kurbad <samba-technical at tk-webart.de> wrote:

Thanks for the patch. FWIW, it would be preferable to base this on the git
tree and generate the patch using git-format-patch. Comments inline...

> diff -urN cifs-utils-4.1.orig//cifs.upcall.c cifs-utils-4.1//cifs.upcall.c
> --- cifs-utils-4.1.orig//cifs.upcall.c	2010-03-23 14:47:07.000000000 +0100
> +++ cifs-utils-4.1//cifs.upcall.c	2010-03-31 17:53:39.425556256 +0200
> @@ -31,7 +31,11 @@
>  
>  #include <string.h>
>  #include <getopt.h>
> +#ifdef HAVE_KRB5_KRB5_H
>  #include <krb5/krb5.h>
> +#elif defined(HAVE_KRB5_H)
> +#include <krb5.h>
> +#endif

^^^^
I think it would be better to munge the CFLAGS so that
-I/usr/include/krb5 precedes the other paths if HAVE_KRB5_KRB5_H is
set. That would leave cifs.upcall.c with less #ifdef goop.

>  #include <syslog.h>
>  #include <dirent.h>
>  #include <sys/types.h>
> @@ -275,7 +279,8 @@
>  		goto out_free_principal;
>  	}
>  
> -	in_creds.keyblock.enctype = 0;
> +	/* Removed to support Heimdal */
> +	// in_creds.keyblock.enctype = 0; */
^^^^
Just remove those lines -- no need to comment them out.

>  	ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
>  	krb5_free_principal(context, in_creds.server);
>  	if (ret) {
> @@ -294,7 +299,11 @@
>  		goto out_free_creds;
>  	}
>  
> +#ifdef HAVE_KRB5_AUTH_CON_GETSENDSUBKEY
>  	ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb);
> +#else
> +	ret = krb5_auth_con_getlocalsubkey(context, auth_context, &tokb);
> +#endif
>  	if (ret) {
>  		syslog(LOG_DEBUG, "%s: unable to get session key for %s",
>  				__func__, principal);
> @@ -302,7 +311,12 @@
>  	}
>  
>  	*mechtoken = data_blob(apreq_pkt.data, apreq_pkt.length);
> +
> +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
> +	*sess_key = data_blob(tokb->keyvalue.data, tokb->keyvalue.length);
> +#else /* MIT */
>  	*sess_key = data_blob(tokb->contents, tokb->length);
> +#endif
>  

I think it would be better to declare the same macros that samba uses:

KRB5_KEY_DATA
KRB5_KEY_LENGTH

...you could put them in replace.h and have them do something different
based on HAVE_KRB5_KEYBLOCK_KEYVALUE. That makes the code look cleaner
and makes it easier to get this sort of thing right if we need to do
this in the future.

>  	krb5_free_keyblock(context, tokb);
>  out_free_creds:
> diff -urN cifs-utils-4.1.orig//configure.ac cifs-utils-4.1//configure.ac
> --- cifs-utils-4.1.orig//configure.ac	2010-03-23 14:47:07.000000000 +0100
> +++ cifs-utils-4.1//configure.ac	2010-03-31 17:54:31.847532077 +0200
> @@ -25,15 +25,39 @@
>  AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h mntent.h netdb.h stddef.h stdint.h stdlib.h string.h strings.h sys/mount.h sys/param.h sys/socket.h sys/time.h syslog.h unistd.h], , [AC_MSG_ERROR([necessary header(s) not found])])
>  
>  if test $enable_cifsupcall != "no"; then
> -	AC_CHECK_HEADERS([krb5/krb5.h], ,[
> -				if test "$enable_cifsupcall" = "yes"; then
> -					AC_MSG_ERROR([krb5/krb5.h not found, consider installing krb5-libs-devel.])
> -				else
> -					AC_MSG_WARN([krb5/krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.])
> -					enable_cifsupcall="no"
> -				fi
> -			])
> +	AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
> +	if test x$ac_cv_header_krb5_krb5_h != xyes ; then
> +		if test x$ac_cv_header_krb5_h != xyes ; then
> +			if test "$enable_cifsupcall" = "yes"; then
> +				AC_MSG_ERROR([krb5.h not found, consider installing krb5-libs-devel.])
> +			else
> +				AC_MSG_WARN([krb5.h not found, consider installing krb5-libs-devel. Disabling cifs.upcall.])
> +				enable_cifsupcall="no"
> +			fi
> +		fi
> +	fi
> +fi
> +
> +if test $enable_cifsupcall != "no"; then
> +	if test x$ac_cv_header_krb5_krb5_h = xyes ; then
> +		krb5_include="#include <krb5/krb5.h>"
> +	fi
> +	if test x$ac_cv_header_krb5_h = xyes ; then
> +		krb5_include="#include <krb5.h>"
> +	fi
> +
> +	AC_CACHE_CHECK([for keyvalue in krb5_keyblock],
> +		[ac_cv_have_krb5_keyblock_keyvalue],[
> +			AC_TRY_COMPILE([$krb5_include],
> +			[krb5_keyblock key; key.keyvalue.data = NULL;],
> +			ac_cv_have_krb5_keyblock_keyvalue=yes,
> +			ac_cv_have_krb5_keyblock_keyvalue=no)])
> +	if test x"$ac_cv_have_krb5_keyblock_keyvalue" = x"yes" ; then
> +		AC_DEFINE(HAVE_KRB5_KEYBLOCK_KEYVALUE,1,
> +			[Whether the krb5_keyblock struct has a keyvalue property])
> +	fi
>  fi
> +
>  if test $enable_cifsupcall != "no"; then
>  	AC_CHECK_HEADERS([talloc.h], , [
>  				if test "$enable_cifsupcall" = "yes"; then
> @@ -55,6 +79,10 @@
>  			])
>  fi
>  
> +if test $enable_cifsupcall != "no"; then
> +	AC_CHECK_LIB([krb5], [krb5_init_context])
> +fi
> +
>  # Checks for typedefs, structures, and compiler characteristics.
>  AC_HEADER_STDBOOL
>  AC_TYPE_UID_T
> @@ -73,6 +101,11 @@
>  # check for required functions
>  AC_CHECK_FUNCS([alarm atexit endpwent getmntent getpass gettimeofday inet_ntop memset realpath setenv strchr strdup strerror strncasecmp strndup strpbrk strrchr strstr strtol strtoul uname], , [AC_MSG_ERROR([necessary functions(s) not found])])
>  
> +# determine whether we can use MIT's new 'krb5_auth_con_getsendsubkey' to extract the signing key
> +if test $enable_cifsupcall != "no"; then
> +	AC_CHECK_FUNCS([krb5_auth_con_getsendsubkey])
> +fi
> +
>  # non-critical functions (we have workarounds for these)
>  if test $enable_cifsupcall != "no"; then
>  	AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name])

I think the rest of the patch looks ok.

Thanks,
-- 
Jeff Layton <jlayton at samba.org>

More information about the linux-cifs-client mailing list