From 10d34c1413244a648a1f26f4695cb96c18b665b5 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Aug 29 2016 17:44:23 +0000 Subject: Guess Samba client mutual flag using ap_option Resolves: #1370980
---
diff --git a/krb5-1.14.4-samba-client-mutual-flag.patch b/krb5-1.14.4-samba-client-mutual-flag.patch
new file mode 100644
index 0000000..e628af6
--- /dev/null
+++ b/krb5-1.14.4-samba-client-mutual-flag.patch
@@ -0,0 +1,37 @@
+From dcb523a4201dc882b2c466824ee1913eaed2e30d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 25 Aug 2016 10:41:33 +0200
+Subject: [PATCH] Guess Samba client mutual flag using ap_options
+
+To work correctly with older Samba clients, we should guess the mutual
+flag based on the ap_options from the AP-REQ and not set it
+unconditionally. Found by the Samba torture testsuite.
+
+[ghudson@mit.edu: edited comments and commit message]
+
+ticket: 8486 (new)
+target_version: 1.14-next
+tags: pullup
+---
+ src/lib/gssapi/krb5/accept_sec_context.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+index b7fffeb..580d08c 100644
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -699,7 +699,10 @@ kg_accept_krb5(minor_status, context_handle,
+ goto fail;
+ }
+
+- gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
++ /* Use ap_options from the request to guess the mutual flag. */
++ gss_flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
++ if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED)
++ gss_flags |= GSS_C_MUTUAL_FLAG;
+ } else {
+ /* gss krb5 v1 */
+
+--
+2.9.3
+
diff --git a/krb5.spec b/krb5.spec
index f9ec0ba..c1c0b82 100644
--- a/krb5.spec
+++ b/krb5.spec
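Review bot: The new comment in the accept_sec_context.c hunk covers only the mutual flag; it does not say that GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG are still assumed, nor that GSS_C_MUTUAL_FLAG in this branch is now decided by the client's ap_options. An acceptor that depends on mutual authentication therefore has to inspect the returned context flags instead of assuming the bit is set, and the comment is the natural place to record that, for example `/* Replay and sequence are assumed; mutual follows the client's ap_options, so callers needing it must check ret_flags. */`. kg_accept_krb5 begins and ends outside the hunk, so how gss_flags is used afterwards (presumably to decide whether an AP-REP is returned) cannot be confirmed from these lines.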
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -68,6 +68,7 @@ Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
 Patch167: krb5-1.15-otp-preauth-prompt-type.patch
 Patch168: krb5-1.15-improve-bad-password-inference.patch
 Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
+Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -281,6 +282,7 @@ ln NOTICE LICENSE
 %patch167 -p1 -b .otp-preauth-prompt-type
 %patch168 -p1 -b .improve-bad-password-inference
 %patch169 -p1 -b .kdc-error-encrypted-timestamp
+%patch170 -p1 -b .samba-client-mutual-flag
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -750,6 +752,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Mon Aug 29 2016 Robbie Harwood - 1.14.3-7
+- Guess Samba client mutual flag using ap_option
+- Resolves: #1370980
+
 * Thu Aug 25 2016 Robbie Harwood - 1.14.3-6
 - Fix KDC return code and set prompt types for OTP client preauth
 - Resolves: #1370072