detect support for gssapi. Some heimdal compatibility has been added.
Thanks to Bjorn Fernhomberg for the integration and heimdal work.
-dnl $Id: configure.in,v 1.190 2003-06-12 23:15:06 srittau Exp $
+dnl $Id: configure.in,v 1.191 2003-09-03 18:27:13 samnoble Exp $
dnl configure.in for netatalk
AC_INIT(etc/afpd/main.c)
dnl Check for optional server location protocol support (used by MacOS X)
NETATALK_SRVLOC
+dnl Check for gssapi
+NETATALK_GSSAPI_CHECK
+
dnl Check for PAM libs
AC_PATH_PAM([
use_pam_so=yes
# conditionally build some modules
#
+if USE_GSSAPI
+UAMS_GENERIC = uams_guest.la uams_passwd.la uams_gss.la
+else
UAMS_GENERIC = uams_guest.la uams_passwd.la
+endif
if USE_DHX
UAMS_DHX_GENERIC = uams_randnum.la uams_pgp.la uams_dhx_passwd.la
uams_pgp_la_SOURCES = uams_pgp.c
uams_dhx_passwd_la_SOURCES = uams_dhx_passwd.c crypt.c crypt.h
uams_dhx_pam_la_SOURCES = uams_dhx_pam.c crypt.c crypt.h
+uams_gss_la_SOURCES = uams_gss.c
#
# flags
uams_pgp_la_CFLAGS = @CFLAGS@ $(CRYPT_CFLAGS)
uams_dhx_passwd_la_CFLAGS = @CFLAGS@ @SSL_CFLAGS@
uams_dhx_pam_la_CFLAGS = @CFLAGS@ @SSL_CFLAGS@
+uams_gss_la_CFLAGS = @CFLAGS@ @GSSAPI_CFLAGS@
uams_guest_la_LDFLAGS = -module -avoid-version
uams_randnum_la_LDFLAGS = -module -avoid-version $(CRYPT_LIBS)
uams_pgp_la_LDFLAGS = -module -avoid-version $(CRYPT_LIBS)
uams_dhx_passwd_la_LDFLAGS = -module -avoid-version @SSL_LIBS@
uams_dhx_pam_la_LDFLAGS = -module -avoid-version @SSL_LIBS@ -lpam
+uams_gss_la_LDFLAGS = -module -avoid-version @GSSAPI_LIBS@
#
# module compilation
/*
- * $Id: uams_gss.c,v 1.1 2003-08-22 17:12:45 samnoble Exp $
+ * $Id: uams_gss.c,v 1.2 2003-09-03 18:27:14 samnoble Exp $
*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
#endif /* STDC_HEADERS */
#include <atalk/logger.h>
-
-// #include <security/pam_appl.h>
-
#include <atalk/afp.h>
#include <atalk/uam.h>
+#include <errno.h>
+
+#if HAVE_GSSAPI_H
+#include <gssapi.h>
+#endif /* HAVE_GSSAPI_H */
+
+#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
+#endif /* HAVE_GSSAPI_GSSAPI_H */
+
+#if HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
+#endif /* HAVE_GSSAPI_GSSAPI_GENERIC_H */
+
+#if HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
+#endif /* HAVE_GSSAPI_GSSAPI_KRB5_H */
+
+#if HAVE_COM_ERR_H
+#include <com_err.h>
+#endif /* HAVE_COM_ERR_H */
+
+/* This is a Heimdal/MIT compatibiility fix */
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif
+
+#define MIN(a, b) ((a > b) ? b : a)
/* The following routine is derived from code found in some GSS
* documentation from SUN.
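Review bot: The `#ifndef GSS_C_NT_HOSTBASED_SERVICE` guard only works where the headers provide that name as a preprocessor macro; if an implementation declares it as a variable instead, the test is always true and the name is redefined to `gss_nt_service_name`, which that implementation may not provide. The gssapi-check.m4 added in this same commit defines `HAVE_GSS_C_NT_HOSTBASED_SERVICE` from a header grep, but nothing visible here uses it; the guard would then read `#ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE`. Separately, `MIN` should parenthesize its arguments, `#define MIN(a, b) (((a) > (b)) ? (b) : (a))`, so that an expression argument cannot change the comparison.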
if (flags & GSS_C_INTEG_FLAG)
LOG(log_debug, logtype_uams, "uams_gss.c :context flag: GSS_C_INTEG_FLAG" );
}
-/* We work around something I don't entirely understand... */
-#if !defined (GSS_C_NT_HOSTBASED_SERVICE)
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#endif
-#define MIN(a, b) ((a > b) ? b : a)
/* return 0 on success */
static int do_gss_auth( char *service, char *ibuf, int ticket_len,
char *rbuf, int *rbuflen, char *username, int ulen )
ticket_buffer.value = ibuf;
authenticator_buff.length = 0;
authenticator_buff.value = NULL;
- LOG(log_debug, logtype_uams, "uams_gss.c :do_gss_auth: accepting context" );
+ LOG(log_debug, logtype_uams,
+ "uams_gss.c :do_gss_auth: accepting context (ticketlen: %u, value: %X)",
+ ticket_buffer.length, ticket_buffer.value );
major_status = gss_accept_sec_context( &minor_status, &context_handle,
server_creds, &ticket_buffer, GSS_C_NO_CHANNEL_BINDINGS,
&client_name, NULL, &authenticator_buff,
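Review bot: The new debug LOG passes `ticket_buffer.length` to `%u` and `ticket_buffer.value` to `%X`, but in a gss_buffer_desc those are a `size_t` and a `void *`, so on LP64 targets the varargs do not match the conversions and the call is undefined behaviour, assuming LOG forwards to a printf-style formatter. Cast the length and print the pointer with `%p`: `"... (ticketlen: %lu, value: %p)", (unsigned long)ticket_buffer.length, ticket_buffer.value`. Since the length comes from the client's ticket, a correct value in the log is also what an operator needs when triaging a malformed login. The body of do_gss_auth continues outside the hunk.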
/* Clean up after ourselves */
gss_release_name( &minor_status, &client_name );
- gss_release_buffer( &minor_status, &authenticator_buff );
+
+ if (authenticator_buff.value)
+ gss_release_buffer( &minor_status, &authenticator_buff );
+
gss_delete_sec_context( &minor_status,
&context_handle, NULL );
} else {
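Review bot: The added `if (authenticator_buff.value)` guard around gss_release_buffer() carries no comment saying why it is needed. RFC 2744 allows releasing a buffer that has no storage attached, so this is presumably a workaround for one particular library; a one-line comment naming the implementation that required it would stop a later cleanup from removing it. The single-statement `if` would also be safer with braces. The cleanup sequence starts outside the hunk.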
{
if (uam_register(UAM_SERVER_LOGIN_EXT, path, "Client Krb v2",
gss_login, gss_logincont, gss_logout, gss_login_ext) < 0)
- return -1;
+ if (uam_register( UAM_SERVER_LOGIN, path, "Client Krb v2",
+ gss_login, gss_logincont, gss_logout ) < 0)
+ return -1;
- return 0;
+ return 0;
}
static void uam_cleanup(void)
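Review bot: The two `uam_register` calls are now nested as unbraced `if` statements, so `UAM_SERVER_LOGIN` is registered only when the `UAM_SERVER_LOGIN_EXT` registration fails, and the only way to tell that this fallback is intended is to read the indentation. If a fallback is the intent, brace both levels and add a comment such as `/* extended login not accepted: fall back to the plain login entry points */`. If both entry points were meant to be registered, the second call must not sit inside the first `if`. Logging which variant was registered would also help when diagnosing why Kerberos logins are refused. The enclosing function begins outside the hunk.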
--- /dev/null
+dnl $Id: gssapi-check.m4,v 1.1 2003-09-03 18:27:14 samnoble Exp $
+dnl Autoconf macro to check for kerberos/gssapi support
+dnl based on samba3 configure.in
+dnl modified for netatalk use by bfernhomberg
+
+AC_DEFUN([NETATALK_GSSAPI_CHECK],
+[
+ FOUND_GSSAPI=no
+ GSSAPI_LIBS=""
+ GSSAPI_CFLAGS=""
+
+ AC_ARG_WITH(gssapi,
+ [ --with-gssapi[=DIR] compile Kerberos V UAM],
+ [compilegssapi=$withval],
+ [compilegssapi=no]
+ )
+
+ if test x"$compilegssapi" != x"no"; then
+
+ if test "x$compilegssapi" != "xyes"; then
+ GSSAPI_CFLAGS="-I$withval/include"
+ GSSAPI_CPPFLAGS="-I$withval/include"
+ GSSAPI_LDFLAGS="-L$withval/lib"
+ FOUND_GSSAPI=yes
+ AC_MSG_CHECKING([checking for GSSAPI support in])
+ AC_MSG_RESULT([$compilegssapi])
+ fi
+
+
+ # Do no harm to the values of CFLAGS and LIBS while testing for
+ # Kerberos support.
+
+ ac_save_CFLAGS=$CFLAGS
+ ac_save_CPPFLAGS=$CPPFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ ac_save_LIBS=$LIBS
+
+ if test x$FOUND_GSSAPI = x"no"; then
+ #################################################
+ # check for krb5-config from recent MIT and Heimdal kerberos 5
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for working krb5-config)
+ if test -x "$KRB5_CONFIG"; then
+ ac_save_CFLAGS=$CFLAGS
+ CFLAGS="";export CFLAGS
+ ac_save_LDFLAGS=$LDFLAGS
+ LDFLAGS="";export LDFLAGS
+ GSSAPI_LIBS="`$KRB5_CONFIG --libs gssapi`"
+ GSSAPI_CFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ GSSAPI_CPPFLAGS="`$KRB5_CONFIG --cflags | sed s/@INCLUDE_des@//`"
+ CFLAGS=$ac_save_CFLAGS;export CFLAGS
+ LDFLAGS=$ac_save_LDFLAGS;export LDFLAGS
+ FOUND_GSSAPI=yes
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no. Fallback to previous krb5 detection strategy)
+ fi
+ fi
+
+ if test x$FOUND_GSSAPI = x"no"; then
+ #################################################
+ # see if this box has the SuSE location for the heimdal krb implementation
+ AC_MSG_CHECKING(for /usr/include/heimdal)
+ if test -d /usr/include/heimdal; then
+ if test -f /usr/lib/heimdal/lib/libkrb5.a; then
+ GSSAPI_CFLAGS="-I/usr/include/heimdal"
+ GSSAPI_CPPFLAGS="-I/usr/include/heimdal"
+ GSSAPI_LDFLAGS="-L/usr/lib/heimdal/lib"
+ AC_MSG_RESULT(yes)
+ FOUND_GSSAPI=yes
+ else
+ GSSAPI_CFLAGS="-I/usr/include/heimdal"
+ GSSAPI_CPPFLAGS="-I/usr/include/heimdal"
+ AC_MSG_RESULT(yes)
+ FOUND_GSSAPI=yes
+ fi
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
+ if test x$FOUND_GSSAPI = x"no"; then
+ #################################################
+ # see if this box has the RedHat location for kerberos
+ AC_MSG_CHECKING(for /usr/kerberos)
+ if test -d /usr/kerberos -a -f /usr/kerberos/lib/libkrb5.a; then
+ GSSAPI_LDFLAGS="-L/usr/kerberos/lib"
+ GSSAPI_CFLAGS="-I/usr/kerberos/include"
+ GSSAPI_CPPFLAGS="-I/usr/kerberos/include"
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ fi
+
+ CFLAGS="$CFLAGS $GSSAPI_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $GSSAPI_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $GSSAPI_LDFLAGS"
+ LIBS="$GSSAPI_LIBS"
+
+
+ # check for gssapi headers
+
+ gss_headers_found=no
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h gssapi/gssapi_krb5.h,[gss_headers_found=yes],[],[])
+ if test x"$gss_headers_found" = x"no"; then
+ AC_MSG_ERROR([GSSAPI installation not found, headers missing])
+ fi
+
+ # check for libs
+
+ AC_CHECK_LIB(gssapi, gss_display_status)
+ AC_CHECK_LIB(gssapi_krb5, gss_display_status)
+
+ # check for functions
+
+ AC_CHECK_FUNC(gss_acquire_cred,[],[AC_MSG_ERROR([GSSAPI: required function gss_acquire_cred missing])])
+
+ # Heimdal/MIT compatibility fix
+ if test "$ac_cv_header_gssapi_h" = "yes"; then
+ AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,1,[Wheter GSS_C_NT_HOSTBASED_SERVICE is in gssapi.h]))
+ else
+ AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi/gssapi.h, AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,1,[Wheter GSS_C_NT_HOSTBASED_SERVICE is in gssapi.h]))
+ fi
+
+
+ AC_MSG_CHECKING(whether GSSAPI support is used)
+ if test x"$ac_cv_lib_gssapi_gss_display_status" = x"yes" || test x"$ac_cv_lib_gssapi_krb5_gss_display_status" = x"yes"; then
+ AC_DEFINE(HAVE_GSSAPI,1,[Whether to enable GSSAPI support])
+ AC_MSG_RESULT([yes])
+ GSSAPI_LIBS="$LIBS $LDLAGS"
+ else
+ AC_MSG_RESULT([no])
+ AC_MSG_ERROR([GSSAPI installation not found])
+ GSSAPI_LIBS=""
+ fi
+
+ LIBS="$ac_save_LIBS"
+ CFLAGS="$ac_save_CFLAGS"
+ LDFLAGS="$ac_save_LDFLAGS"
+ CPPFLAGS="$ac_save_CPPFLAGS"
+ fi
+
+ AM_CONDITIONAL(USE_GSSAPI, test x"$ac_cv_lib_gssapi_gss_display_status" = x"yes")
+ AC_SUBST(GSSAPI_LIBS)
+ AC_SUBST(GSSAPI_CFLAGS)
+
+])
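Review bot: `GSSAPI_LIBS="$LIBS $LDLAGS"` in the success branch misspells the variable, so it expands to nothing and the `-L` path gathered in `GSSAPI_LDFLAGS` (from `--with-gssapi=DIR`, or from the heimdal and /usr/kerberos probes) never reaches `@GSSAPI_LIBS@`; presumably `GSSAPI_LIBS="$LIBS $LDFLAGS"` was meant. The closing `AM_CONDITIONAL(USE_GSSAPI, ...)` tests only `ac_cv_lib_gssapi_gss_display_status`, while `HAVE_GSSAPI` is defined when either that or `ac_cv_lib_gssapi_krb5_gss_display_status` is yes. A host that has only libgssapi_krb5 therefore reports GSSAPI as used but still gets the `UAMS_GENERIC` list without `uams_gss.la`. The conditional should repeat the same `||` test, so that a build requested with Kerberos cannot silently ship without that UAM.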