From: Markus Moeller <huaraz@moeller.plus.com>
Date: Wed, 29 Oct 2014 04:26:36 +0000 (-0700)
Subject: negotiate_kerberos_auth: output group= kv-pair
X-Git-Tag: merge-candidate-3-v1~527
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2eb6054faf2503474cb500cdc4cb87aed073744b;p=thirdparty%2Fsquid.git

negotiate_kerberos_auth: output group= kv-pair

Output group= if negotiate_kerberos_auth can retrieve AD groups from
Kerberos ticket for further processing by squid to external helpers.
---

diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
index ad4ca0ac34..f3ae4e25a2 100644
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
@@ -106,7 +106,7 @@ extern "C" {
 #define MAX_AUTHTOKEN_LEN   65535
 #endif
 #ifndef SQUID_KERB_AUTH_VERSION
-#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
+#define SQUID_KERB_AUTH_VERSION "3.1.0sq"
 #endif
 
 char *gethost_name(void);
diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
index 1944e4e3cb..f92a6b9cef 100644
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
@@ -432,12 +432,16 @@ main(int argc, char *const argv[])
                 debug((char *) "%s| %s: DEBUG: Groups %s\n", LogTime(), PROGRAM, ag);
             }
 #endif
-            fprintf(stdout, "AF %s %s\n", token, user);
             rfc_user = rfc1738_escape(user);
+#if HAVE_PAC_SUPPORT
+            fprintf(stdout, "AF %s %s %s\n", token, rfc_user, ag?ag:"group=");
+#else
+            fprintf(stdout, "AF %s %s\n", token, rfc_user);
+#endif
             debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
-                        PROGRAM, rfc1738_escape(user));
+                        PROGRAM, rfc_user);
             goto cleanup;
         } else {
             if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
@@ -468,12 +472,16 @@ main(int argc, char *const argv[])
             if (norealm && (p = strchr(user, '@')) != NULL) {
                 *p = '\0';
             }
-            fprintf(stdout, "AF %s %s\n", "AA==", user);
-            debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc1738_escape(user));
+            rfc_user = rfc1738_escape(user);
+#if HAVE_PAC_SUPPORT
+            fprintf(stdout, "AF %s %s %s\n", "AA==", rfc_user, ag?ag:"group=");
+#else
+            fprintf(stdout, "AF %s %s\n", "AA==", rfc_user);
+#endif
+	    debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, "AA==", rfc_user);
             if (log)
                 fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
-                        PROGRAM, rfc1738_escape(user));
-
+                        PROGRAM, rfc_user);
         }
 cleanup:
         gss_release_buffer(&minor_status, &input_token);
diff --git a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
index 31f22114a6..d88549fb1d 100644
--- a/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
+++ b/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
@@ -62,7 +62,7 @@ check_k5_err(krb5_context context, const char *function, krb5_error_code code)
 #elif HAVE_KRB5_FREE_ERROR_STRING
         krb5_free_error_string(context, (char *)errmsg);
 #else
-	xfree(errmsg);
+        xfree(errmsg);
 #endif
     }
     return code;