Redo Kerberos cached credentials so they work.
authormike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Wed, 1 Aug 2007 19:02:47 +0000 (19:02 +0000)
committermike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Wed, 1 Aug 2007 19:02:47 +0000 (19:02 +0000)
scheduler/ipp.c:
    - save_krb5_creds(): Use global KerberosContext, pass full path when
      using krb5_cc_resolve(), and add support for new krb5_cc_new_unique()
      API, when available.

scheduler/job.c:
    - free_job(): Use krb5_cc_destroy() to unlink the cache file.

scheduler/job.h:
    - Add ccache to job structure.

scheduler/cupsd.h:
    - Add server-wide Kerberos context.

scheduler/main.c:
    - main(): Initialize and free Kerberos context.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@6755 7a7537e8-13f0-0310-91df-b6672ffda945

CHANGES.txt
config-scripts/cups-gssapi.m4
config.h.in
scheduler/cupsd.h
scheduler/ipp.c
scheduler/job.c
scheduler/job.h
scheduler/main.c

index 592fc4233075346fb9e5485c7c60243f507a2819..49c6ce59f6a39cbe725c17b3990db4091cde0af2 100644 (file)
@@ -4,6 +4,8 @@ CHANGES.txt - 2007-08-01
 
 CHANGES IN CUPS V1.3.0
 
+       - Fixed generation of Kerberos credentials for remote
+         printing.
        - Added Portuguese and updated Italian message catalogs.
 
 
index 2fed2e2e70f1a3159b05699acc3749bf6f5c1b03..9d50a3cbfe5a5e36b197853e865fbb2e0ffb93cd 100644 (file)
@@ -60,7 +60,7 @@ if test x$enable_gssapi != xno; then
 
                AC_CHECK_FUNC(gsskrb5_register_acceptor_identity, 
                              AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY))
-               AC_CHECK_FUNC(krb5_cc_resolve, AC_DEFINE(HAVE_KRB5_CC_RESOLVE))
+               AC_CHECK_FUNC(krb5_cc_new_unique, AC_DEFINE(HAVE_KRB5_CC_NEW_UNIQUE))
 
                AC_MSG_CHECKING(for GSS_C_NT_HOSTBASED_SERVICE)
                if test $ac_cv_header_gssapi_gssapi_h = yes; then
index 4cb260138551fec14d91e5a2af4d09d1a2bd318a..dbda149b5f522eda4a2911ae67d236a1389dfeb6 100644 (file)
 #undef HAVE_GSSAPI_GSSAPI_KRB5_H
 #undef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY
 #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
-#undef HAVE_KRB5_CC_RESOLVE
+#undef HAVE_KRB5_CC_NEW_UNIQUE
 #undef HAVE_KRB5_H
 #undef HAVE_HEIMDAL
 
index 8253f8653dca0f93662fb0ee1ce3594544e34065..4c43db75eff1a9c9f95adf6cf871e5e7ef9a47bc 100644 (file)
@@ -158,6 +158,11 @@ VAR time_t         ReloadTime      VALUE(0);
                                        /* Time of reload request... */
 VAR int                        NeedReload      VALUE(RELOAD_ALL);
                                        /* Need to load configuration? */
+
+#ifdef HAVE_GSSAPI
+VAR krb5_context       KerberosContext;/* Kerberos context for credentials */
+#endif /* HAVE_GSSAPI */
+
 #ifdef HAVE_LAUNCH_H
 VAR int                        Launchd         VALUE(0);
                                        /* Running from launchd */
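Review bot: `KerberosContext` is declared under `#ifdef HAVE_GSSAPI` alone, but the `krb5_context` type comes from krb5.h, which config.h.in tracks separately as `HAVE_KRB5_H`, and save_krb5_creds() in ipp.c is compiled under `HAVE_GSSAPI && HAVE_KRB5_H`. On a build with GSSAPI but without krb5.h this declaration, the `krb5_ccache ccache` member added in job.h, and the krb5 calls added in job.c and main.c would presumably not compile; which headers cupsd.h pulls in is not visible here. Using `#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5_H)` in all four places would match ipp.c. The declaration also carries no `VALUE(NULL)` unlike its neighbours, and its comment could say that the context is created once in main() and shared by every job.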
index f7c473dac05f21346003f3df8c9ebeabc052d13b..7e7634b06505fb5b1ffc3b987b014a5aa9699ad1 100644 (file)
@@ -8255,72 +8255,56 @@ static void
 save_krb5_creds(cupsd_client_t *con,   /* I - Client connection */
                 cupsd_job_t    *job)   /* I - Job */
 {
-  krb5_context krb_context;            /* Kerberos context */
-  krb5_ccache  ccache;                 /* Credentials cache */
+#  ifndef HAVE_KRB5_CC_NEW_UNIQUE
+  char         cachename[1024];        /* Name of resolved cache */
+#  endif /* !HAVE_KRB5_CC_NEW_UNIQUE */
   OM_uint32    major_status,           /* Major status code */
                minor_status;           /* Minor status code */
 
 
 #  ifdef __APPLE__
-   /*
-    * If the weak-linked GSSAPI/Kerberos library is not present, don't try
-    * to use it...
-    */
-
-    if (krb5_init_context == NULL)
-    {
-      cupsdLogMessage(CUPSD_LOG_DEBUG,
-                     "save_krb5_creds: GSSAPI/Kerberos framework is not "
-                     "present");
-      return;
-    }
-#  endif /* __APPLE__ */
-
  /*
-  * Setup a cached context for the job filters to use...
+  * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+  * to use it...
   */
 
-  if (krb5_init_context(&krb_context))
-  {
-    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos context");
+  if (krb5_init_context == NULL)
     return;
-  }
+#  endif /* __APPLE__ */
 
  /*
   * We MUST create a file-based cache because memory-based caches are
   * only valid for the current process/address space.
   */
 
-#  ifdef HAVE_KRB5_CC_RESOLVE
-  if (krb5_cc_resolve(krb_context, "FILE:", &ccache))
-#  elif defined(HAVE_HEIMDAL)
-  if (krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))
+#  ifdef HAVE_KRB5_CC_NEW_UNIQUE
+  if (krb5_cc_new_unique(KerberosContext, "FILE", NULL, &(job->ccache)))
 #  else
-  if (krb5_cc_gen_new(krb_context, &ccache))
-#  endif /* HAVE_HEIMDAL */
+  snprintf(cachename, sizeof(cachename), "FILE:%s/k%05d", RequestRoot, job->id);
+
+  if (krb5_cc_resolve(KerberosContext, cachename, &(job->ccache)))
+#  endif /* HAVE_KRB5_CC_NEW_UNIQUE */
   {
     cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create new credentials");
     return;
   }
 
   major_status = gss_krb5_copy_ccache(&minor_status, con->gss_delegated_cred,
-                                     ccache);
+                                     job->ccache);
 
   if (GSS_ERROR(major_status))
   {
     cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status,
                        "Unable to import client credentials cache");
-    krb5_cc_destroy(krb_context, ccache);
+    krb5_cc_destroy(KerberosContext, job->ccache);
     return;
   }
 
-  cupsdSetStringf(&(job->ccname), "KRB5CCNAME=FILE:%s",
-                  krb5_cc_get_name(krb_context, ccache));
+  cupsdSetStringf(&(job->ccname), "KRB5CCNAME=%s",
+                  krb5_cc_get_name(KerberosContext, job->ccache));
 
   cupsdLogMessage(CUPSD_LOG_DEBUG2, "[Job %d] save_krb5_creds: %s", job->id,
                   job->ccname);
-
-  krb5_cc_close(krb_context, ccache);
 }
 #endif /* HAVE_GSSAPI && HAVE_KRB5_H */
 
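Review bot: save_krb5_creds() now hands the global `KerberosContext` to `krb5_cc_new_unique()` / `krb5_cc_resolve()` without checking that it was ever set up; the main.c hunk only logs when `krb5_init_context()` fails and keeps running, and the per-call init removed here was the only failure check on this path. A guard at the top such as `if (!KerberosContext) return;`, with main.c leaving the global NULL on failure, would stop a failed startup init from becoming a bad-context call for every job that arrives with delegated credentials; the unconditional `krb5_free_context(KerberosContext)` in the shutdown hunk has the same dependency. On the `gss_krb5_copy_ccache()` error path the cache is destroyed but `job->ccache` keeps the stale handle, so `job->ccache = NULL;` after the destroy would be safer. In the fallback branch the cache name is derived from the job id and the `snprintf()` result is not checked for truncation, so that branch relies on `RequestRoot` being short and not writable by other users, which is worth stating in the comment above it.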
index 1643f7a8cb6a6d0c514837535425cfba7a723914..0dbbd9aca079809ab8cd3ed47a47c99b46e31d8e 100644 (file)
@@ -1793,15 +1793,10 @@ free_job(cupsd_job_t *job)              /* I - Job */
   if (job->ccname)
   {
    /*
-    * First erase the credential cache file, then clear the string referencing
-    * it.  We know the filename since the string will be of the form
-    * "KRB5CCNAME=FILE:/foo/bar"...
+    * Destroy the credential cache and clear the KRB5CCNAME env var string.
     */
 
-    if (cupsdRemoveFile(job->ccname + 16) && errno != ENOENT)
-      cupsdLogMessage(CUPSD_LOG_ERROR,
-                      "[Job %d] Unable to remove Kerberos credential cache: %s",
-                     job->id, strerror(errno));
+    krb5_cc_destroy(KerberosContext, job->ccache);
 
     cupsdClearString(&job->ccname);
   }
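Review bot: The return value of `krb5_cc_destroy()` is dropped, so a cache file holding a client's delegated credentials can be left on disk with nothing in the log, whereas the removed `cupsdRemoveFile()` call reported failures. I would test the result and log it at `CUPSD_LOG_ERROR` with the job id, as the old code did, and follow it with `job->ccache = NULL;` so the handle cannot be reused after the job is freed. free_job() starts and ends outside this hunk, so whether any other path clears `job->ccname` without destroying the cache cannot be checked from here.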
index 749bdde9f8f79bcce860e6330893df9a975f6baf..6585d5d841b67d9e9beb1decf827457fa2a41825 100644 (file)
@@ -57,6 +57,7 @@ typedef struct cupsd_job_s
                        *auth_domain,   /* AUTH_DOMAIN environment variable, if any */
                        *auth_password; /* AUTH_PASSWORD environment variable, if any */
 #ifdef HAVE_GSSAPI
+  krb5_ccache          ccache;         /* Kerberos credential cache */
   char                 *ccname;        /* KRB5CCNAME environment variable */
 #endif /* HAVE_GSSAPI */
 } cupsd_job_t;
index a3543c8529507b283a0f9e990ba52afe707f17a4..32500517b106d9c22316b8fec482d1482499a971 100644 (file)
@@ -462,6 +462,24 @@ main(int  argc,                            /* I - Number of command-line args */
     PSQUpdateQuotaProc = dlsym(PSQLibRef, PSQLibFuncName);
 #endif /* __APPLE__ && HAVE_DLFCN_H */
 
+#ifdef HAVE_GSSAPI
+#  ifdef __APPLE__
+ /*
+  * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+  * to use it...
+  */
+
+  if (krb5_init_context != NULL)
+#  endif /* __APPLE__ */
+
+ /*
+  * Setup a Kerberos context for the scheduler to use...
+  */
+
+  if (krb5_init_context(&KerberosContext))
+    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos context");
+#endif /* HAVE_GSSAPI */
+
  /*
   * Startup the server...
   */
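Review bot: The Apple weak-link test `if (krb5_init_context != NULL)` is an unbraced `if` whose body is the following `if (krb5_init_context(&KerberosContext))`, with an `#endif` and a comment block between the two, so the nesting is easy to misread and a statement inserted between them would silently become the guarded body. The shutdown hunk uses the same shape around `krb5_free_context()`. Opening a braced block directly after the `#  endif /* __APPLE__ */` line and closing it after the guarded call would keep the behaviour and make the scope explicit on both platforms. main() continues outside this hunk.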
@@ -971,6 +989,23 @@ main(int  argc,                            /* I - Number of command-line args */
   cupsdStopSystemMonitor();
 #endif /* __APPLE__ */
 
+#ifdef HAVE_GSSAPI
+#  ifdef __APPLE__
+ /*
+  * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+  * to use it...
+  */
+
+  if (krb5_init_context != NULL)
+#  endif /* __APPLE__ */
+
+ /*
+  * Free the scheduler's Kerberos context...
+  */
+
+  krb5_free_context(KerberosContext);
+#endif /* HAVE_GSSAPI */
+
 #ifdef HAVE_LAUNCHD
  /*
   * Update the launchd KeepAlive file as needed...