From owner-freebsd-bugs@FreeBSD.ORG Wed May 26 13:01:22 2004
Message-Id: <200405261952.i4QJq9FP000570@scatcat.thn.saeab.se>
Date: Wed, 26 May 2004 21:52:09 +0200 (CEST)
From: thn@saeab.se
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: thn@saeab.se
Subject: bin/67231: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf

>Number: 67231
>Category: bin
>Synopsis: [patch] pam_krb5 doesn't honor default flags from /etc/krb5.conf
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 26 13:00:45 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Thomas Nyström
>Release: FreeBSD 5.2.1-RELEASE-p7 i386
>Organization: Sv. Aktuell Elektronik AB
>Environment:
System: FreeBSD home.thn.saeab.se 5.2.1-RELEASE-p7 FreeBSD 5.2.1-RELEASE-p7 #0: Tue May 25 23:00:03 CEST 2004 root@home.thn.saeab.se:/home/obj/src/5/src/sys/THN.HOME i386
>Description:
The pam_krb5 module has no way of saying that the retrieved ticket should be without addresses. That parameter could be set in /etc/krb5.conf, but pam_krb5 doesn't honor the default flags from that file.
>How-To-Repeat:
Login using pam_krb5 and try to get tickets without addresses. The result can be checked with 'klist -v'. A ticket without addresses is needed if the ticket should be used across a firewall.
>Fix:
Changed file:
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.18 2003/05/31 17:19:03 des Exp $");

--- pam.diff begins here ---
--- pam_krb5.c.original	Wed May 26 19:42:17 2004
+++ pam_krb5.c	Wed May 26 20:54:48 2004
@@ -137,11 +137,6 @@ krb5_get_init_creds_opt_init(&opts); - if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); - - PAM_LOG("Credentials initialised"); - krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE); if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) { PAM_VERBOSE_ERROR("Kerberos 5 error"); @@ -183,6 +178,14 @@ } PAM_LOG("Got principal: %s", princ_name); + + krb5_get_init_creds_opt_set_default_flags(pam_context, "login", + princ->realm, &opts); + + if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) + krb5_get_init_creds_opt_set_forwardable(&opts, 1); + + PAM_LOG("Credentials flags initialised"); /* Get password */ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT); --- pam.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
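Review bot: in the first hunk (@@ -137,11 +137,6 @@), dropping the PAM_OPT_FORWARDABLE check and the PAM_LOG from directly after krb5_get_init_creds_opt_init(&opts) means opts holds only the init() defaults until the new block after "Got principal"; please confirm that nothing in the region skipped between this hunk and the one at line 178 (the krb5_cc_register call and what follows it) consults opts, since it would now see the unset flags. The move itself is needed, because the default-flags lookup takes princ->realm, which is not available at the original position.

Review bot: in the second hunk (@@ -183,6 +178,14 @@), the appname handed to krb5_get_init_creds_opt_set_default_flags is hard-coded as "login", so every PAM service that loads this module (sshd, su, xdm, ...) will pick up the [appdefaults] login section of krb5.conf, including a no-addresses setting; either document that in the pam_krb5(8) man page or pass the real service name (pam_get_item(pamh, PAM_SERVICE, ...)) as the appname so ticket policy can be set per service. Calling set_default_flags before the PAM_OPT_FORWARDABLE check is the right order, since the explicit module option then overrides the config default instead of being clobbered by it. Two smaller points: princ->realm reaches into the Heimdal principal structure directly, where krb5_principal_get_realm(pam_context, princ) is the supported accessor, and krb5_get_init_creds_opt_set_default_flags is a Heimdal-only call, which is fine for the base system but worth stating in the commit message.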