File squid-brokenad.patch of Package squid.31747

Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc
@@ -81,7 +81,7 @@ k5_error(const char* msg, krb5_error_cod
  * create Kerberos memory cache
  */
 int
-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
 {
 
     krb5_keytab keytab = 0;
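Review bot: The new `margs` parameter can be const-qualified, because the hunks shown here only read `margs->brokenad` through it: `krb5_create_cache(const struct main_args *margs, char *domain)`, with the same change to the prototype in support.h. That makes it explicit that setting up the credential cache does not modify the helper's option state. The function body continues outside this hunk, so confirm that no other use of `margs` in it needs a mutable pointer.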
@@ -178,8 +178,17 @@ krb5_create_cache(char *domain)
             if (code) {
                 k5_error("Error while unparsing principal name",code);
             } else {
-                debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
-                found = 1;
+		if (margs->brokenad == 1) {
+                    if (strncmp(principal_name,"HTTP/",strlen("HTTP/")) != 0){
+                        debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+                    } else {
+                        debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+                        found = 1;
+                    }
+                } else {
+                    debug((char *) "%s| %s: DEBUG: Found principal  name: %s\n", LogTime(), PROGRAM, principal_name);
+                    found = 1;
+                }
             }
         }
 #if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY )
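Review bot: The default branch (taken when `margs->brokenad` is not set) no longer emits the original debug line byte for byte: the message now reads `Found principal  name:` with two spaces, so anything that matches the old text in helper logs stops matching. Keep the string as it was, `"%s| %s: DEBUG: Found principal name: %s\n"`. The added `if (margs->brokenad == 1) {` line is also indented with a tab, while the surrounding code uses spaces. What happens when -x is set and no keytab entry starts with `HTTP/` is decided after this hunk, and skipped entries are reported only at debug level, so it is worth checking that this case ends in a clear error.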
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
@@ -61,6 +61,7 @@ init_args(struct main_args *margs)
     margs->rc_allow = 0;
     margs->AD = 0;
     margs->mdepth = 5;
+    margs->brokenad = 0;
     margs->ddomain = NULL;
     margs->groups = NULL;
     margs->ndoms = NULL;
@@ -179,7 +180,7 @@ main(int argc, char *const argv[])
 
     init_args(&margs);
 
-    while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+    while (-1 != (opt = getopt(argc, argv, "diasxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
         switch (opt) {
         case 'd':
             debug_enabled = 1;
@@ -231,6 +232,9 @@ main(int argc, char *const argv[])
         case 'S':
             margs.llist = xstrdup(optarg);
             break;
+        case 'x':
+            margs.brokenad = 1;
+            break;
         case 'h':
             fprintf(stderr, "Usage: \n");
             fprintf(stderr, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
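Review bot: The usage synopsis printed for -h still omits the new option: the `squid_kerb_ldap [-d] [-i] ...` line is unchanged context here, although `x` was added to the getopt string and a `-x` description is added in the next hunk. Add `[-x]` to the synopsis, for example after `[-s]`, so that the summary and the option list agree. The switch statement continues outside this hunk.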
@@ -247,6 +251,7 @@ main(int argc, char *const argv[])
             fprintf(stderr, "-l ldap url\n");
             fprintf(stderr, "-b ldap bind path\n");
             fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+            fprintf(stderr, "-x force use of HTTP/ principal on MS AD 2008\n");
             fprintf(stderr, "-a allow SSL without cert verification\n");
             fprintf(stderr, "-m maximal depth for recursive searches\n");
             fprintf(stderr, "-h help\n");
Index: helpers/external_acl/kerberos_ldap_group/support.h
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support.h.orig
+++ helpers/external_acl/kerberos_ldap_group/support.h
@@ -105,6 +105,7 @@ struct main_args {
     int rc_allow;
     int AD;
     int mdepth;
+    int brokenad;
     char *ddomain;
     struct gdstruct *groups;
     struct ndstruct *ndoms;
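Review bot: The new field has no comment, and the name `brokenad` does not say what it controls. A short comment would help the next reader, e.g. `int brokenad; /* -x: use only keytab principals that start with "HTTP/" */`.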
@@ -164,7 +165,7 @@ int create_nd(struct main_args *margs);
 int create_ls(struct main_args *margs);
 
 #ifdef HAVE_KRB5
-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
 void krb5_cleanup(void);
 #endif
 
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
@@ -898,7 +898,7 @@ get_memberof(struct main_args *margs, ch
         debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
 
 #if HAVE_KRB5
-        kc = krb5_create_cache(domain);
+        kc = krb5_create_cache(margs,domain);
         if (kc) {
             error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
         }