--- pam-krb5-migrate-0.0.10.orig/pam_krb5_migrate.c +++ pam-krb5-migrate-0.0.10/pam_krb5_migrate.c @@ -290,12 +290,23 @@ } #endif +#ifdef KADM5_INIT_WITH_SKEY_7_ARGS kret = kadm5_init_with_skey(princstr, keytab_name, KADM5_ADMIN_SERVICE, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, &handle); +#else + kret = kadm5_init_with_skey(context, + princstr, keytab_name, + KADM5_ADMIN_SERVICE, + ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_2, + NULL, &handle); +#endif + free(princstr); princstr = NULL; --- pam-krb5-migrate-0.0.10.orig/pam_krb5_migrate.h +++ pam-krb5-migrate-0.0.10/pam_krb5_migrate.h @@ -32,7 +32,11 @@ #include #include #include +#ifdef HAVE_KADM5_KADM_ERR_H +#include +#else #include +#endif #ifndef LINUX --- pam-krb5-migrate-0.0.10.orig/CHANGELOG +++ pam-krb5-migrate-0.0.10/CHANGELOG @@ -1,6 +1,9 @@ Version 0.0.10 15 Sep 2011 - cope with kadm5_free_policy_ent having a different number of arguments in Heimdal. + - cope with kadm5_init_with_skey having a different number of arguments + in MIT Kerberos. + - support kadm_err.h header used by MIT in addition to kadm5_err.h. - allow overriding KRB5CONFIG environment variable, useful when there are multiple Kerberos versions on the system. --- pam-krb5-migrate-0.0.10.orig/configure.ac +++ pam-krb5-migrate-0.0.10/configure.ac @@ -1,7 +1,7 @@ AC_INIT(pam-krb5-migrate, 0.0.10, [jelmer@samba.org]) AC_PROG_CC AC_ARG_VAR(KRB5CONFIG, [Path to krb5-config script]) -AC_PATH_PROGS(KRB5CONFIG, $ac_cv_env_KRB5CONFIG_value, krb5-config krb5-config.heimdal) +AC_PATH_PROGS(KRB5CONFIG, $ac_cv_env_KRB5CONFIG_value krb5-config krb5-config.heimdal) AC_CHECK_LIB(pam, pam_get_item, [], [AC_MSG_ERROR([pam not found])]) save_LIBS="$LIBS" save_CFLAGS="$CFLAGS" 
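Review bot: In pam_krb5_migrate.c the two `kadm5_init_with_skey` branches carry no comment saying which Kerberos implementation each serves, and the `#else` branch is compiled whenever `KADM5_INIT_WITH_SKEY_7_ARGS` is undefined for any reason. I would add `/* Heimdal: 7-argument form */` above the first call and `/* MIT krb5: context first, db_args (NULL) before the handle */` above the second. The second call also depends on `context` being an initialised krb5 context at this point; its declaration is not in the hunk, so that needs confirming. The enclosing function starts and ends outside the hunk, so whether `kret` is checked before `handle` is used cannot be seen here.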
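Review bot: In the first configure.ac hunk, the corrected `AC_PATH_PROGS(KRB5CONFIG, ...)` call has no value-if-not-found and nothing visible checks its result, while the next hunk's context runs `$ac_cv_path_KRB5CONFIG --cflags kadm-client` inside backticks. If no krb5-config is found, that substitution has an empty command name and configure continues with empty flags, so the build fails later in a less obvious place or picks up unintended headers. Adding `test -n "$KRB5CONFIG" || AC_MSG_ERROR([krb5-config not found])` right after the call would stop early. Line 8 of the file lies between the hunks and is not shown, so this may already be handled there.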
@@ -9,12 +9,12 @@ CFLAGS="$CFLAGS `$ac_cv_path_KRB5CONFIG --cflags kadm-client`" AC_CHECK_FUNCS(kadm5_get_policy) PKG_CHECK_MODULES(COM_ERR, com_err) +AC_CHECK_HEADERS(kadm5/kadm_err.h) AC_COMPILE_CHECK([number of arguments to kadm5_free_policy_ent], [ #include #include #include -#include ], [ kadm5_free_policy_ent(NULL); ], [ @@ -22,6 +22,23 @@ AC_DEFINE(KADM5_FREE_POLICY_ENT_1_ARG)], [ AC_MSG_RESULT(2) ] ) + +AC_COMPILE_CHECK([number of arguments to kadm5_init_with_skey], +[ +#include +#include +#include +], +[ +kadm5_init_with_skey(NULL, NULL, NULL, NULL, NULL, NULL, NULL); +], +[ +AC_MSG_RESULT(7) +AC_DEFINE(KADM5_INIT_WITH_SKEY_7_ARGS)], +[ + AC_MSG_RESULT(9) +]) + LIBS="$save_LIBS" AC_CONFIG_FILES([Makefile.settings]) AC_OUTPUT --- pam-krb5-migrate-0.0.10.orig/debian/libpam-krb5-migrate-heimdal.pam-config +++ pam-krb5-migrate-0.0.10/debian/libpam-krb5-migrate-heimdal.pam-config @@ -0,0 +1,8 @@ +Name: Kerberos password synchronization +Default: yes +Priority: 0 +Auth-Type: Additional +Auth-Initial: + optional pam_krb5_migrate.so +Auth-Final: + optional pam_krb5_migrate.so --- pam-krb5-migrate-0.0.10.orig/debian/install +++ pam-krb5-migrate-0.0.10/debian/install @@ -0,0 +1,3 @@ +lib/security/pam_krb5_migrate.so +usr/share/man/man7/pam_krb5_migrate.7 +usr/share/pam-configs/krb5-migrate-heimdal --- pam-krb5-migrate-0.0.10.orig/debian/libpam-krb5-migrate-heimdal.postinst +++ pam-krb5-migrate-0.0.10/debian/libpam-krb5-migrate-heimdal.postinst @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +pam-auth-update --package + +#DEBHELPER# --- pam-krb5-migrate-0.0.10.orig/debian/watch +++ pam-krb5-migrate-0.0.10/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://samba.org/~jelmer/pam_krb5_migrate/pam-krb5-migrate-(.*).tar.gz --- pam-krb5-migrate-0.0.10.orig/debian/README.Debian +++ pam-krb5-migrate-0.0.10/debian/README.Debian 
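Review bot: In the new `kadm5_init_with_skey` probe in configure.ac, `NULL` is passed in the two positions where the C call site passes `KADM5_STRUCT_VERSION` and `KADM5_API_VERSION_2`, which as far as I know are integer parameters in both kadm5 implementations. A compiler that rejects pointer-to-integer conversion fails the 7-argument probe even when that is the right form, and the failure branch then prints 9 without having tested it. Writing the probe as `kadm5_init_with_skey(NULL, NULL, NULL, NULL, 0, 0, NULL);` avoids that. The failure branch would also be safer if it compiled the 9-argument form and called `AC_MSG_ERROR` when neither compiles, so that a missing header does not silently select the wrong call.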
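Review bot: `Default: yes` in debian/libpam-krb5-migrate-heimdal.pam-config means the postinst's `pam-auth-update --package` adds pam_krb5_migrate.so to the auth stack as soon as the package is installed, before the keytab and kadmind ACL described in README.Debian exist. The module receives the password handed down from the earlier module, so an explicit opt-in seems safer: `Default: no`, with the administrator enabling the profile through pam-auth-update once the keytab is in place. The `optional` control does keep a failing module from blocking logins in the meantime.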
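Review bot: debian/watch fetches the upstream tarball over plain `http://` and configures no signature check, so uscan accepts whatever that URL returns. If the host serves HTTPS, the URL should use `https://`. If upstream publishes detached signatures, `opts=pgpsigurlmangle=s/$/.asc/` with the key shipped as debian/upstream/signing-key.asc lets uscan verify the download. Whether upstream signs releases is not visible in this diff. The dots in the pattern could also be escaped, `\.tar\.gz`.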
@@ -0,0 +1,51 @@
+pam-krb5-migrate for Debian
+---------------------------
+This package has been built with support for accessing the Kerberos
+administration over the network.
+
+SETTING UP THE PAM_KRB5_MIGRATE MODULE
+
+If you do not already have a KDC, you will need to set up a Kerberos
+database for your realm. See the Kerberos V5 Installation Guide for
+details.
+
+If you will be updating against a live database from a machine other than
+the KDC, or if you intend to run the migration module on more than one
+machine at a time, you will need to use kadmin (or kadmin.local) to create
+a special Kerberos principal called pam_migrate/, where
+ is the full domain name (FQDN) of the host where you're
+deploying the pam module.
+
+% kadmin
+Authenticating as principal admin/admin@REALM with password.
+kadmin.local: add --use-defaults -r pam_migrate/hostname@REALM
+WARNING: no policy specified for pam_migrate/hostname@REALM; defaulting to no policy
+Principal "pam_migrate/hostname@REALM" created.
+
+Then extract the key for this principal to a keytab for use on the host:
+
+kadmin.local: ext -k /var/kerberos/krb5kdc/hostname.keytab pam_migrate/hostname
+Entry for principal pam_migrate/hostname with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab
+WRFILE:/var/kerberos/krb5kdc/hostname.keytab.
+Entry for principal pam_migrate/hostname with kvno 4, encryption type Triple DES cbc mode raw added to keytab
+WRFILE:/var/kerberos/krb5kdc/hostname.keytab.
+
+
+This principal should *only* have permission to add principals to the
+database and should have no other permissions. To give the principal
+permission to add to the database, add this line to the top of your
+kadmind.acl file:
+
+pam_migrate/hostname@REALM add
+
+You can also give all principals of the form pam_migrate/
+permission to add by using the line
+
+pam_migrate/*@REALM add
+
+You will then need to copy your new keytab (securely!) to the appropriate
+machine and install it as /etc/security/pam_krb5.keytab. Like all
+keytabs, this file should be readable only by root and should be treated
+with the utmost care when transferring it to the destination host.
+*Anyone with access to this keytab will be able to create new Kerberos
+principals in your realm.*
--- pam-krb5-migrate-0.0.10.orig/debian/control
+++ pam-krb5-migrate-0.0.10/debian/control
@@ -0,0 +1,24 @@
+Source: pam-krb5-migrate
+Section: admin
+Priority: optional
+Maintainer: Jelmer Vernooij
+Standards-Version: 3.9.2
+Build-Depends: comerr-dev,
+ debhelper (>= 5.0.2),
+ dh-autoreconf,
+ heimdal-dev (>= 1.0.0) | heimdal-multidev (>= 1.4.0+git20110124.dfsg.1-2),
+ libpam-dev,
+ pkg-config
+Vcs-Bzr: http://people.samba.org/bzr/jelmer/pam_krb5_migrate/unstable
+
+Package: libpam-krb5-migrate-heimdal
+Architecture: any
+Depends: libpam-runtime (>= 1.0.1-6), ${misc:Depends}, ${shlibs:Depends}
+Description: PAM module for migrating to Kerberos
+ A stackable authentication module that takes a username and password from an
+ earlier module in the stack and attempts to transparently add the user to a
+ Kerberos realm using the Kerberos 5 kadmin service. The module can be used to
+ ease the administrative burdens of migrating a large installed userbase from
+ pre-existing authentication methods to a Kerberos-based setup.
+ .
+ This package allows updating the database of a remote Heimdal server.
--- pam-krb5-migrate-0.0.10.orig/debian/compat
+++ pam-krb5-migrate-0.0.10/debian/compat
@@ -0,0 +1 @@
+5
--- pam-krb5-migrate-0.0.10.orig/debian/changelog
+++ pam-krb5-migrate-0.0.10/debian/changelog
@@ -0,0 +1,60 @@
+pam-krb5-migrate (0.0.10-1) unstable; urgency=low
+
+ * New upstream snapshot.
+ + Fixes compatibility with newer versions of Heimdal. LP: #832901
+ * Bump standards version to 3.9.2 (no changes).
+ * Allow building against heimdal-multidev (which allows parallel
+ installation of krb5-multidev) as alternative to heimdal-dev.
+
+ -- Jelmer Vernooij Thu, 15 Sep 2011 18:08:21 +0200
+
+pam-krb5-migrate (0.0.9-1) unstable; urgency=low
+
+ * Change section to admin.
+ * New upstream release.
+ + Includes proper configure file. (Closes: #539203)
+
+ -- Jelmer Vernooij Thu, 30 Jul 2009 12:02:28 +0200
+
+pam-krb5-migrate (0.0.8+bzr39-1) unstable; urgency=low
+
+ * Bump standards version to 3.8.2.
+ * New upstream snapshot.
+ * Install pam-auth-update profile.
+
+ -- Jelmer Vernooij Wed, 29 Jul 2009 19:26:18 +0200
+
+pam-krb5-migrate (0.0.8-2) unstable; urgency=low
+
+ * Use gcc rather than ld for linking. (Closes: #495167)
+
+ -- Jelmer Vernooij Thu, 21 Aug 2008 17:04:17 +0200
+
+pam-krb5-migrate (0.0.8-1) unstable; urgency=low
+
+ * New upstream release.
+ + Fixes compatibility with newer Heimdal versions. (Closes: #445579)
+ * Link with -z defs to force build failure in the future when there are
+ missing symbols.
+ * Allow Debian Maintainer uploads.
+
+ -- Jelmer Vernooij Mon, 10 Dec 2007 20:59:40 +0100
+
+pam-krb5-migrate (0.0.7-1) unstable; urgency=low
+
+ * Include syslog.h. (Closes: #441683)
+ * Fix building twice in a row. (Closes: #424346)
+
+ -- Jelmer Vernooij Thu, 13 Sep 2007 18:29:08 +0200
+
+pam-krb5-migrate (0.0.6-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Jelmer Vernooij Fri, 27 Apr 2007 22:15:01 +0200
+
+pam-krb5-migrate (0.0.5-1) unstable; urgency=low
+
+ * Initial release. (Closes: #413820)
+
+ -- Jelmer Vernooij Sat, 11 Nov 2006 13:58:49 +0100
--- pam-krb5-migrate-0.0.10.orig/debian/libpam-krb5-migrate-heimdal.prerm
+++ pam-krb5-migrate-0.0.10/debian/libpam-krb5-migrate-heimdal.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "remove" ]; then
+ pam-auth-update --package --remove krb5-migrate-heimdal
+fi
+
+#DEBHELPER#
--- pam-krb5-migrate-0.0.10.orig/debian/copyright
+++ pam-krb5-migrate-0.0.10/debian/copyright
@@ -0,0 +1,24 @@
+This package was Debianized by Jelmer Vernooij
+on Sat Nov 11 14:01:19 CET 2006.
+
+The upstream source was downloaded from http://samba.org/~jelmer/pam_krb5_migrate.
+
+Copyright (C) 2000-2001 Steve Langasek
+
+License:
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+ MA 02110-1301, USA.
+
+The GPL-2 is available on Debian systems in /usr/share/common-licenses/GPL-2.
--- pam-krb5-migrate-0.0.10.orig/debian/rules
+++ pam-krb5-migrate-0.0.10/debian/rules
@@ -0,0 +1,55 @@
+#!/usr/bin/make -f
+# Based on debian/rules from libpam-heimdal
+
+DESTDIR=$(CURDIR)/debian/tmp
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ dh_autoreconf
+ KRB5CONFIG=krb5-config.heimdal CFLAGS=-fPIC ./configure --prefix=/usr
+ touch configure-stamp
+
+build: build-stamp
+build-stamp: configure
+ dh_testdir
+ $(MAKE)
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ [ ! -f Makefile.settings ] || $(MAKE) distclean
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ $(MAKE) install DESTDIR=$(DESTDIR)
+ mkdir -p $(DESTDIR)/usr/share/pam-configs
+ install -m 0644 debian/libpam-krb5-migrate-heimdal.pam-config $(DESTDIR)/usr/share/pam-configs/krb5-migrate-heimdal
+ dh_install --list-missing --fail-missing --sourcedir=$(DESTDIR)
+
+
+binary-indep: build install
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs -a README
+ dh_installchangelogs -a CHANGELOG
+ dh_installexamples -a
+ dh_installman -a pam_krb5_migrate.7
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ dh_installdeb -a
+ dh_shlibdeps -a
+ dh_gencontrol -a
+ dh_md5sums -a
+ dh_builddeb -a
+
+binary: binary-indep binary-arch
+.PHONY: configure build clean binary-indep binary-arch binary install
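Review bot: The configure recipe in debian/rules sets `CFLAGS=-fPIC` outright, which drops the distribution's default and hardening flags for a module that is loaded into processes authenticating through PAM. Taking the defaults from dpkg-buildflags keeps them: `CFLAGS="$(shell dpkg-buildflags --get CFLAGS) -fPIC" LDFLAGS="$(shell dpkg-buildflags --get LDFLAGS)"` on the `./configure` line. Whether Makefile.settings forwards CFLAGS and LDFLAGS to the compile and link steps is not visible in this diff, so that should be checked as well.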