aklog: work around lion kerberos disaster
authorDerrick Brashear <shadow@dementix.org>
Thu, 25 Aug 2011 00:40:38 +0000 (20:40 -0400)
committerDerrick Brashear <shadow@dementix.org>
Mon, 29 Aug 2011 21:09:27 +0000 (14:09 -0700)
fine, so, instead of needing weak crypto enabled, use krb5 config
paths trick and ship a config to deal.

Change-Id: I6e9635dfe1fe6d4633486acf1e9cc35a96f33cd6
Reviewed-on: http://gerrit.openafs.org/5310
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Derrick Brashear <shadow@dementix.org>
Reviewed-by: Derrick Brashear <shadow@dementix.org>

src/aklog/aklog.c
src/packaging/MacOS/buildpkg.sh.in
src/packaging/MacOS/krb5-weak.conf [new file with mode: 0644]

index 2a744d2..247bff0 100644 (file)
@@ -313,10 +313,6 @@ redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap)
            krb5_svc_get_msg(code,&str);
 #elif defined(HAVE_ERROR_MESSAGE)
            str = error_message(code);
-#elif defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
-           /* Lion gives us nothing to hook here and no weak crypto switch */
-           if (code == KRB5_PROG_ETYPE_NOSUPP)
-               str = "encryption type not supported; \"allow_weak_crypto = true\" needed in Kerberos configuration";
 #else
            ; /* IRIX apparently has neither: use the string we have */
 #endif
@@ -1476,7 +1472,34 @@ main(int argc, char *argv[])
     else
        progname = argv[0];
 
-    krb5_init_context(&context);
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+    {
+       char *filepath = NULL, *newpath = NULL;
+       filepath = getenv("KRB5_CONFIG");
+        if (!filepath) {
+           int slen;
+#ifndef AFS_DARWIN_ENV
+           slen = strlen(filepath)+strlen(":/etc/krb5.conf")+1;
+           newpath = malloc(slen);
+           snprintf(newpath, slen, "%s:/etc/krb5.conf", filepath);
+#else
+           slen = strlen("~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:")+strlen(AFSDIR_CLIENT_ETC_DIRPATH)+strlen("/krb5-weak.conf")+1;
+           newpath = malloc(slen);
+           snprintf(newpath, slen, "~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:%s/krb5-weak.conf", AFSDIR_CLIENT_ETC_DIRPATH);
+#endif
+       }
+       setenv("KRB5_CONFIG", newpath, 1);
+#endif
+       krb5_init_context(&context);
+
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+       free(newpath);
+       if (filepath)
+           setenv("KRB5_CONFIG", filepath, 1);
+       else
+           unsetenv("KRB5_CONFIG");
+    }
+#endif
     initialize_KTC_error_table ();
     initialize_U_error_table();
     initialize_RXK_error_table();
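Review bot: In the `#ifndef AFS_DARWIN_ENV` branch, `strlen(filepath)` and the `%s` argument sit inside `if (!filepath)`, so they always receive NULL; that branch needs either the opposite condition or a literal default path, which cannot be decided from the hunk alone. When KRB5_CONFIG is already set, `newpath` stays NULL and is still handed to `setenv`, and both `malloc` results go to `snprintf` unchecked; `if (newpath != NULL) setenv("KRB5_CONFIG", newpath, 1);` plus a NULL check after each `malloc` would cover that. If the intent is to extend an existing value, the restore at the end reuses the `getenv` pointer after `setenv` has replaced that variable, so a `strdup` copy should be kept for the restore instead. As written, a user-supplied KRB5_CONFIG means the shipped weak-crypto config is never added, which deserves a comment such as `/* krb5-weak.conf is only consulted when KRB5_CONFIG is unset; the environment is restored after krb5_init_context */`. main's body continues outside the hunk.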
index ea549f6..2b4f1cc 100644 (file)
@@ -144,6 +144,7 @@ if [ $firstpass = yes ]; then
        echo /Network/afs:/var/db/openafs/cache:30000 > $PKGROOT/private/var/db/openafs/etc/cacheinfo.sample
     fi
     cp afs.conf $PKGROOT/private/var/db/openafs/etc/config/afs.conf.sample
+    cp krb5-weak.conf $PKGROOT/private/var/db/openafs/etc/krb5-weak.conf
 
     cp decode-panic $PKGROOT/Library/OpenAFS/Tools/tools
     chmod a+x $PKGROOT/Library/OpenAFS/Tools/tools/decode-panic
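Review bot: The destination of the added `cp krb5-weak.conf` line has to match the path aklog builds from `AFSDIR_CLIENT_ETC_DIRPATH` plus `/krb5-weak.conf`, and nothing here records that link. A comment above the copy, for example `# loaded by aklog via KRB5_CONFIG; keep in sync with AFSDIR_CLIENT_ETC_DIRPATH`, would help. Because this file switches on weak encryption types for aklog's Kerberos context, an explicit `chmod 644` on the installed copy would make its mode independent of the build umask; ownership is presumably set elsewhere in the script. The enclosing `if [ $firstpass = yes ]` block starts and ends outside the hunk.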
diff --git a/src/packaging/MacOS/krb5-weak.conf b/src/packaging/MacOS/krb5-weak.conf
new file mode 100644 (file)
index 0000000..d14bb50
--- /dev/null
@@ -0,0 +1,2 @@
+[libdefaults]
+        allow_weak_crypto = true
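Review bot: The new file carries no comment saying why `allow_weak_crypto = true` is set or which program reads it. A leading comment such as `# Read only by aklog, which adds this file to KRB5_CONFIG to permit the weak enctypes it needs; do not merge into the system krb5.conf` would keep it from being mistaken for a general-purpose setting. It would also tell an administrator auditing the host that the weaker policy is meant to be confined to that one process.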