From: Derrick Brashear Date: Thu, 25 Aug 2011 00:40:38 +0000 (-0400) Subject: aklog: work around lion kerberos disaster X-Git-Tag: openafs-devel-1_7_1~102 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=33bb5218ba8d6c5b5c5c4839fd31824ca90c062b;hp=3d4e111dd6c4201476e7447fdfaa27ed630032c5 aklog: work around lion kerberos disaster fine, so, instead of needing weak crypto enabled, use krb5 config paths trick and ship a config to deal. Change-Id: I6e9635dfe1fe6d4633486acf1e9cc35a96f33cd6 Reviewed-on: http://gerrit.openafs.org/5310 Tested-by: BuildBot Tested-by: Derrick Brashear Reviewed-by: Derrick Brashear
---
diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index 2a744d2..247bff0 100644
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -313,10 +313,6 @@ redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap)
 krb5_svc_get_msg(code,&str);
 #elif defined(HAVE_ERROR_MESSAGE)
 str = error_message(code);
-#elif defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
- /* Lion gives us nothing to hook here and no weak crypto switch */
- if (code == KRB5_PROG_ETYPE_NOSUPP)
- str = "encryption type not supported; \"allow_weak_crypto = true\" needed in Kerberos configuration";
 #else
 ; /* IRIX apparently has neither: use the string we have */
 #endif
@@ -1476,7 +1472,34 @@ main(int argc, char *argv[])
 else
 progname = argv[0];
- krb5_init_context(&context);
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+ {
+ char *filepath = NULL, *newpath = NULL;
+ filepath = getenv("KRB5_CONFIG");
+ if (!filepath) {
+ int slen;
+#ifndef AFS_DARWIN_ENV
+ slen = strlen(filepath)+strlen(":/etc/krb5.conf")+1;
+ newpath = malloc(slen);
+ snprintf(newpath, slen, "%s:/etc/krb5.conf", filepath);
+#else
+ slen = strlen("~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:")+strlen(AFSDIR_CLIENT_ETC_DIRPATH)+strlen("/krb5-weak.conf")+1;
+ newpath = malloc(slen);
+ snprintf(newpath, slen, "~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:%s/krb5-weak.conf", AFSDIR_CLIENT_ETC_DIRPATH);
+#endif
+ }
+ setenv("KRB5_CONFIG", newpath, 1);
+#endif
+ krb5_init_context(&context);
+
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+ free(newpath);
+ if (filepath)
+ setenv("KRB5_CONFIG", filepath, 1);
+ else
+ unsetenv("KRB5_CONFIG");
+ }
+#endif
 initialize_KTC_error_table ();
 initialize_U_error_table();
 initialize_RXK_error_table();
diff --git a/src/packaging/MacOS/buildpkg.sh.in b/src/packaging/MacOS/buildpkg.sh.in
index ea549f6..2b4f1cc 100644
--- a/src/packaging/MacOS/buildpkg.sh.in
+++ b/src/packaging/MacOS/buildpkg.sh.in
@@ -144,6 +144,7 @@ if [ $firstpass = yes ]; then
 echo /Network/afs:/var/db/openafs/cache:30000 > $PKGROOT/private/var/db/openafs/etc/cacheinfo.sample
 fi
 cp afs.conf $PKGROOT/private/var/db/openafs/etc/config/afs.conf.sample
+ cp krb5-weak.conf $PKGROOT/private/var/db/openafs/etc/krb5-weak.conf
 cp decode-panic $PKGROOT/Library/OpenAFS/Tools/tools
 chmod a+x $PKGROOT/Library/OpenAFS/Tools/tools/decode-panic
diff --git a/src/packaging/MacOS/krb5-weak.conf b/src/packaging/MacOS/krb5-weak.conf
new file mode 100644
index 0000000..d14bb50
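Review bot: In the block added before `krb5_init_context` in main(), the non-Darwin branch sits inside `if (!filepath)` yet calls `strlen(filepath)` and formats `filepath` with `%s`, so it dereferences NULL whenever it runs; the test or that branch looks inverted and needs to be reconciled. When KRB5_CONFIG is already set, `newpath` is still NULL at `setenv("KRB5_CONFIG", newpath, 1)`, and neither `malloc` result is checked, so I would guard the call: `if (newpath != NULL) setenv("KRB5_CONFIG", newpath, 1);`. The restore step also passes the pointer returned by `getenv` back to `setenv` after an intervening `setenv`; POSIX allows that pointer to be invalidated, so restore from a `strdup` copy and free it afterwards. A short comment saying that KRB5_CONFIG is overridden only around `krb5_init_context`, presumably so the weak-crypto configuration is not left in the environment for anything aklog runs later, would help the next reader. main() begins and ends outside this hunk.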
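Review bot: The added `cp krb5-weak.conf …` leaves the installed file's mode to whatever the build tree happens to have, although aklog will load this file as Kerberos configuration (per the aklog.c change in this commit); I would set it explicitly right after the copy, e.g. `chmod 644 $PKGROOT/private/var/db/openafs/etc/krb5-weak.conf`. The destination also has to match the path aklog builds from `AFSDIR_CLIENT_ETC_DIRPATH`, whose value is not visible here, so a one-line comment tying the two together would prevent them drifting apart. The enclosing `if [ $firstpass = yes ]` block starts outside the hunk.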
--- /dev/null
+++ b/src/packaging/MacOS/krb5-weak.conf
@@ -0,0 +1,2 @@
+[libdefaults]
+ allow_weak_crypto = true
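Review bot: The new krb5-weak.conf has no comment explaining why it exists, although `allow_weak_crypto = true` turns back on encryption types that the Kerberos library otherwise refuses to use. I would add a header comment along the lines of `# Loaded by aklog through KRB5_CONFIG only; re-enables weak enctypes for AFS tickets. Do not merge into the system krb5.conf.` so that nobody reuses the file as a general configuration. It would also help to state in the file when it can be dropped, i.e. once the cell no longer depends on weak enctypes.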