krb5: add wrapper for krb5_kt_have_content() krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add conditional build for MIT Kerberos localauth plugin This patch adds everything what is needed to build the MIT Kerberos localauth plugin if the used version of MIT Kerberos supports it. It does not implement the plugin. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Use KRB5_CFLAGS where appropriate There are cases when MIT Kerberos is installed with includes in a subdirectory of /usr/include (or /usr/local/include). In such case we have to properly use KRB5_CFLAGS to reach them. https://fedorahosted.org/sssd/ticket/2226 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

tests: Add dlopen test to make sure modules works This tests dlopens and resolves all symbols to make sure there are no missing symbols in our provider modules.

AUTOTOOLS: Add missing AC_MSG_RESULT AC_MSG_RESULT was not used everywhere after AC_MSG_CHECKING. Therefore two lines from configure output was mixed in some cases.

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842

Add support for krb5 1.11's responder callback. krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).

krb5: include backwards compatible declaration of krb5_trace_info krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11 includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info". Do the same in the SSSD to allow compiling with both 1.10 and 1.11.

Add replacement for krb5_find_authdata() krb5_find_authdata() is only available in MIT Kerberos 1.10 or higher. To allow sssd to be compiled on platform with lower version of MIT Kerberos a replacement call is added. Please note that on those platform the replacement call will only return an error. If the krb5_find_authdata functionality is really needed on those platform it must be implemented by a different patch.

Only call krb5_set_trace_callback on platforms that support it

heimdal: fix compile error in krb5-child-test

KRB5: Auto-detect DIR cache support in configure We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.

Kerberos locator: Include the correct krb5.h header file https://fedorahosted.org/sssd/ticket/1325

Add compatibility layer for Heimdal Kerberos implementation

Add wrapper for krb5_get_init_creds_opt_set_canonicalize

Added some kerberos functions for building on RHEL5

Add support for FAST in krb5 provider

Use new MIT krb5 API for better password expiration warnings

Remove bash-isms from configure macros

Rename server/ directory to src/ Also update BUILD.txt