krb5/patches/069-k5identity-disable.patch

#
# This patch fixes an issue where the k5identity built-in ccache selection
# plugin is calling fopen() for a .k5identity file located in a user's home
# directory.  The problem with this is that this behavior can cause gssd to
# hang when trying to estabish a gss security context on behalf of a user whose
# home dir is NFS sec=krb5 protected.  Since the plugin implementation does not
# provide a means of setting a plugin to disabled state by default we are
# disabling the k5identity plugin from being registered which basically
# disables the plugin completely.
#
# This problem has been reported to MIT via this ticket:
# 8420 built in plugins need a method to disable/enable by default
# Once the fix for 8420 is in Userland then:
# 23514346 The k5identity tests should be re-enabled when MIT ticket 8420 is fixed upstream
# should also be addressed.
#
# Patch source: in-house
#
--- a/src/lib/krb5/ccache/ccselect.c
+++ b/src/lib/krb5/ccache/ccselect.c
@@ -59,12 +59,17 @@ load_modules(krb5_context context)
     krb5_plugin_initvt_fn *modules = NULL, *mod;
     size_t count;

-#ifndef _WIN32
+    /*
+     * This plugin tries to access a .k5identity file in a user's home dir
+     * which causes the Solaris gssd to hang when that home dir is shared as a
+     * sec=krb5 protected NFS share so we are disabling this for now.
+     */
+#if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
     ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "k5identity",
                              ccselect_k5identity_initvt);
     if (ret != 0)
         goto cleanup;
-#endif
+#endif /* ************** END IFDEF'ed OUT ***************************** */

     ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "realm",
                              ccselect_realm_initvt);
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -943,10 +943,6 @@ dynamic modules, the following built\-in modules exist (and may be
 disabled with the disable tag):
 .INDENT 0.0
 .TP
-.B \fBk5identity\fP
-Uses a .k5identity file in the user\(aqs home directory to select a
-client principal
-.TP
 .B \fBrealm\fP
 Uses the service realm to guess an appropriate cache from the
 collection
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -103,22 +103,24 @@ r1.run(['./t_ccselect', gssserver], expected_code=1)
 r1.kinit(bob, password('bob'))

 # Try some cache selections using .k5identity.
-k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
-k5id.write('%s realm=%s\n' % (alice, r1.realm))
-k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
-k5id.write('noprinc service=bogus')
-k5id.close()
-output = r1.run(['./t_ccselect', host1])
-if output != (alice + '\n'):
-    fail('alice not chosen via .k5identity realm line.')
-output = r2.run(['./t_ccselect', gssserver])
-if output != (zaphod + '\n'):
-    fail('zaphod not chosen via .k5identity service/host line.')
-output = r1.run(['./t_ccselect', refserver])
-if output != (bob + '\n'):
-    fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
-if 'Can\'t find client principal noprinc' not in output:
-    fail('Expected error not seen when k5identity selects bad principal.')
+#k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
+#k5id.write('%s realm=%s\n' % (alice, r1.realm))
+#k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
+#k5id.write('noprinc service=bogus')
+#k5id.close()
+#output = r1.run(['./t_ccselect', host1])
+#if output != (alice + '\n'):
+#    fail('alice not chosen via .k5identity realm line.')
+#output = r2.run(['./t_ccselect', gssserver])
+#if output != (zaphod + '\n'):
+#    fail('zaphod not chosen via .k5identity service/host line.')
+#output = r1.run(['./t_ccselect', refserver])
+#if output != (bob + '\n'):
+#    fail('bob not chosen via primary cache when no .k5identity line matches.')
+#output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
+#if 'Can\'t find client principal noprinc' not in output:
+#    fail('Expected error not seen when k5identity selects bad principal.')
+sys.stderr.write("Support of k5identity ccselect plugin disabled, skipping "
+    "k5identity tests...\n");

 success('GSSAPI credential selection tests')
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -21,15 +21,17 @@ if realm.user_princ not in out:
 realm.run([kdestroy])

 # Test 2: no name/cache specified, pick principal from k5identity
-k5idname = os.path.join(realm.testdir, '.k5identity')
-k5id = open(k5idname, 'w')
-k5id.write('%s service=host host=%s\n' % (bob, hostname))
-k5id.close()
-out = realm.run(['./t_ccselect', gssserver])
-if bob not in out:
-    fail('Authenticated as wrong principal')
-os.remove(k5idname)
-realm.run([kdestroy])
+#k5idname = os.path.join(realm.testdir, '.k5identity')
+#k5id = open(k5idname, 'w')
+#k5id.write('%s service=host host=%s\n' % (bob, hostname))
+#k5id.close()
+#out = realm.run(['./t_ccselect', gssserver])
+#if bob not in out:
+#    fail('Authenticated as wrong principal')
+#os.remove(k5idname)
+#realm.run([kdestroy])
+sys.stderr.write("Support of k5identity ccselect plugin disabled, skipping "
+    "Test 2...\n");

 # Test 3: no name/cache specified, default ccache has name but no creds
 realm.run(['./ccinit', realm.ccache, bob])