s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba)

Also including the supporting changes required to pass make test

A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).

Andrew Bartlett

6 files changed, 27 insertions, 15 deletions

diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index bc3d05f529..efcca3e269 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -71,7 +71,6 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 	krb5_principal princ;
 	krb5_error_code ret;
 	char *name;
-	char **realm;
 
 	if (cred->ccache_obtained > obtained) {
 		return 0;
@@ -98,8 +97,6 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 		return ret;
 	}
 
-	realm = krb5_princ_realm(ccache->smb_krb5_context->krb5_context, princ);
-
 	cli_credentials_set_principal(cred, name, obtained);
 
 	free(name);
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index aae04dffe2..7129db72b8 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -170,6 +170,9 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
 	
 	gensec_gssapi_state->want_flags = 0;
+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
+		gensec_gssapi_state->want_flags |= GSS_C_DELEG_POLICY_FLAG;
+	}
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
 	}
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 68e7eb90cc..3314cbc591 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -94,11 +94,11 @@
 {
 	char *ret;
 	
-#if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING) 	
-	char *context_error = krb5_get_error_string(context);
+#if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE) 	
+	const char *context_error = krb5_get_error_message(context, code);
 	if (context_error) {
 		ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
-		krb5_free_error_string(context, context_error);
+		krb5_free_error_message(context, context_error);
 		return ret;
 	}
 #endif
diff --git a/source4/auth/kerberos/config.m4 b/source4/auth/kerberos/config.m4
index bf14ca0ee4..a8d55a1287 100644
--- a/source4/auth/kerberos/config.m4
+++ b/source4/auth/kerberos/config.m4
@@ -258,6 +258,8 @@ if test x"$with_krb5_support" != x"no"; then
 	AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_get_error_message, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_free_error_message, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_initlog, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_addlog_func, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_set_warn_dest, $KRB5_LIBS)
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 1889dcab4d..a0b21c891a 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -40,23 +40,27 @@
 {
 	krb5_error_code code = 0;
 	krb5_creds my_creds;
-	krb5_get_init_creds_opt options;
+	krb5_get_init_creds_opt *options;
 
-	krb5_get_init_creds_opt_init(&options);
+	if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) {
+		return code;
+	}
 
-	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
+	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
 
 	if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock,
-						 0, NULL, &options))) {
+						 0, NULL, options))) {
 		return code;
 	}
 	
 	if ((code = krb5_cc_initialize(ctx, cc, principal))) {
+		krb5_get_init_creds_opt_free(ctx, options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
 	
 	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+		krb5_get_init_creds_opt_free(ctx, options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
@@ -69,6 +73,7 @@
 		*kdc_time = (time_t) my_creds.times.starttime;
 	}
 
+	krb5_get_init_creds_opt_free(ctx, options);
 	krb5_free_cred_contents(ctx, &my_creds);
 	
 	return 0;
@@ -84,24 +89,28 @@
 {
 	krb5_error_code code = 0;
 	krb5_creds my_creds;
-	krb5_get_init_creds_opt options;
+	krb5_get_init_creds_opt *options;
 
-	krb5_get_init_creds_opt_init(&options);
+	if ((code = krb5_get_init_creds_opt_alloc(ctx, &options))) {
+		return code;
+	}
 
-	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
+	krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, options);
 
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, 
 						 NULL, 
-						 NULL, 0, NULL, &options))) {
+						 NULL, 0, NULL, options))) {
 		return code;
 	}
 	
 	if ((code = krb5_cc_initialize(ctx, cc, principal))) {
+		krb5_get_init_creds_opt_free(ctx, options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
 	
 	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
+		krb5_get_init_creds_opt_free(ctx, options);
 		krb5_free_cred_contents(ctx, &my_creds);
 		return code;
 	}
@@ -114,6 +123,7 @@
 		*kdc_time = (time_t) my_creds.times.starttime;
 	}
 
+	krb5_get_init_creds_opt_free(ctx, options);
 	krb5_free_cred_contents(ctx, &my_creds);
 	
 	return 0;
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 7a36c9ddea..7a6d008562 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -96,7 +96,7 @@ krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 	krb5_principal client_principal_pac;
 	int i;
 
-	krb5_clear_error_string(context);
+	krb5_clear_error_message(context);
 
 	if (k5ret) {
 		*k5ret = KRB5_PARSE_MALFORMED;