List: cups-commit
Subject: [cups.commit] [CUPS] r9655 - in trunk: cups man scheduler
From: cups-dev () easysw ! com
Date: 2011-03-28 23:52:36
Message-ID: 10426-cups.commit () news ! easysw ! com
Author: mike
Date: 2011-03-28 16:52:32 -0700 (Mon, 28 Mar 2011)
New Revision: 9655
Log:
Clean up some of the Kerberos changes, and add support for GSSServiceName in
client.conf so it is easier to deploy system-wide configurations for the
service name.
Modified:
trunk/cups/auth.c
trunk/cups/cups-private.h
trunk/cups/usersys.c
trunk/man/client.conf.man.in
trunk/scheduler/auth.c
Modified: trunk/cups/auth.c
===================================================================
--- trunk/cups/auth.c 2011-03-28 22:59:59 UTC (rev 9654)
+++ trunk/cups/auth.c 2011-03-28 23:52:32 UTC (rev 9655)
@@ -260,8 +260,8 @@
OM_uint32 minor_status, /* Minor status code */
major_status; /* Major status code */
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
- /* Output token */
- char *gss_service_name; /* GSS service name */
+ /* Output token */
+ _cups_globals_t *cg = _cupsGlobals(); /* Thread globals */
# ifdef __APPLE__
@@ -280,13 +280,10 @@
if (http->gssname == GSS_C_NO_NAME)
{
- if ((gss_service_name = getenv("CUPS_GSSSERVICENAME")) == NULL)
- gss_service_name = CUPS_DEFAULT_GSSSERVICENAME;
- else
- DEBUG_puts("2_cupsSetNegotiateAuthString: GSS service name set via "
- "environment variable");
+ if (!cg->gss_service_name[0])
+ _cupsSetDefaults();
- http->gssname = cups_get_gssname(http, gss_service_name);
+ http->gssname = cups_get_gssname(http, cg->gss_service_name);
}
if (http->gssctx != GSS_C_NO_CONTEXT)
@@ -298,9 +295,6 @@
major_status = gss_init_sec_context(&minor_status, GSS_C_NO_CREDENTIAL,
&http->gssctx,
http->gssname, http->gssmech,
-#ifdef GSS_C_DELEG_POLICY_FLAG
- GSS_C_DELEG_POLICY_FLAG |
-#endif /* GSS_C_DELEG_POLICY_FLAG */
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG,
GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS,
Modified: trunk/cups/cups-private.h
===================================================================
--- trunk/cups/cups-private.h 2011-03-28 22:59:59 UTC (rev 9654)
+++ trunk/cups/cups-private.h 2011-03-28 23:52:32 UTC (rev 9655)
@@ -68,6 +68,12 @@
/* Number of server settings */
cups_option_t *cupsd_settings;/* Server settings */
+ /* auth.c */
+# ifdef HAVE_GSSAPI
+ char gss_service_name[32];
+ /* Kerberos service name */
+# endif /* HAVE_GSSAPI */
+
/* backend.c */
char resolved_uri[1024];
/* Buffer for cupsBackendDeviceURI */
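Review bot: The size `32` of the new `gss_service_name` field is repeated as a bare literal for the local buffer added to `cups_read_client_conf()` in trunk/cups/usersys.c, so the two sizes can drift apart. Declaring the local as `char gss_service_name[sizeof(cg->gss_service_name)];` would tie it to this field. The field comment could also say that the stored name excludes the host part, which the man page change says CUPS appends, e.g. `/* Kerberos service name, without "@host" */`. The enclosing struct starts and ends outside this hunk.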
Modified: trunk/cups/usersys.c
===================================================================
--- trunk/cups/usersys.c 2011-03-28 22:59:59 UTC (rev 9654)
+++ trunk/cups/usersys.c 2011-03-28 23:52:32 UTC (rev 9655)
@@ -3,7 +3,7 @@
*
* User, system, and password routines for CUPS.
*
- * Copyright 2007-2010 by Apple Inc.
+ * Copyright 2007-2011 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
@@ -57,6 +57,9 @@
_cups_globals_t *cg,
const char *cups_encryption,
const char *cups_server,
+#ifdef HAVE_GSSAPI
+ const char *cups_gssservicename,
+#endif /* HAVE_GSSAPI */
const char *cups_anyroot,
const char *cups_expiredroot,
const char *cups_expiredcerts);
@@ -519,6 +522,9 @@
const char *home, /* Home directory of user */
*cups_encryption, /* CUPS_ENCRYPTION env var */
*cups_server, /* CUPS_SERVER env var */
+#ifdef HAVE_GSSAPI
+ *cups_gssservicename, /* CUPS_GSSSERVICENAME env var */
+#endif /* HAVE_GSSAPI */
*cups_anyroot, /* CUPS_ANYROOT env var */
*cups_expiredroot, /* CUPS_EXPIREDROOT env var */
*cups_expiredcerts; /* CUPS_EXPIREDCERTS env var */
@@ -532,11 +538,14 @@
* First collect environment variables...
*/
- cups_encryption = getenv("CUPS_ENCRYPTION");
- cups_server = getenv("CUPS_SERVER");
- cups_anyroot = getenv("CUPS_ANYROOT");
- cups_expiredroot = getenv("CUPS_EXPIREDROOT");
- cups_expiredcerts = getenv("CUPS_EXPIREDCERTS");
+ cups_encryption = getenv("CUPS_ENCRYPTION");
+ cups_server = getenv("CUPS_SERVER");
+#ifdef HAVE_GSSAPI
+ cups_gssservicename = getenv("CUPS_GSSSERVICENAME");
+#endif /* HAVE_GSSAPI */
+ cups_anyroot = getenv("CUPS_ANYROOT");
+ cups_expiredroot = getenv("CUPS_EXPIREDROOT");
+ cups_expiredcerts = getenv("CUPS_EXPIREDCERTS");
/*
* Then, if needed, read the ~/.cups/client.conf or /etc/cups/client.conf
@@ -575,6 +584,9 @@
*/
cups_read_client_conf(fp, cg, cups_encryption, cups_server,
+#ifdef HAVE_GSSAPI
+ cups_gssservicename,
+#endif /* HAVE_GSSAPI */
cups_anyroot, cups_expiredroot,
cups_expiredcerts);
cupsFileClose(fp);
@@ -592,6 +604,10 @@
_cups_globals_t *cg, /* I - Global data */
const char *cups_encryption, /* I - CUPS_ENCRYPTION env var */
const char *cups_server, /* I - CUPS_SERVER env var */
+#ifdef HAVE_GSSAPI
+ const char *cups_gssservicename,
+ /* I - CUPS_GSSSERVICENAME env var */
+#endif /* HAVE_GSSAPI */
const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */
const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
@@ -604,6 +620,9 @@
any_root[1024], /* AllowAnyRoot value */
expired_root[1024], /* AllowExpiredRoot value */
expired_certs[1024]; /* AllowExpiredCerts value */
+#ifdef HAVE_GSSAPI
+ char gss_service_name[32]; /* GSSServiceName value */
+#endif /* HAVE_GSSAPI */
/*
@@ -642,6 +661,14 @@
strlcpy(expired_certs, value, sizeof(expired_certs));
cups_expiredcerts = expired_certs;
}
+#ifdef HAVE_GSSAPI
+ else if (!cups_gssservicename && !strcasecmp(line, "GSSServiceName") &&
+ value)
+ {
+ strlcpy(gss_service_name, value, sizeof(gss_service_name));
+ cups_gssservicename = gss_service_name;
+ }
+#endif /* HAVE_GSSAPI */
}
/*
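Review bot: The `strlcpy()` into the 32-byte `gss_service_name` buffer ignores its return value, so a GSSServiceName value of 32 or more characters is silently truncated and the client would build its Kerberos service name from the shortened string rather than the configured one. The later copy into `cg->gss_service_name` in the hunk at -730 has the same gap and also covers the CUPS_GSSSERVICENAME environment value. Rejecting overlong values lets the default apply instead: `if (strlcpy(gss_service_name, value, sizeof(gss_service_name)) < sizeof(gss_service_name)) cups_gssservicename = gss_service_name;`. The enclosing function starts and ends outside this hunk.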
@@ -730,6 +757,14 @@
cg->ipp_port = ntohs(service->s_port);
}
+#ifdef HAVE_GSSAPI
+ if (!cups_gssservicename)
+ cups_gssservicename = CUPS_DEFAULT_GSSSERVICENAME;
+
+ strlcpy(cg->gss_service_name, cups_gssservicename,
+ sizeof(cg->gss_service_name));
+#endif /* HAVE_GSSAPI */
+
if (cups_anyroot)
cg->any_root = !strcasecmp(cups_anyroot, "yes") ||
!strcasecmp(cups_anyroot, "on") ||
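Review bot: `if (!cups_gssservicename)` treats an empty string as a configured name, so an exported but empty CUPS_GSSSERVICENAME skips the client.conf lookup, bypasses the default, and leaves `cg->gss_service_name` empty. The cups/auth.c hunk uses `!cg->gss_service_name[0]` as its "defaults not loaded" test, so in that case it would call `_cupsSetDefaults()` on every negotiation and still pass an empty name to `cups_get_gssname()`; how that function handles an empty name is not visible here. Testing `if (!cups_gssservicename || !*cups_gssservicename)` would make the empty case fall back to `CUPS_DEFAULT_GSSSERVICENAME`. The enclosing function continues outside this hunk.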
Modified: trunk/man/client.conf.man.in
===================================================================
--- trunk/man/client.conf.man.in 2011-03-28 22:59:59 UTC (rev 9654)
+++ trunk/man/client.conf.man.in 2011-03-28 23:52:32 UTC (rev 9655)
@@ -1,9 +1,9 @@
.\"
.\" "$Id$"
.\"
-.\" client.conf man page for the Common UNIX Printing System (CUPS).
+.\" client.conf man page for CUPS.
.\"
-.\" Copyright 2007-2009 by Apple Inc.
+.\" Copyright 2007-2011 by Apple Inc.
.\" Copyright 2006 by Easy Software Products.
.\"
.\" These coded instructions, statements, and computer programs are the
@@ -12,7 +12,7 @@
.\" which should have been included with this file. If this file is
.\" file is missing or damaged, see the license at "http://www.cups.org/".
.\"
-.TH client.conf 5 "CUPS" "25 February 2006" "Apple Inc."
+.TH client.conf 5 "CUPS" "28 March 2011" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups
.SH DESCRIPTION
@@ -34,16 +34,22 @@
Specifies the level of encryption that is required for a particular
location.
.TP 5
+GSSServiceName name
+Specifies the Kerberos service name that is used for authentication, typically
+"host", "http", or "ipp". CUPS adds the remote hostname
+("name@server.example.com") for you. The default name is
+"@CUPS_DEFAULT_GSSSERVICENAME@".
+.TP 5
ServerName hostname-or-ip-address[:port]
.TP 5
ServerName /domain/socket
.br
-Specifies the address and optionally the port to use when
-connecting to the server
+Specifies the address and optionally the port to use when connecting to the
+server.
.SH SEE ALSO
http://localhost:631/help
.SH COPYRIGHT
-Copyright 2007-2009 by Apple Inc.
+Copyright 2007-2011 by Apple Inc.
.\"
.\" End of "$Id$".
.\"
Modified: trunk/scheduler/auth.c
===================================================================
--- trunk/scheduler/auth.c 2011-03-28 22:59:59 UTC (rev 9654)
+++ trunk/scheduler/auth.c 2011-03-28 23:52:32 UTC (rev 9655)
@@ -1022,8 +1022,6 @@
}
# endif /* __APPLE__ */
-// con->gss_output_token.length = 0;
-
/*
* Find the start of the Kerberos input token...
*/
@@ -1087,12 +1085,6 @@
* Get the username associated with the client's credentials...
*/
-#if 0
- if (!con->gss_creds)
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No delegated credentials!");
-#endif /* 0 */
-
if (major_status == GSS_S_CONTINUE_NEEDED)
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"cupsdAuthorize: Credentials not complete");
@@ -1105,7 +1097,6 @@
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"cupsdAuthorize: Error getting username");
-// gss_release_cred(&minor_status, &con->gss_creds);
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
@@ -1122,8 +1113,6 @@
con->type = CUPSD_AUTH_NEGOTIATE;
}
-// else
-// gss_release_cred(&minor_status, &con->gss_creds);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
_______________________________________________
cups-commit mailing list
cups-commit@easysw.com
http://lists.easysw.com/mailman/listinfo/cups-commit