aklog: work around lion kerberos disaster

fine, so, instead of needing weak crypto enabled, use krb5 config paths trick and ship a config to deal. Change-Id: I6e9635dfe1fe6d4633486acf1e9cc35a96f33cd6 Reviewed-on: http://gerrit.openafs.org/5310 Tested-by: BuildBot <buildbot@rampaginggeek.com> Tested-by: Derrick Brashear <shadow@dementix.org> Reviewed-by: Derrick Brashear <shadow@dementix.org>
2025-01-19 23:40:13 +00:00 · 2011-08-24 20:40:38 -04:00 · 2011-08-24 20:40:38 -04:00 · 33bb5218ba
commit 33bb5218ba
parent 3d4e111dd6
3 changed files with 31 additions and 5 deletions
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@ -313,10 +313,6 @@ redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap)
 	    krb5_svc_get_msg(code,&str);
 #elif defined(HAVE_ERROR_MESSAGE)
 	    str = error_message(code);
-#elif defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
-	    /* Lion gives us nothing to hook here and no weak crypto switch */
-	    if (code == KRB5_PROG_ETYPE_NOSUPP)
-		str = "encryption type not supported; \"allow_weak_crypto = true\" needed in Kerberos configuration";
 #else
 	    ; /* IRIX apparently has neither: use the string we have */
 #endif
@ -1476,7 +1472,34 @@ main(int argc, char *argv[])
    else
 	progname = argv[0];

-    krb5_init_context(&context);
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+    {
+	char *filepath = NULL, *newpath = NULL;
+	filepath = getenv("KRB5_CONFIG");
+        if (!filepath) {
+	    int slen;
+#ifndef AFS_DARWIN_ENV
+	    slen = strlen(filepath)+strlen(":/etc/krb5.conf")+1;
+	    newpath = malloc(slen);
+	    snprintf(newpath, slen, "%s:/etc/krb5.conf", filepath);
+#else
+	    slen = strlen("~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:")+strlen(AFSDIR_CLIENT_ETC_DIRPATH)+strlen("/krb5-weak.conf")+1;
+	    newpath = malloc(slen);
+	    snprintf(newpath, slen, "~/Library/Preferences/edu.mit.Kerberos:/Library/Preferences/edu.mit.Kerberos:%s/krb5-weak.conf", AFSDIR_CLIENT_ETC_DIRPATH);
+#endif
+	}
+	setenv("KRB5_CONFIG", newpath, 1);
+#endif
+	krb5_init_context(&context);
+
+#if defined(KRB5_PROG_ETYPE_NOSUPP) && !(defined(HAVE_KRB5_ENCTYPE_ENABLE) || defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO))
+	free(newpath);
+	if (filepath)
+	    setenv("KRB5_CONFIG", filepath, 1);
+	else
+	    unsetenv("KRB5_CONFIG");
+    }
+#endif
    initialize_KTC_error_table ();
    initialize_U_error_table();
    initialize_RXK_error_table();
--- a/src/packaging/MacOS/buildpkg.sh.in
+++ b/src/packaging/MacOS/buildpkg.sh.in
@ -144,6 +144,7 @@ if [ $firstpass = yes ]; then
 	echo /Network/afs:/var/db/openafs/cache:30000 > $PKGROOT/private/var/db/openafs/etc/cacheinfo.sample
    fi
    cp afs.conf $PKGROOT/private/var/db/openafs/etc/config/afs.conf.sample
+    cp krb5-weak.conf $PKGROOT/private/var/db/openafs/etc/krb5-weak.conf

    cp decode-panic $PKGROOT/Library/OpenAFS/Tools/tools
    chmod a+x $PKGROOT/Library/OpenAFS/Tools/tools/decode-panic
--- a/src/packaging/MacOS/krb5-weak.conf
+++ b/src/packaging/MacOS/krb5-weak.conf
@ -0,0 +1,2 @@
+[libdefaults]
+        allow_weak_crypto = true