Attachment #185285 for bug #217623

Lines 2-9 Link Here

(-)b/security/sssd/Makefile (-3 / +5 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= sssd	4	PORTNAME= sssd
5	PORTVERSION= 1.11.7	5	PORTVERSION= 1.15.3
6	PORTREVISION= 8	6	PORTREVISION= 9
7	CATEGORIES= security	7	CATEGORIES= security
8	MASTER_SITES= https://releases.pagure.org/SSSD/${PORTNAME}/	8	MASTER_SITES= https://releases.pagure.org/SSSD/${PORTNAME}/
9		9
Lines 43-49 CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \ Link Here
43	--with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \	43	--with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \
44	--with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \	44	--with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \
45	--with-unicode-lib=libunistring --with-autofs=no \	45	--with-unicode-lib=libunistring --with-autofs=no \
46	--disable-cifs-idmap-plugin --disable-config-lib	46	--disable-cifs-idmap-plugin --disable-config-lib \
		47	--without-nfsv4-idmapd-plugin --without-secrets \
		48	--without-python3-bindings --without-kcm
47	CFLAGS+= -fstack-protector-all	49	CFLAGS+= -fstack-protector-all
48	PLIST_SUB= PYTHON_VER=${PYTHON_VER}	50	PLIST_SUB= PYTHON_VER=${PYTHON_VER}
49	#DEBUG_FLAGS= -g	51	#DEBUG_FLAGS= -g

Lines 1-2 Link Here

(-)b/security/sssd/distinfo (-2 / +3 lines)
1	SHA256 (sssd-1.11.7.tar.gz) = ff12d5730a6d7d08fe11140aa58e544900b75c63902b7a07bbbc12d6a99cb5b5	1	TIMESTAMP = 1501774532
2	SIZE (sssd-1.11.7.tar.gz) = 3661227	2	SHA256 (sssd-1.15.3.tar.gz) = 6e508dc71c0e132b15db1db29d2e309d610027e89f7097ead5d7c9867f6d6634
		3	SIZE (sssd-1.15.3.tar.gz) = 5670079




--- Makefile.am.ga	2017-08-02 18:15:08.429436000 +0000
+++ Makefile.am	2017-08-02 18:28:05.077591000 +0000
@@ -501,6 +501,7 @@
+++ Makefile.am
@@ -311,6 +311,7 @@ AM_CPPFLAGS = \
     $(LIBNL_CFLAGS) \
     $(OPENLDAP_CFLAGS) \
     $(GLIB2_CFLAGS) \
     $(JOURNALD_CFLAGS) \
+    -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \
     -DLIBDIR=\"$(libdir)\" \
     -DVARDIR=\"$(localstatedir)\" \
     -DSSS_STATEDIR=\"$(sss_statedir)\" \
@@ -614,6 +615,7 @@
     $(COLLECTION_LIBS) \
     $(DHASH_LIBS) \
     $(SSS_CRYPT_LIBS) \
     $(OPENLDAP_LIBS) \
+    $(LTLIBINTL) \
     $(SELINUX_LIBS) \
     $(TDB_LIBS)
 
@@ -667,6 +669,7 @@
@@ -433,6 +435,7 @@ dist_noinst_HEADERS = \
     src/util/sss_ssh.h \
     src/util/sss_ini.h \
     src/util/sss_format.h \

     src/util/refcount.h \
     src/util/find_uid.h \
     src/util/user_info_msg.h \
@@ -3562,9 +3565,10 @@
 # Client Libraries #
 ####################
 

     src/sss_client/nss_passwd.c \
     src/sss_client/nss_group.c \
     src/sss_client/nss_netgroup.c \
@@ -3578,9 +3582,9 @@
     src/sss_client/nss_mc_passwd.c \
     src/sss_client/nss_mc_group.c \
     src/sss_client/nss_mc_initgr.c \
     src/sss_client/nss_mc.h
-libnss_sss_la_LIBADD = \
+nss_sss_la_LIBADD = \

     -module \
     -version-info 2:0:0 \
     -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
@@ -4053,6 +4057,7 @@
     $(TALLOC_LIBS) \
     $(POPT_LIBS) \
     $(OPENLDAP_LIBS) \
     $(DHASH_LIBS) \
+    $(LTLIBINTL) \
     $(KRB5_LIBS)
 
 if BUILD_SEMANAGE




--- configure.ac.orig	2013-11-06 18:35:03 UTC
+++ configure.ac
@@ -5,15 +5,15 @@ AC_INIT([sssd],
         VERSION_NUMBER,
         [sssd-devel@lists.fedorahosted.org])
 
+AC_CONFIG_SRCDIR([BUILD.txt])
+AC_CONFIG_AUX_DIR([build])
+
 m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
     [AC_USE_SYSTEM_EXTENSIONS],
     [AC_GNU_SOURCE])
 
 CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
 
-AC_CONFIG_SRCDIR([BUILD.txt])
-AC_CONFIG_AUX_DIR([build])
-
 AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax])
 AM_PROG_CC_C_O
 m4_ifdef([AM_PROG_AR], [AM_PROG_AR])




--- src/external/krb5.m4.ga	2017-07-25 10:09:02.000000000 +0000
+++ src/external/krb5.m4	2017-08-03 16:57:39.646287000 +0000
@@ -10,6 +10,7 @@
+++ src/external/krb5.m4
@@ -9,7 +9,7 @@ if test x$KRB5_CFLAGS != x; then
     KRB5_PASSED_CFLAGS=$KRB5_CFLAGS
 fi
 
 AC_PATH_TOOL(KRB5_CONFIG, krb5-config)
+AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
 AC_MSG_CHECKING(for working krb5-config)
 if test -x "$KRB5_CONFIG"; then




--- src/providers/ldap/ldap_auth.c.ga	2017-07-25 10:09:02.000000000 +0000
+++ src/providers/ldap/ldap_auth.c	2017-08-03 18:07:22.269610000 +0000
--- src/providers/ldap/ldap_auth.c
+++ src/providers/ldap/ldap_auth.c
@@ -37,7 +37,6 @@
 #include <sys/time.h>
 #include <strings.h>

 #include <security/pam_modules.h>
 
 #include "util/util.h"
@@ -52,6 +51,22 @@
 
 #define LDAP_PWEXPIRE_WARNING_TIME 0
 
+struct spwd
+{

+  long int sp_min;            /* Minimum number of days between changes.  */
+  long int sp_max;            /* Maximum number of days between changes.  */
+  long int sp_warn;           /* Number of days to warn user to change
+                                the password.  */
+  long int sp_inact;          /* Number of days the account may be
+                                inactive.  */
+  long int sp_expire;         /* Number of days since 1970-01-01 until
+                                account expires.  */
+  unsigned long int sp_flag;  /* Reserved.  */
+};
+
 static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
 {
     int ret;
@@ -97,9 +112,9 @@
         return EINVAL;
     }
 
+    tzset();
     expire_time = mktime(&tm);
     if (expire_time == -1) {
         DEBUG(SSSDBG_CRIT_FAILURE,
@@ -116,12 +132,10 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
         return EINVAL;
     }
 
-    tzset();
-    expire_time -= timezone;
     DEBUG(SSSDBG_TRACE_ALL,
-          "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
-           "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],

 
     if (difftime(now, expire_time) > 0.0) {
         DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");
@@ -935,7 +950,7 @@
     DEBUG(SSSDBG_OP_FAILURE,
           "starting password change request for user [%s].\n", pd->user);
 
     state->pd = pd;
     state->be_ctx = params->be_ctx;
-    pd->pam_status = PAM_SYSTEM_ERR;
+    pd->pam_status = PAM_SERVICE_ERR;
 
     switch (pd->cmd) {
     case SSS_PAM_AUTHENTICATE:
@@ -1038,7 +1053,7 @@
         state->pd->pam_status = PAM_BAD_ITEM;
         break;
     default:
-        state->pd->pam_status = PAM_SYSTEM_ERR;
+        state->pd->pam_status = PAM_SERVICE_ERR;
         break;
     }
 
@@ -1131,7 +1146,7 @@
     DEBUG(SSSDBG_OP_FAILURE,
           "starting password change request for user [%s].\n", pd->user);
 
-    pd->pam_status = PAM_SYSTEM_ERR;
+    pd->pam_status = PAM_SERVICE_ERR;
 
     if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
         DEBUG(SSSDBG_OP_FAILURE,
@@ -1280,7 +1295,7 @@
             be_mark_offline(state->be_ctx);
             break;
         default:
-            state->pd->pam_status = PAM_SYSTEM_ERR;
+            state->pd->pam_status = PAM_SERVICE_ERR;
             break;
         }
 
@@ -1342,7 +1357,7 @@
                                                     state->sh, state->dn,
                                                     lastchanged_name);
         if (subreq == NULL) {

             goto done;
         }
 
@@ -1368,7 +1383,7 @@
     talloc_free(subreq);
 
     ret = sdap_modify_shadow_lastchange_recv(req);
     if (ret != EOK) {
-        state->pd->pam_status = PAM_SYSTEM_ERR;
+        state->pd->pam_status = PAM_SERVICE_ERR;
         goto done;
     }
 
@@ -1193,7 +1207,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
         goto done;
     }
 
-    pd->pam_status = PAM_SYSTEM_ERR;
+    pd->pam_status = PAM_SERVICE_ERR;
 
     switch (pd->cmd) {
     case SSS_PAM_AUTHENTICATE:
@@ -1291,7 +1305,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
         state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
         break;
     default:
-        state->pd->pam_status = PAM_SYSTEM_ERR;
+        state->pd->pam_status = PAM_SERVICE_ERR;
         dp_err = DP_ERR_FATAL;
     }
 




--- src/providers/ldap/sdap_access.c.ga	2017-07-25 10:09:02.000000000 +0000
+++ src/providers/ldap/sdap_access.c	2017-08-03 18:27:25.934434000 +0000
@@ -556,9 +556,9 @@
+++ src/providers/ldap/sdap_access.c
@@ -499,6 +499,7 @@ static bool nds_check_expired(const char *exp_time_str)
         return true;
     }
 
+    tzset();
     expire_time = mktime(&tm);
     if (expire_time == -1) {
         DEBUG(SSSDBG_CRIT_FAILURE,
@@ -506,13 +507,11 @@ static bool nds_check_expired(const char *exp_time_str)
         return true;
     }
 
-    tzset();
-    expire_time -= timezone;
     now = time(NULL);
     DEBUG(SSSDBG_TRACE_ALL,
-          "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "




--- src/sss_client/common.c.ga	2017-07-25 10:09:02.000000000 +0000
+++ src/sss_client/common.c	2017-08-03 18:50:08.436441000 +0000
--- src/sss_client/common.c
+++ src/sss_client/common.c
@@ -25,6 +25,7 @@
 #include "config.h"
 

 
 #if HAVE_PTHREAD
 #include <pthread.h>
@@ -124,7 +126,6 @@
             *errnop = error;
             break;
         case 0:

             break;
         case 1:
             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
@@ -232,7 +233,6 @@
             *errnop = error;
             break;
         case 0:

             break;
         case 1:
             if (pfd.revents & (POLLHUP)) {
@@ -669,7 +669,6 @@
             *errnop = error;
             break;
         case 0:

             break;
         case 1:
             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
@@ -719,7 +718,7 @@
     /* avoid looping in the nss daemon */
     envval = getenv("_SSS_LOOPS");
     if (envval && strcmp(envval, "NO") == 0) {

     }
 
     ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME);
@@ -729,7 +728,7 @@
         errno = 0;
         return NSS_STATUS_NOTFOUND;
 #else
-        return NSS_STATUS_UNAVAIL;
+        return NS_UNAVAIL;
 #endif
     }
 
@@ -752,9 +751,9 @@
     }
     switch (ret) {
     case SSS_STATUS_TRYAGAIN:
-        return NSS_STATUS_TRYAGAIN;

+        return NS_SUCCESS;
     case SSS_STATUS_UNAVAIL:
     default:
 #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR
@@ -762,7 +761,7 @@
         errno = 0;
         return NSS_STATUS_NOTFOUND;
 #else
-        return NSS_STATUS_UNAVAIL;
+        return NS_UNAVAIL;
 #endif
     }
 }
 




--- src/util/server.c	2017-08-08 13:00:54.275998000 +0000
+++ src/util/server.c	2017-08-08 13:05:02.782158000 +0000
@@ -307,10 +307,13 @@ static void setup_signals(void)
+++ src/util/server.c
@@ -322,12 +322,14 @@ static void setup_signals(void)
     BlockSignals(false, SIGTERM);
 
     CatchSignal(SIGHUP, sig_hup);
-
 #ifndef HAVE_PRCTL
-        /* If prctl is not defined on the system, try to handle
-         * some common termination signals gracefully */




diff --git src/util/signal.c src/util/signal.c
index 053457b..bb8f8be 100644
--- src/util/signal.c
+++ src/util/signal.c
@@ -28,45 +28,6 @@
  * @brief Signal handling
  */
 
-/****************************************************************************
- Catch child exits and reap the child zombie status.
-****************************************************************************/
-
-static void sig_cld(int signum)
-{
-	while (waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
-		;
-
-	/*
-	 * Turns out it's *really* important not to
-	 * restore the signal handler here if we have real POSIX
-	 * signal handling. If we do, then we get the signal re-delivered
-	 * immediately - hey presto - instant loop ! JRA.
-	 */
-
-#if !defined(HAVE_SIGACTION)
-	CatchSignal(SIGCLD, sig_cld);
-#endif
-}
-
-/****************************************************************************
-catch child exits - leave status;
-****************************************************************************/
-
-static void sig_cld_leave_status(int signum)
-{
-	/*
-	 * Turns out it's *really* important not to
-	 * restore the signal handler here if we have real POSIX
-	 * signal handling. If we do, then we get the signal re-delivered
-	 * immediately - hey presto - instant loop ! JRA.
-	 */
-
-#if !defined(HAVE_SIGACTION)
-	CatchSignal(SIGCLD, sig_cld_leave_status);
-#endif
-}
-
 /**
  Block sigs.
 **/
@@ -126,21 +87,3 @@ void (*CatchSignal(int signum,void (*handler)(int )))(int)
 	return signal(signum, handler);
 #endif
 }
-
-/**
- Ignore SIGCLD via whatever means is necessary for this OS.
-**/
-
-void CatchChild(void)
-{
-	CatchSignal(SIGCLD, sig_cld);
-}
-
-/**
- Catch SIGCLD but leave the child around so it's status can be reaped.
-**/
-
-void CatchChildLeaveStatus(void)
-{
-	CatchSignal(SIGCLD, sig_cld_leave_status);
-}




--- src/util/sss_ldap.c	2017-08-08 13:26:57.528648000 +0000
+++ src/util/sss_ldap.c	2017-08-08 15:26:30.504250000 +0000
@@ -214,6 +214,9 @@ static errno_t unset_fcntl_flags(int fd,
     flags &= ~fl_flags;
 
     ret = fcntl(fd, F_SETFL, flags);
     ret = connect(state->fd, (struct sockaddr *) &state->addr,
                   state->addr_len);
+    if (errno == EISCONN) {
+        ret = EOK;
+    }
     if (ret != EOK) {
         ret = errno;
         DEBUG(SSSDBG_CRIT_FAILURE,
@@ -346,7 +349,7 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
           "Using file descriptor [%d] for LDAP connection.\n", state->sd);
 
     subreq = sdap_async_sys_connect_send(state, ev, state->sd,
-                                         (struct sockaddr *) addr, addr_len);
+                                         (struct sockaddr *) addr, sizeof(struct sockaddr));
     if (subreq == NULL) {
         ret = ENOMEM;
         DEBUG(SSSDBG_CRIT_FAILURE, "sdap_async_sys_connect_send failed.\n");




--- src/util/util.h.ga	2017-08-08 16:36:09.070328000 +0000
+++ src/util/util.h	2017-08-08 16:45:26.801638000 +0000
@@ -618,6 +618,7 @@ char * sss_replace_space(TALLOC_CTX *mem
+++ src/util/util.h
@@ -227,8 +227,6 @@ void sig_term(int sig);
 #include <signal.h>
 void BlockSignals(bool block, int signum);
 void (*CatchSignal(int signum,void (*handler)(int )))(int);
-void CatchChild(void);
-void CatchChildLeaveStatus(void);
 
 /* from memory.c */
 typedef int (void_destructor_fn_t)(void *);
@@ -542,5 +540,6 @@ char * sss_replace_space(TALLOC_CTX *mem_ctx,
 char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx,
                                  const char *orig_name,
                                  const char replace_char);
+#include "util/sss_bsd_errno.h"
 
 #define GUID_BIN_LENGTH 16
 /* 16 2-digit hex values + 4 dashes + terminating 0 */




--- src/external/pac_responder.m4.ga	2017-08-08 16:52:35.337535000 +0000
+++ src/external/pac_responder.m4	2017-08-08 16:55:22.087338000 +0000
@@ -7,7 +7,7 @@ AC_ARG_ENABLE([pac-responder],
 krb5_version_ok=no
 if test x$build_pac_responder = xyes
 then
-    AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+    AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
     AC_MSG_CHECKING(for supported MIT krb5 version)
     KRB5_VERSION="`$KRB5_CONFIG --version`"
     case $KRB5_VERSION in
         Kerberos\ 5\ release\ 1.9* | \
         Kerberos\ 5\ release\ 1.10* | \
         Kerberos\ 5\ release\ 1.11* | \
-        Kerberos\ 5\ release\ 1.12*)
+        Kerberos\ 5\ release\ 1.12* | \
+        Kerberos\ 5\ release\ 1.13* | \
+        Kerberos\ 5\ release\ 1.14* | \
+        Kerberos\ 5\ release\ 1.15*)
             krb5_version_ok=yes
             AC_MSG_RESULT([yes])
             ;;

Return to bug 217623

Lines 1-24 Link Here

(-)b/security/sssd/files/patch-Makefile.am (-17 / +15 lines)
1	diff --git Makefile.am Makefile.am	1	--- Makefile.am.ga 2017-08-02 18:15:08.429436000 +0000
2	index fd74d85..4a7e6ae 100644	2	+++ Makefile.am 2017-08-02 18:28:05.077591000 +0000
3	--- Makefile.am	3	@@ -501,6 +501,7 @@
4	+++ Makefile.am
5	@@ -311,6 +311,7 @@ AM_CPPFLAGS = \
6	$(LIBNL_CFLAGS) \
7	$(OPENLDAP_CFLAGS) \	4	$(OPENLDAP_CFLAGS) \
8	$(GLIB2_CFLAGS) \	5	$(GLIB2_CFLAGS) \
		6	$(JOURNALD_CFLAGS) \
9	+ -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \	7	+ -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \
10	-DLIBDIR=\"$(libdir)\" \	8	-DLIBDIR=\"$(libdir)\" \
11	-DVARDIR=\"$(localstatedir)\" \	9	-DVARDIR=\"$(localstatedir)\" \
12	-DSHLIBEXT=\"$(SHLIBEXT)\" \	10	-DSSS_STATEDIR=\"$(sss_statedir)\" \
13	@@ -378,6 +379,7 @@ SSSD_LIBS = \	11	@@ -614,6 +615,7 @@
		12	$(COLLECTION_LIBS) \
14	$(DHASH_LIBS) \	13	$(DHASH_LIBS) \
15	$(SSS_CRYPT_LIBS) \
16	$(OPENLDAP_LIBS) \	14	$(OPENLDAP_LIBS) \
17	+ $(LTLIBINTL) \	15	+ $(LTLIBINTL) \
		16	$(SELINUX_LIBS) \
18	$(TDB_LIBS)	17	$(TDB_LIBS)
19		18
20	PYTHON_BINDINGS_LIBS = \	19	@@ -667,6 +669,7 @@
21	@@ -433,6 +435,7 @@ dist_noinst_HEADERS = \
22	src/util/sss_ssh.h \	20	src/util/sss_ssh.h \
23	src/util/sss_ini.h \	21	src/util/sss_ini.h \
24	src/util/sss_format.h \	22	src/util/sss_format.h \
Lines 26-32 index fd74d85..4a7e6ae 100644 Link Here
26	src/util/refcount.h \	24	src/util/refcount.h \
27	src/util/find_uid.h \	25	src/util/find_uid.h \
28	src/util/user_info_msg.h \	26	src/util/user_info_msg.h \
29	@@ -1700,9 +1703,10 @@ endif	27	@@ -3562,9 +3565,10 @@
30	# Client Libraries #	28	# Client Libraries #
31	####################	29	####################
32		30
Lines 39-47 index fd74d85..4a7e6ae 100644 Link Here
39	src/sss_client/nss_passwd.c \	37	src/sss_client/nss_passwd.c \
40	src/sss_client/nss_group.c \	38	src/sss_client/nss_group.c \
41	src/sss_client/nss_netgroup.c \	39	src/sss_client/nss_netgroup.c \
42	@@ -1715,9 +1719,9 @@ libnss_sss_la_SOURCES = \	40	@@ -3578,9 +3582,9 @@
43	src/sss_client/nss_mc_passwd.c \
44	src/sss_client/nss_mc_group.c \	41	src/sss_client/nss_mc_group.c \
		42	src/sss_client/nss_mc_initgr.c \
45	src/sss_client/nss_mc.h	43	src/sss_client/nss_mc.h
46	-libnss_sss_la_LIBADD = \	44	-libnss_sss_la_LIBADD = \
47	+nss_sss_la_LIBADD = \	45	+nss_sss_la_LIBADD = \
Lines 51-61 index fd74d85..4a7e6ae 100644 Link Here
51	-module \	49	-module \
52	-version-info 2:0:0 \	50	-version-info 2:0:0 \
53	-Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports	51	-Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
54	@@ -2086,6 +2090,7 @@ ldap_child_LDADD = \	52	@@ -4053,6 +4057,7 @@
		53	$(TALLOC_LIBS) \
55	$(POPT_LIBS) \	54	$(POPT_LIBS) \
56	$(OPENLDAP_LIBS) \
57	$(DHASH_LIBS) \	55	$(DHASH_LIBS) \
58	+ $(LTLIBINTL) \	56	+ $(LTLIBINTL) \
59	$(KRB5_LIBS)	57	$(KRB5_LIBS)
60		58
61	proxy_child_SOURCES = \	59	if BUILD_SEMANAGE

Removed Link Here

(-)a/security/sssd/files/patch-configure.ac (-21 lines)
1	--- configure.ac.orig 2013-11-06 18:35:03 UTC
2	+++ configure.ac
3	@@ -5,15 +5,15 @@ AC_INIT([sssd],
4	VERSION_NUMBER,
5	[sssd-devel@lists.fedorahosted.org])
6
7	+AC_CONFIG_SRCDIR([BUILD.txt])
8	+AC_CONFIG_AUX_DIR([build])
9	+
10	m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
11	[AC_USE_SYSTEM_EXTENSIONS],
12	[AC_GNU_SOURCE])
13
14	CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
15
16	-AC_CONFIG_SRCDIR([BUILD.txt])
17	-AC_CONFIG_AUX_DIR([build])
18	-
19	AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax])
20	AM_PROG_CC_C_O
21	m4_ifdef([AM_PROG_AR], [AM_PROG_AR])

Lines 1-12 Link Here

(-)b/security/sssd/files/patch-src__external__krb5.m4 (-7 / +4 lines)
1	diff --git src/external/krb5.m4 src/external/krb5.m4	1	--- src/external/krb5.m4.ga 2017-07-25 10:09:02.000000000 +0000
2	index 861c8c9..978ec03 100644	2	+++ src/external/krb5.m4 2017-08-03 16:57:39.646287000 +0000
3	--- src/external/krb5.m4	3	@@ -10,6 +10,7 @@
4	+++ src/external/krb5.m4
5	@@ -9,7 +9,7 @@ if test x$KRB5_CFLAGS != x; then
6	KRB5_PASSED_CFLAGS=$KRB5_CFLAGS
7	fi	4	fi
8		5
9	-AC_PATH_PROG(KRB5_CONFIG, krb5-config)	6	AC_PATH_TOOL(KRB5_CONFIG, krb5-config)
10	+AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])	7	+AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
11	AC_MSG_CHECKING(for working krb5-config)	8	AC_MSG_CHECKING(for working krb5-config)
12	if test -x "$KRB5_CONFIG"; then	9	if test -x "$KRB5_CONFIG"; then

Lines 1-7 Link Here

(-)b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c (-51 / +38 lines)
1	diff --git src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_auth.c	1	--- src/providers/ldap/ldap_auth.c.ga 2017-07-25 10:09:02.000000000 +0000
2	index 2aacce0..e019cf7 100644	2	+++ src/providers/ldap/ldap_auth.c 2017-08-03 18:07:22.269610000 +0000
3	--- src/providers/ldap/ldap_auth.c
4	+++ src/providers/ldap/ldap_auth.c
5	@@ -37,7 +37,6 @@	3	@@ -37,7 +37,6 @@
6	#include <sys/time.h>	4	#include <sys/time.h>
7	#include <strings.h>	5	#include <strings.h>
Lines 10-18 index 2aacce0..e019cf7 100644 Link Here
10	#include <security/pam_modules.h>	8	#include <security/pam_modules.h>
11		9
12	#include "util/util.h"	10	#include "util/util.h"
13	@@ -56,6 +55,22 @@ enum pwexpire {	11	@@ -52,6 +51,22 @@
14	PWEXPIRE_SHADOW	12
15	};	13	#define LDAP_PWEXPIRE_WARNING_TIME 0
16		14
17	+struct spwd	15	+struct spwd
18	+{	16	+{
Lines 22-52 index 2aacce0..e019cf7 100644 Link Here
22	+ long int sp_min; /* Minimum number of days between changes. */	20	+ long int sp_min; /* Minimum number of days between changes. */
23	+ long int sp_max; /* Maximum number of days between changes. */	21	+ long int sp_max; /* Maximum number of days between changes. */
24	+ long int sp_warn; /* Number of days to warn user to change	22	+ long int sp_warn; /* Number of days to warn user to change
25	+ the password. */	23	+ the password. */
26	+ long int sp_inact; /* Number of days the account may be	24	+ long int sp_inact; /* Number of days the account may be
27	+ inactive. */	25	+ inactive. */
28	+ long int sp_expire; /* Number of days since 1970-01-01 until	26	+ long int sp_expire; /* Number of days since 1970-01-01 until
29	+ account expires. */	27	+ account expires. */
30	+ unsigned long int sp_flag; /* Reserved. */	28	+ unsigned long int sp_flag; /* Reserved. */
31	+};	29	+};
32	+	30	+
33	static errno_t add_expired_warning(struct pam_data *pd, long exp_time)	31	static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
34	{	32	{
35	int ret;	33	int ret;
36	@@ -109,6 +124,7 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,	34	@@ -97,9 +112,9 @@
37	return EINVAL;
38	}
39
40	+ tzset();
41	expire_time = mktime(&tm);
42	if (expire_time == -1) {
43	DEBUG(SSSDBG_CRIT_FAILURE,
44	@@ -116,12 +132,10 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
45	return EINVAL;
46	}	35	}
47		36
48	- tzset();
49	- expire_time -= timezone;
50	DEBUG(SSSDBG_TRACE_ALL,	37	DEBUG(SSSDBG_TRACE_ALL,
51	- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "	38	- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
52	- "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],	39	- "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],
Lines 57-81 index 2aacce0..e019cf7 100644 Link Here
57		44
58	if (difftime(now, expire_time) > 0.0) {	45	if (difftime(now, expire_time) > 0.0) {
59	DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");	46	DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");
60	@@ -924,7 +938,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)	47	@@ -935,7 +950,7 @@
61	DEBUG(SSSDBG_OP_FAILURE,
62	"starting password change request for user [%s].\n", pd->user);
63		48
		49	state->pd = pd;
		50	state->be_ctx = params->be_ctx;
64	- pd->pam_status = PAM_SYSTEM_ERR;	51	- pd->pam_status = PAM_SYSTEM_ERR;
65	+ pd->pam_status = PAM_SERVICE_ERR;	52	+ pd->pam_status = PAM_SERVICE_ERR;
66		53
67	if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {	54	switch (pd->cmd) {
68	DEBUG(SSSDBG_OP_FAILURE,	55	case SSS_PAM_AUTHENTICATE:
69	@@ -1069,7 +1083,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)	56	@@ -1038,7 +1053,7 @@
70	dp_err = DP_ERR_OFFLINE;	57	state->pd->pam_status = PAM_BAD_ITEM;
71	break;	58	break;
72	default:	59	default:
73	- state->pd->pam_status = PAM_SYSTEM_ERR;	60	- state->pd->pam_status = PAM_SYSTEM_ERR;
74	+ state->pd->pam_status = PAM_SERVICE_ERR;	61	+ state->pd->pam_status = PAM_SERVICE_ERR;
		62	break;
75	}	63	}
76		64
77	done:	65	@@ -1131,7 +1146,7 @@
78	@@ -1131,7 +1145,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req)	66	DEBUG(SSSDBG_OP_FAILURE,
		67	"starting password change request for user [%s].\n", pd->user);
		68
		69	- pd->pam_status = PAM_SYSTEM_ERR;
		70	+ pd->pam_status = PAM_SERVICE_ERR;
		71
		72	if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
		73	DEBUG(SSSDBG_OP_FAILURE,
		74	@@ -1280,7 +1295,7 @@
		75	be_mark_offline(state->be_ctx);
		76	break;
		77	default:
		78	- state->pd->pam_status = PAM_SYSTEM_ERR;
		79	+ state->pd->pam_status = PAM_SERVICE_ERR;
		80	break;
		81	}
		82
		83	@@ -1342,7 +1357,7 @@
79	state->sh, state->dn,	84	state->sh, state->dn,
80	lastchanged_name);	85	lastchanged_name);
81	if (subreq == NULL) {	86	if (subreq == NULL) {
Lines 84-113 index 2aacce0..e019cf7 100644 Link Here
84	goto done;	89	goto done;
85	}	90	}
86		91
87	@@ -1152,7 +1166,7 @@ static void sdap_lastchange_done(struct tevent_req *req)	92	@@ -1368,7 +1383,7 @@
		93	talloc_free(subreq);
88		94
89	ret = sdap_modify_shadow_lastchange_recv(req);
90	if (ret != EOK) {	95	if (ret != EOK) {
91	- state->pd->pam_status = PAM_SYSTEM_ERR;	96	- state->pd->pam_status = PAM_SYSTEM_ERR;
92	+ state->pd->pam_status = PAM_SERVICE_ERR;	97	+ state->pd->pam_status = PAM_SERVICE_ERR;
93	goto done;	98	goto done;
94	}	99	}
95		100
96	@@ -1193,7 +1207,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
97	goto done;
98	}
99
100	- pd->pam_status = PAM_SYSTEM_ERR;
101	+ pd->pam_status = PAM_SERVICE_ERR;
102
103	switch (pd->cmd) {
104	case SSS_PAM_AUTHENTICATE:
105	@@ -1291,7 +1305,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
106	state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
107	break;
108	default:
109	- state->pd->pam_status = PAM_SYSTEM_ERR;
110	+ state->pd->pam_status = PAM_SERVICE_ERR;
111	dp_err = DP_ERR_FATAL;
112	}
113

Lines 1-21 Link Here

(-)b/security/sssd/files/patch-src__providers__ldap__sdap_access.c (-17 / +3 lines)
1	diff --git src/providers/ldap/sdap_access.c src/providers/ldap/sdap_access.c	1	--- src/providers/ldap/sdap_access.c.ga 2017-07-25 10:09:02.000000000 +0000
2	index 880735e..d349dcf 100644	2	+++ src/providers/ldap/sdap_access.c 2017-08-03 18:27:25.934434000 +0000
3	--- src/providers/ldap/sdap_access.c	3	@@ -556,9 +556,9 @@
4	+++ src/providers/ldap/sdap_access.c
5	@@ -499,6 +499,7 @@ static bool nds_check_expired(const char *exp_time_str)
6	return true;
7	}
8		4
9	+ tzset();
10	expire_time = mktime(&tm);
11	if (expire_time == -1) {
12	DEBUG(SSSDBG_CRIT_FAILURE,
13	@@ -506,13 +507,11 @@ static bool nds_check_expired(const char *exp_time_str)
14	return true;
15	}
16
17	- tzset();
18	- expire_time -= timezone;
19	now = time(NULL);	5	now = time(NULL);
20	DEBUG(SSSDBG_TRACE_ALL,	6	DEBUG(SSSDBG_TRACE_ALL,
21	- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "	7	- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "

Lines 1-7 Link Here

(-)b/security/sssd/files/patch-src__sss_client__common.c (-11 / +19 lines)
1	diff --git src/sss_client/common.c src/sss_client/common.c	1	--- src/sss_client/common.c.ga 2017-07-25 10:09:02.000000000 +0000
2	index ec5c708..5d17eed 100644	2	+++ src/sss_client/common.c 2017-08-03 18:50:08.436441000 +0000
3	--- src/sss_client/common.c
4	+++ src/sss_client/common.c
5	@@ -25,6 +25,7 @@	3	@@ -25,6 +25,7 @@
6	#include "config.h"	4	#include "config.h"
7		5
Lines 18-24 index ec5c708..5d17eed 100644 Link Here
18		16
19	#if HAVE_PTHREAD	17	#if HAVE_PTHREAD
20	#include <pthread.h>	18	#include <pthread.h>
21	@@ -124,7 +126,6 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,	19	@@ -124,7 +126,6 @@
22	*errnop = error;	20	*errnop = error;
23	break;	21	break;
24	case 0:	22	case 0:
Lines 26-32 index ec5c708..5d17eed 100644 Link Here
26	break;	24	break;
27	case 1:	25	case 1:
28	if (pfd.revents & (POLLERR \| POLLHUP \| POLLNVAL)) {	26	if (pfd.revents & (POLLERR \| POLLHUP \| POLLNVAL)) {
29	@@ -232,7 +233,6 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,	27	@@ -232,7 +233,6 @@
30	*errnop = error;	28	*errnop = error;
31	break;	29	break;
32	case 0:	30	case 0:
Lines 34-40 index ec5c708..5d17eed 100644 Link Here
34	break;	32	break;
35	case 1:	33	case 1:
36	if (pfd.revents & (POLLHUP)) {	34	if (pfd.revents & (POLLHUP)) {
37	@@ -669,7 +669,6 @@ static enum sss_status sss_cli_check_socket(int errnop, const char socket_name	35	@@ -669,7 +669,6 @@
38	*errnop = error;	36	*errnop = error;
39	break;	37	break;
40	case 0:	38	case 0:
Lines 42-48 index ec5c708..5d17eed 100644 Link Here
42	break;	40	break;
43	case 1:	41	case 1:
44	if (pfd.revents & (POLLERR \| POLLHUP \| POLLNVAL)) {	42	if (pfd.revents & (POLLERR \| POLLHUP \| POLLNVAL)) {
45	@@ -719,23 +718,23 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd,	43	@@ -719,7 +718,7 @@
46	/* avoid looping in the nss daemon */	44	/* avoid looping in the nss daemon */
47	envval = getenv("_SSS_LOOPS");	45	envval = getenv("_SSS_LOOPS");
48	if (envval && strcmp(envval, "NO") == 0) {	46	if (envval && strcmp(envval, "NO") == 0) {
Lines 51-62 index ec5c708..5d17eed 100644 Link Here
51	}	49	}
52		50
53	ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME);	51	ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME);
54	if (ret != SSS_STATUS_SUCCESS) {	52	@@ -729,7 +728,7 @@
		53	errno = 0;
		54	return NSS_STATUS_NOTFOUND;
		55	#else
55	- return NSS_STATUS_UNAVAIL;	56	- return NSS_STATUS_UNAVAIL;
56	+ return NS_UNAVAIL;	57	+ return NS_UNAVAIL;
		58	#endif
57	}	59	}
58		60
59	ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop);	61	@@ -752,9 +751,9 @@
		62	}
60	switch (ret) {	63	switch (ret) {
61	case SSS_STATUS_TRYAGAIN:	64	case SSS_STATUS_TRYAGAIN:
62	- return NSS_STATUS_TRYAGAIN;	65	- return NSS_STATUS_TRYAGAIN;
Lines 66-73 index ec5c708..5d17eed 100644 Link Here
66	+ return NS_SUCCESS;	69	+ return NS_SUCCESS;
67	case SSS_STATUS_UNAVAIL:	70	case SSS_STATUS_UNAVAIL:
68	default:	71	default:
		72	#ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR
		73	@@ -762,7 +761,7 @@
		74	errno = 0;
		75	return NSS_STATUS_NOTFOUND;
		76	#else
69	- return NSS_STATUS_UNAVAIL;	77	- return NSS_STATUS_UNAVAIL;
70	+ return NS_UNAVAIL;	78	+ return NS_UNAVAIL;
		79	#endif
71	}	80	}
72	}	81	}
73

Lines 1-12 Link Here

(-)b/security/sssd/files/patch-src__util__server.c (-7 / +3 lines)
1	diff --git src/util/server.c src/util/server.c	1	--- src/util/server.c 2017-08-08 13:00:54.275998000 +0000
2	index 343668c..f8a1627 100644	2	+++ src/util/server.c 2017-08-08 13:05:02.782158000 +0000
3	--- src/util/server.c	3	@@ -307,10 +307,13 @@ static void setup_signals(void)
4	+++ src/util/server.c
5	@@ -322,12 +322,14 @@ static void setup_signals(void)
6	BlockSignals(false, SIGTERM);	4	BlockSignals(false, SIGTERM);
7		5
8	CatchSignal(SIGHUP, sig_hup);
9	-
10	#ifndef HAVE_PRCTL	6	#ifndef HAVE_PRCTL
11	- /* If prctl is not defined on the system, try to handle	7	- /* If prctl is not defined on the system, try to handle
12	- * some common termination signals gracefully */	8	- * some common termination signals gracefully */

Removed Link Here

(-)a/security/sssd/files/patch-src__util__signal.c (-72 lines)
1	diff --git src/util/signal.c src/util/signal.c
2	index 053457b..bb8f8be 100644
3	--- src/util/signal.c
4	+++ src/util/signal.c
5	@@ -28,45 +28,6 @@
6	* @brief Signal handling
7	*/
8
9	-/****************************************************************************
10	- Catch child exits and reap the child zombie status.
11	-****************************************************************************/
12	-
13	-static void sig_cld(int signum)
14	-{
15	- while (waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
16	- ;
17	-
18	- /*
19	- * Turns out it's really important not to
20	- * restore the signal handler here if we have real POSIX
21	- * signal handling. If we do, then we get the signal re-delivered
22	- * immediately - hey presto - instant loop ! JRA.
23	- */
24	-
25	-#if !defined(HAVE_SIGACTION)
26	- CatchSignal(SIGCLD, sig_cld);
27	-#endif
28	-}
29	-
30	-/****************************************************************************
31	-catch child exits - leave status;
32	-****************************************************************************/
33	-
34	-static void sig_cld_leave_status(int signum)
35	-{
36	- /*
37	- * Turns out it's really important not to
38	- * restore the signal handler here if we have real POSIX
39	- * signal handling. If we do, then we get the signal re-delivered
40	- * immediately - hey presto - instant loop ! JRA.
41	- */
42	-
43	-#if !defined(HAVE_SIGACTION)
44	- CatchSignal(SIGCLD, sig_cld_leave_status);
45	-#endif
46	-}
47	-
48	/**
49	Block sigs.
50	**/
51	@@ -126,21 +87,3 @@ void (CatchSignal(int signum,void (handler)(int )))(int)
52	return signal(signum, handler);
53	#endif
54	}
55	-
56	-/**
57	- Ignore SIGCLD via whatever means is necessary for this OS.
58	-**/
59	-
60	-void CatchChild(void)
61	-{
62	- CatchSignal(SIGCLD, sig_cld);
63	-}
64	-
65	-/**
66	- Catch SIGCLD but leave the child around so it's status can be reaped.
67	-**/
68	-
69	-void CatchChildLeaveStatus(void)
70	-{
71	- CatchSignal(SIGCLD, sig_cld_leave_status);
72	-}

Lines 1-23 Link Here

(-)b/security/sssd/files/patch-src__util__sss_ldap.c (-18 / +7 lines)
1	diff --git src/util/sss_ldap.c src/util/sss_ldap.c	1	--- src/util/sss_ldap.c 2017-08-08 13:26:57.528648000 +0000
2	index dd63b4b..0764622 100644	2	+++ src/util/sss_ldap.c 2017-08-08 15:26:30.504250000 +0000
3	--- src/util/sss_ldap.c	3	@@ -214,6 +214,9 @@ static errno_t unset_fcntl_flags(int fd,
4	+++ src/util/sss_ldap.c	4	flags &= ~fl_flags;
5	@@ -206,6 +206,9 @@ static void sdap_async_sys_connect_done(struct tevent_context *ev,	5
6	errno = 0;	6	ret = fcntl(fd, F_SETFL, flags);
7	ret = connect(state->fd, (struct sockaddr *) &state->addr,
8	state->addr_len);
9	+ if (errno == EISCONN) {	7	+ if (errno == EISCONN) {
10	+ ret = EOK;	8	+ ret = EOK;
11	+ }	9	+ }
12	if (ret != EOK) {	10	if (ret != EOK) {
13	ret = errno;	11	ret = errno;
14	if (ret == EINPROGRESS \|\| ret == EINTR) {	12	DEBUG(SSSDBG_CRIT_FAILURE,
15	@@ -346,7 +349,7 @@ struct tevent_req sss_ldap_init_send(TALLOC_CTX mem_ctx,
16	"Using file descriptor [%d] for LDAP connection.\n", state->sd);
17
18	subreq = sdap_async_sys_connect_send(state, ev, state->sd,
19	- (struct sockaddr *) addr, addr_len);
20	+ (struct sockaddr *) addr, sizeof(struct sockaddr));
21	if (subreq == NULL) {
22	ret = ENOMEM;
23	DEBUG(SSSDBG_CRIT_FAILURE, "sdap_async_sys_connect_send failed.\n");

Lines 1-20 Link Here

(-)b/security/sssd/files/patch-src__util__util.h (-15 / +5 lines)
1	diff --git src/util/util.h src/util/util.h	1	--- src/util/util.h.ga 2017-08-08 16:36:09.070328000 +0000
2	index 7a66846..5e63275 100644	2	+++ src/util/util.h 2017-08-08 16:45:26.801638000 +0000
3	--- src/util/util.h	3	@@ -618,6 +618,7 @@ char * sss_replace_space(TALLOC_CTX *mem
4	+++ src/util/util.h
5	@@ -227,8 +227,6 @@ void sig_term(int sig);
6	#include <signal.h>
7	void BlockSignals(bool block, int signum);
8	void (CatchSignal(int signum,void (handler)(int )))(int);
9	-void CatchChild(void);
10	-void CatchChildLeaveStatus(void);
11
12	/* from memory.c */
13	typedef int (void_destructor_fn_t)(void *);
14	@@ -542,5 +540,6 @@ char * sss_replace_space(TALLOC_CTX *mem_ctx,
15	char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx,	4	char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx,
16	const char *orig_name,	5	const char *orig_name,
17	const char replace_char);	6	const char replace_char);
18	+#include "util/sss_bsd_errno.h"	7	+#include "util/sss_bsd_errno.h"
19		8
20	#endif /* __SSSD_UTIL_H__ */	9	#define GUID_BIN_LENGTH 16
		10	/* 16 2-digit hex values + 4 dashes + terminating 0 */

Lines 1-22 Link Here

(-)b/security/sssd/files/patch-src_external_pac__responder.m4 (-17 / +6 lines)
1	--- src/external/pac_responder.m4.orig 2014-09-17 13:01:37 UTC	1	--- src/external/pac_responder.m4.ga 2017-08-08 16:52:35.337535000 +0000
2	+++ src/external/pac_responder.m4	2	+++ src/external/pac_responder.m4 2017-08-08 16:55:22.087338000 +0000
3	@@ -14,14 +14,17 @@ then	3	@@ -7,7 +7,7 @@ AC_ARG_ENABLE([pac-responder],
4	PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac, ndr_krb5pac_ok=yes,	4	krb5_version_ok=no
5	AC_MSG_WARN([Cannot build pac responder without libndr_krb5pac]))	5	if test x$build_pac_responder = xyes
6		6	then
7	- AC_PATH_PROG(KRB5_CONFIG, krb5-config)	7	- AC_PATH_PROG(KRB5_CONFIG, krb5-config)
8	+ AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])	8	+ AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
9	AC_MSG_CHECKING(for supported MIT krb5 version)	9	AC_MSG_CHECKING(for supported MIT krb5 version)
10	KRB5_VERSION="`$KRB5_CONFIG --version`"	10	KRB5_VERSION="`$KRB5_CONFIG --version`"
11	case $KRB5_VERSION in	11	case $KRB5_VERSION in
12	Kerberos\ 5\ release\ 1.9* \| \
13	Kerberos\ 5\ release\ 1.10* \| \
14	Kerberos\ 5\ release\ 1.11* \| \
15	- Kerberos\ 5\ release\ 1.12*)
16	+ Kerberos\ 5\ release\ 1.12* \| \
17	+ Kerberos\ 5\ release\ 1.13* \| \
18	+ Kerberos\ 5\ release\ 1.14* \| \
19	+ Kerberos\ 5\ release\ 1.15*)
20	krb5_version_ok=yes
21	AC_MSG_RESULT([yes])
22	;;