From bsam@ipt.ru  Thu Apr 27 22:56:05 2006
Return-Path: <bsam@ipt.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3476116A400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Apr 2006 22:56:05 +0000 (UTC)
	(envelope-from bsam@ipt.ru)
Received: from mail.ipt.ru (mail.ipt.ru [80.253.10.82])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BABB343D45
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Apr 2006 22:56:04 +0000 (GMT)
	(envelope-from bsam@ipt.ru)
Received: from stat.sem.ipt.ru ([192.168.12.1] helo=srv.sem.ipt.ru)
	by mail.ipt.ru with esmtp (Exim 4.54 (FreeBSD))
	id 1FZFP0-000K1Y-Ur
	for FreeBSD-gnats-submit@freebsd.org; Fri, 28 Apr 2006 02:56:03 +0400
Received: from bsam by srv.sem.ipt.ru with local (Exim 4.61 (FreeBSD))
	(envelope-from <bsam@ipt.ru>)
	id 1FZFOo-000Jt5-Qz
	for FreeBSD-gnats-submit@freebsd.org; Fri, 28 Apr 2006 02:55:50 +0400
Message-Id: <E1FZFOo-000Jt5-Qz@srv.sem.ipt.ru>
Date: Fri, 28 Apr 2006 02:55:50 +0400
From: Boris B. Samorodov <bsam@ipt.ru>
Reply-To: Boris B. Samorodov <bsam@ipt.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] x11/xorg-clients: logging on xdm with pam_krb does not create a ticket file
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         96436
>Category:       ports
>Synopsis:       [patch] x11/xorg-clients: logging on xdm with pam_krb does not create a ticket file
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-x11
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 27 23:00:34 GMT 2006
>Closed-Date:    Fri May 25 02:37:09 GMT 2007
>Last-Modified:  Fri May 25 02:37:09 GMT 2007
>Originator:     Boris B. Samorodov
>Release:        FreeBSD 6.1-RC i386
>Organization:
InPharmTech, Co. http://www.ipt.ru
>Environment:
System: FreeBSD srv.sem.ipt.ru 6.1-RC FreeBSD 6.1-RC #1: Fri Apr 14 18:29:53 MSD 2006 bsam@srv.sem.ipt.ru:/usr/obj/usr/src/sys/SRV i386

>Description:
	Current xdm code doesn't create a ticket file when logging on
	xdm using pam_krb5. You are authenticated by Kerberos and get
	the GUI, but not the ticket file.

	The function pam_setcred() at xdm/session.c is never reached.

	Note: I can't say that it is a good solution -- just to copy
	the code which is never reached to a new place. But it works
	for me.
>How-To-Repeat:
	1. Install x11/xorg-clients.
	2. Create a Kerberos account at the KDC.
	3. Uncomment the next line in /etc/pam.d/xdm:
           auth            sufficient      pam_krb5.so             try_first_pass
	4. Load xdm.
	5. Log in on xdm with the Kerberos account.
	6. Run klist. (No ticket file)
>Fix:
	The patch is relative to the port:
	# cd ports/x11
	# patch -p0 < _the_patch_
	<delete xorg-clients/*.orig, xorg-clients/files/*.orig>

===== the patch begins here =====
diff -ruN xorg-clients.orig/Makefile xorg-clients/Makefile
--- xorg-clients.orig/Makefile	Fri Apr 28 02:28:18 2006
+++ xorg-clients/Makefile	Fri Apr 28 02:29:30 2006
@@ -7,7 +7,7 @@
 
 PORTNAME=	xorg-clients
 PORTVERSION=	6.9.0
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	x11
 MASTER_SITES=	${MASTER_SITE_XORG}
 MASTER_SITE_SUBDIR=	X11R${PORTVERSION}/src
diff -ruN xorg-clients.orig/files/patch-xdm_session.c xorg-clients/files/patch-xdm_session.c
--- xorg-clients.orig/files/patch-xdm_session.c	Fri Apr 28 02:28:18 2006
+++ xorg-clients/files/patch-xdm_session.c	Fri Apr 28 01:46:29 2006
@@ -8,7 +8,7 @@
  #endif
  #ifdef K5AUTH
  # include <krb5/krb5.h>
-@@ -529,6 +528,7 @@
+@@ -533,6 +532,7 @@
      int	pid;
  #ifdef HAS_SETUSERCONTEXT
      struct passwd* pwd;
@@ -16,7 +16,20 @@
  #endif
  #ifdef USE_PAM
      pam_handle_t *pamh = thepamh ();
-@@ -610,6 +610,8 @@
+@@ -576,6 +576,12 @@
+ 	    for(i = 0; pam_env && pam_env[i]; i++) {
+ 		verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
+ 	    }
++	    pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
++	    if (pam_error != PAM_SUCCESS) {
++		LogError ("pam_setcred for \"%s\" failed: %s\n",
++			 name, pam_strerror(pamh, pam_error));
++		return(0);
++	    }
+ 	}
+ #endif
+ 
+@@ -648,6 +654,8 @@
  	 * Set the user's credentials: uid, gid, groups,
  	 * environment variables, resource limits, and umask.
  	 */
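Review bot: The added pam_setcred (pamh, PAM_ESTABLISH_CRED) call sits after the loop that copies pam_env into verify->userEnviron, so any variable a module exports while establishing credentials never reaches the session environment; place the call ahead of that loop or read the PAM environment again after it. Because the description says this is a copy of an existing call that is not reached on this build, the original call should be removed or guarded in the same change, otherwise a build that does reach it runs pam_setcred twice for one login.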
@@ -25,7 +38,7 @@
  	pwd = getpwnam(name);
  	if (pwd) {
  	    if (setusercontext(NULL, pwd, pwd->pw_uid, LOGIN_SETALL) < 0) {
-@@ -617,6 +619,7 @@
+@@ -655,6 +663,7 @@
  		    errno);
  		return (0);
  	    }
===== the patch ends here =====

WBR
-- 
bsam
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-x11 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Apr 27 23:08:11 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96436 

From: Dejan Lesjak <dejan.lesjak@ijs.si>
To: bug-followup@freebsd.org,
 bsam@ipt.ru
Cc:  
Subject: Re: ports/96436: [patch] x11/xorg-clients: logging on xdm with pam_krb does not create a ticket file
Date: Wed, 10 May 2006 10:16:11 +0200

 This would seem to be bug #4765 in X.org bugzilla: 
 https://bugs.freedesktop.org/show_bug.cgi?id=4765
 Could you try if the attached patch from there taken from X.org CVS works for 
 you?
 
 Index: Makefile
 ===================================================================
 RCS file: /usr/local/repos/freebsd/ports/x11/xorg-clients/Makefile,v
 retrieving revision 1.24
 diff -u -r1.24 Makefile
 --- Makefile	9 May 2006 15:53:39 -0000	1.24
 +++ Makefile	10 May 2006 08:09:35 -0000
 @@ -7,7 +7,7 @@
  
  PORTNAME=	xorg-clients
  PORTVERSION=	6.9.0
 -PORTREVISION=	3
 +PORTREVISION=	4
  CATEGORIES=	x11
  MASTER_SITES=	${MASTER_SITE_XORG}
  MASTER_SITE_SUBDIR=	X11R${PORTVERSION}/src
 Index: files/patch-xdm_session.c
 ===================================================================
 RCS file: /usr/local/repos/freebsd/ports/x11/xorg-clients/files/patch-xdm_session.c,v
 retrieving revision 1.2
 diff -u -r1.2 patch-xdm_session.c
 --- files/patch-xdm_session.c	17 Jun 2004 01:53:09 -0000	1.2
 +++ files/patch-xdm_session.c	10 May 2006 08:04:17 -0000
 @@ -1,5 +1,5 @@
 ---- programs/xdm/session.c.orig	Thu Mar  4 09:48:55 2004
 -+++ programs/xdm/session.c	Wed Jun 16 16:59:46 2004
 +--- programs/xdm/session.c.orig	Wed May 10 10:01:21 2006
 ++++ programs/xdm/session.c	Wed May 10 10:01:09 2006
  @@ -55,7 +55,6 @@
   #ifdef SECURE_RPC
   # include <rpc/rpc.h>
 @@ -8,7 +8,7 @@
   #endif
   #ifdef K5AUTH
   # include <krb5/krb5.h>
 -@@ -529,6 +528,7 @@
 +@@ -533,6 +532,7 @@
       int	pid;
   #ifdef HAS_SETUSERCONTEXT
       struct passwd* pwd;
 @@ -16,7 +16,48 @@
   #endif
   #ifdef USE_PAM
       pam_handle_t *pamh = thepamh ();
 -@@ -610,6 +610,8 @@
 +@@ -568,17 +568,6 @@
 + 
 + 	/* Do system-dependent login setup here */
 + 
 +-#ifdef USE_PAM
 +-	/* pass in environment variables set by libpam and modules it called */
 +-	if (pamh) {
 +-	    long i;
 +-	    char **pam_env = pam_getenvlist(pamh);
 +-	    for(i = 0; pam_env && pam_env[i]; i++) {
 +-		verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
 +-	    }
 +-	}
 +-#endif
 +-
 + #ifdef USESECUREWARE
 +         Debug ("set_identity: uid=%d\n", userp->pw.pw_uid);
 +         ret = smp_set_identity (userp, &reason, &smpenv, &smpshell);
 +@@ -630,12 +619,22 @@
 + #endif   /* QNX4 doesn't support multi-groups, no initgroups() */
 + #ifdef USE_PAM
 + 	if (pamh) {
 ++	    long i;
 ++	    char **pam_env;
 ++
 + 	    pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);
 + 	    if (pam_error != PAM_SUCCESS) {
 + 		LogError ("pam_setcred for \"%s\" failed: %s\n",
 + 			 name, pam_strerror(pamh, pam_error));
 + 		return(0);
 + 	    }
 ++
 ++	    /* pass in environment variables set by libpam and modules it called */
 ++	    pam_env = pam_getenvlist(pamh);
 ++	    for(i = 0; pam_env && pam_env[i]; i++) {
 ++		verify->userEnviron = putEnv(pam_env[i], verify->userEnviron);
 ++	    }
 ++
 + 	}
 + #endif
 + 	if (setuid(verify->uid) < 0) {
 +@@ -648,6 +647,8 @@
   	 * Set the user's credentials: uid, gid, groups,
   	 * environment variables, resource limits, and umask.
   	 */
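Review bot: Moving the pam_getenvlist() loop out of the "Do system-dependent login setup here" section and into the `if (pamh)` block beside pam_setcred makes the environment import depend on that block being compiled. If that block is built only when HAS_SETUSERCONTEXT is not defined, as the follow-up in this PR reports, a build with HAS_SETUSERCONTEXT would skip both pam_setcred and the PAM environment, so the same setcred-then-getenvlist sequence also needs to run on the setusercontext() path. The ordering itself, pam_setcred first and pam_getenvlist after it, is the right one.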
 @@ -25,7 +66,7 @@
   	pwd = getpwnam(name);
   	if (pwd) {
   	    if (setusercontext(NULL, pwd, pwd->pw_uid, LOGIN_SETALL) < 0) {
 -@@ -617,6 +619,7 @@
 +@@ -655,6 +656,7 @@
   		    errno);
   		return (0);
   	    }
 
State-Changed-From-To: open->feedback 
State-Changed-By: lesi 
State-Changed-When: Wed May 10 08:54:01 UTC 2006 
State-Changed-Why:  



From: Boris Samorodov <bsam@ipt.ru>
To: Dejan Lesjak <dejan.lesjak@ijs.si>
Cc: bug-followup@freebsd.org
Subject: Re: ports/96436: [patch] x11/xorg-clients: logging on xdm with pam_krb does not create a ticket file
Date: Wed, 10 May 2006 14:12:53 +0400

 On Wed, 10 May 2006 10:16:11 +0200 Dejan Lesjak wrote:
 
 > This would seem to be bug #4765 in X.org bugzilla: 
 > https://bugs.freedesktop.org/show_bug.cgi?id=4765
 > Could you try if the attached patch from there taken from X.org CVS works for 
 > you?
 
 I tested the first patch. It doesn't help.
 
 The problem from X.org bugzilla is with not defining KRB5CCNAME. The
 problem I wrote about is with not doing pam_setcred () -- the code is
 not reached. It is located inside "#ifndef HAS_SETUSERCONTEXT", but I
 have HAS_SETUSERCONTEXT defined. I added some debug info to session.c
 file:
 =====
 --- session.c.orig      Wed May 10 13:52:17 2006
 +++ session.c   Wed May 10 13:27:42 2006
 @@ -599,6 +599,7 @@
  #endif
  
  #ifndef AIXV3
 +       LogError ("bsam: HAS_SETUSERCONTEXT = %i\n", HAS_SETUSERCONTEXT);
  #ifndef HAS_SETUSERCONTEXT
         if (setgid(verify->gid) < 0) {
             LogError ("setgid %d (user \"%s\") failed, errno=%d\n",
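Review bot: The added LogError line passes HAS_SETUSERCONTEXT as a %i argument, which compiles only when the macro is defined with a value, so the probe cannot report the undefined case it sits directly in front of. A pair of messages under #ifdef/#else would cover both outcomes, and Debug() would keep the probe out of the error log.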
 =====
 
 And get a message while running xdm with debug:
 =====
 xdm error (pid 1160): bsam: HAS_SETUSERCONTEXT = 1
 =====
 
 Hence the code with pam_setcred () is never reached. That's why I've
 had to place the code with this function call outside.
 
 
 WBR
 -- 
 Boris B. Samorodov, Research Engineer
 InPharmTech Co,     http://www.ipt.ru
 Telephone & Internet Service Provider
State-Changed-From-To: feedback->open 
State-Changed-By: ceri 
State-Changed-When: Mon Jun 5 15:05:37 UTC 2006 
State-Changed-Why:  
Feedback received, thanks. 

State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Fri May 25 02:36:57 UTC 2007 
State-Changed-Why:  
Since the latest xorg import, this port no longer exists.  If this is 
still a problem with the latest import, please open a new PR. 

Thanks for your patience. 

>Unformatted:
