ipa-kdb: support KDB DAL version 6.1 #410
Conversation
|
Are there any plans how to handle 6.0? Should configure at least show a warning if KRB5_KDB_DAL_MAJOR_VERSION == 6 but no free e_data callback was found? Should the .min_ver in the kdb_function_table be set to '1' if there is a free e_data callback? |
abbra
force-pushed
the
krb5-1-15-DAL-changes
branch
from
e4c0982
to
a6c0013
Compare
|
Thanks for the suggestions. I've updated the configure check to explicitly warn when both .free_principal and .free_principal_e_data are missing. DAL version 5 had .free_principal and we do not support any other DAL versions yet, so this should be enough. I also merged definitions of the kdb_function_table for both DAL versions by adding corresponding initializers in the right places wrapped with the #ifdef-s. I think it will be better than the current duplication, considering we need to support three different API variations. |
|
abbra, we should also change how spec deps work |
|
Also I know you can use ifdefs to avoid copy&pasting large parts of the structure initialization but I would prefer 3 separate full inits based only on ifdefs on the DAL version numbers. Those tables cannot change so using ifdefs in them can only risk to introduce bugs in one of the versions rather than help reduce code duplication. |
|
@simo5 spec dependencies are separate from the code -- the spec will not help on Debian, for example. |
|
Doesn't kdb.h also export a MINOR version to test against ? |
|
I checked and can't find it ... facepalm |
|
No, no minor DAL version. That's why I had to resort to structure member checks in autoconf. |
|
There was talk of exporting a minor dal version but I think upstream explicitly doesn't want it. freeipa.spec.in should be modified if I understand correctly; otherwise this looks good. |
abbra
force-pushed
the
krb5-1-15-DAL-changes
branch
from
a6c0013
to
0972231
Compare
|
I split the tables into separate ones and also made independent #if/#endif blocks for them. Finally, I added a spec file guard to force using 1.15-5 or later version on Fedora 26 or later. |
freeipa.spec.in
Outdated
| @@ -57,8 +57,12 @@ Source0: freeipa-%{version}.tar.gz | |||
| BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) | |||
|
|
|||
| BuildRequires: openldap-devel | |||
| %if 0%{?fedora} > 25 | |||
| BuildRequires: krb5-devel >= 1.15-5 | |||
There was a problem hiding this comment.
@frozencemetery introduced a provides that expicitly marks DAL versions, can we use that provide instead of a version number ?
There was a problem hiding this comment.
Field is named krb5-kdb-version, and 1.15.5 sets it to 6.1.
There was a problem hiding this comment.
@simo5 @frozencemetery unfortunately, the provide of "krb5-kdb-version = 6.1" is on krb5-libs, not on krb5-devel, so I cannot do a buildrequires dependency this way.
|
@simo5 @frozencemetery unfortunately, the provide of "krb5-kdb-version = 6.1" is on krb5-libs, not on krb5-devel, so I cannot do a buildrequires dependency this way. |
|
@frozencemetery Should we provide krb5-kdb-version-devel from krb5-devel ? |
abbra
force-pushed
the
krb5-1-15-DAL-changes
branch
2 times, most recently
from
1d1fcf7
to
a08f150
Compare
|
Updated the spec file and the commit message. |
| # DAL version change may cause code crash or memory leaks, it is better to fail early. | ||
| %if 0%{?fedora} > 25 | ||
| BuildRequires: krb5-devel >= 1.15-5 | ||
| BuildRequires: krb5-kdb-version = 6.1 |
There was a problem hiding this comment.
Shouldn't we add this to Requires ad well ?
There was a problem hiding this comment.
No. krb5-kdb-version is in krb5-devel now, requiring krb5-devel to installed system is not needed. However, when building the package we'll get krb5 >= 1.15-5 due to 'krb5-kdb-version = 6.1' BuildRequire and, as result, Requires(post): krb5-server >= %{krb5_base_version} will be set which will force use of 1.15.
Granted, this could be not enough but released version of F26 will have krb5-server 1.15-6 or later, so I think it is OK.
DAL version 6.0 removed support for a callback to free principal. This broke KDB drivers which had complex e_data structure within the principal structure. As result, FreeIPA KDB driver was leaking memory with DAL version 6.0 (krb5 1.15). DAL version 6.1 added a special callback for freeing e_data structure. See details at krb5/krb5#596 Restructure KDB driver code to provide this callback in case we are built against DAL version that supports it. For DAL version prior to 6.0 use this callback in the free_principal callback to tidy the code. Use explicit KDB version dependency in Fedora 26+ via BuildRequires. With new DAL version, freeipa package will fail to build and we'll have to add a support for new DAL version explicitly. https://fedorahosted.org/freeipa/ticket/6619
abbra
force-pushed
the
krb5-1-15-DAL-changes
branch
from
a08f150
to
2bbe7c1
Compare
|
I've rebased against master and added responses to inline comments in the PR. |
|
Fixed upstream |
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).
DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596
Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.
https://fedorahosted.org/freeipa/ticket/6619
On Fedora the required interface is available in krb5-1.15-5.fc26 package.