patch for OSX

Darren Tucker dtucker at
Sun Apr 22 10:13:02 EST 2012

Nick had problems sending the patch to the list, so I'm just passing
this along.  I'm not sure that the patch is correct, but the man page
for krb5_unparse_name does say "If no errors occur, the return value is
0. Otherwise, a Kerberos error code is returned."


Gah, email filters stripping usefulness! Sorry. I've removed the GIT patch headers just to get the diff through ;-). Let me know if this works. 


The opendirectory lookups in gss-serv-krb5.c, used for OS X had
reversed boolean logic meaning that the code will fail if ever
the OD lookup or the group membership calls returned success.
Obviously this is wrong, but even more so the log messages were
a bit sparse so it was hard to see why the PAM call was being
rejected. This commit fixes the logic and adds in some extra log
messages in the case of failure.
 gss-serv-krb5.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index ae4ee1c..879c76a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -91,26 +91,29 @@ od_kuserok(krb5_context context, krb5_principal principal, const char *luser)
        uuid_t krb_uuid, un_uuid;

        ret = krb5_unparse_name(context, principal, &kprinc);
-       if (!ret) {
+       if (ret) {
                logit("od_kuserok - krb5_unparse_name failed: %d", ret);
                goto error;

        ret = mbr_identifier_to_uuid(ID_TYPE_USERNAME, luser, strlen(luser), un_uuid);
-       if (!ret) {
-               logit("od_kuserok - mbr_identifier_to_uuid: %d", ret);
+       if (ret) {
+               logit("od_kuserok - mbr_identifier_to_uuid(%s) failed: %d", luser, ret);
                goto error;

        ret = mbr_identifier_to_uuid(ID_TYPE_KERBEROS, kprinc, strlen(kprinc), krb_uuid);
-       if (!ret) {
+       if (ret) {
+                logit("od_kuserok - mbr_id_to_uuid(%s) failed: %d", kprinc, ret);
                goto error;

        ret = uuid_compare(krb_uuid, un_uuid);
        if (0 == ret)  {
                retval = TRUE;
-       }
+       } else {
+               logit("od_kuserok - uuids do not match, refusing");
+        }

        if (kprinc)
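Review bot: the inverted conditions are the right fix, but the hunk as received cannot be applied and has two small consistency problems. The `@@ -91,26 +91,29 @@` header promises 26 old-side lines and fewer are present: the `}` that closes each `if (ret) {` block before the next `ret = ...` line is missing, so `goto error;` is followed directly by the next call. That looks like the same mail filter that ate the git headers; please resend the patch as an attachment so it applies cleanly. On the substance, `krb5_unparse_name` (as Darren notes) and `mbr_identifier_to_uuid` both return 0 on success and a non-zero error code on failure, so the old `if (!ret)` jumped to `error` on success and, on a failed lookup, fell through to `uuid_compare(krb_uuid, un_uuid)` on `uuid_t` buffers that the failed call never wrote (they are declared uninitialized at the top of the hunk); the new `if (ret)` makes every failure path refuse, which is the fail-closed behaviour an authorization check needs. Two nits in the added lines: the third log message says `mbr_id_to_uuid(%s)` while the second says `mbr_identifier_to_uuid(%s)`, and the real function name should be used in both so the messages are greppable; and that same `logit(...)` line plus the new `} else {` closing brace appear indented one column differently from the neighbouring lines, which suggests spaces where the file uses tabs.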

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
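The point the patch turns on is the return-code convention of the lookup calls: 0 means success and any non-zero value is an error, so a check written as `if (!ret)` treats success as failure. The following is an added illustration, not OpenSSH code and not Nick's patch: it uses a constructed in-memory directory in place of `krb5_unparse_name` and `mbr_identifier_to_uuid`, with a `lookup_uuid` helper of my own that follows the same 0-on-success convention, and puts the pre-patch check shape next to the corrected one so the two behaviours can be compared on the same input.

```c
/*
 * Added illustration (not OpenSSH's gss-serv-krb5.c): how a 0-on-success
 * return convention interacts with "if (!ret)" versus "if (ret)" in an
 * authorization check. The directory tables and lookup_uuid() are
 * constructed stand-ins for mbr_identifier_to_uuid(), which returns 0 on
 * success and a non-zero error code otherwise.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char uuid_t[16];

struct entry {
    const char *name;
    uuid_t uuid;
};

/* Constructed sample data: local user name -> uuid, Kerberos principal -> uuid.
 * "alice" and "alice@EXAMPLE.ORG" are the same identity; so are the two bobs. */
static const struct entry users[] = {
    { "alice", {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1} },
    { "bob",   {2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2} },
};
static const struct entry principals[] = {
    { "alice@EXAMPLE.ORG", {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1} },
    { "bob@EXAMPLE.ORG",   {2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2} },
};
#define NENTRIES(t) (sizeof(t) / sizeof((t)[0]))

/* Stand-in for mbr_identifier_to_uuid(): writes *out and returns 0 when the
 * key is known, otherwise returns ENOENT and leaves *out untouched. */
static int lookup_uuid(const struct entry *tbl, size_t n, const char *key, uuid_t out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].name, key) == 0) {
            memcpy(out, tbl[i].uuid, sizeof(uuid_t));
            return 0;
        }
    }
    return ENOENT;
}

/* Corrected shape: any non-zero return is a failure and the check refuses.
 * Returns 1 when the principal maps to the local user, 0 otherwise. */
int kuserok_fixed(const char *principal, const char *luser)
{
    uuid_t krb_uuid, un_uuid;
    int ret;

    ret = lookup_uuid(users, NENTRIES(users), luser, un_uuid);
    if (ret) {
        fprintf(stderr, "lookup_uuid(%s) failed: %d\n", luser, ret);
        return 0;
    }
    ret = lookup_uuid(principals, NENTRIES(principals), principal, krb_uuid);
    if (ret) {
        fprintf(stderr, "lookup_uuid(%s) failed: %d\n", principal, ret);
        return 0;
    }
    if (memcmp(krb_uuid, un_uuid, sizeof(uuid_t)) == 0)
        return 1;
    fprintf(stderr, "uuids do not match, refusing\n");
    return 0;
}

/* Pre-patch shape: "if (!ret)" bails out on success, so a valid mapping is
 * refused, and a failed lookup falls through to the comparison. The real
 * code compared whatever was on the stack; the sentinels below only make
 * that fall-through deterministic for this demonstration. */
int kuserok_inverted(const char *principal, const char *luser)
{
    uuid_t krb_uuid, un_uuid;
    int ret;

    memset(un_uuid, 0x55, sizeof(uuid_t));   /* stand-in for uninitialized memory */
    memset(krb_uuid, 0xAA, sizeof(uuid_t));

    ret = lookup_uuid(users, NENTRIES(users), luser, un_uuid);
    if (!ret)
        return 0;                            /* success treated as failure */
    ret = lookup_uuid(principals, NENTRIES(principals), principal, krb_uuid);
    if (!ret)
        return 0;
    return memcmp(krb_uuid, un_uuid, sizeof(uuid_t)) == 0;
}
```

With the constructed tables, `kuserok_fixed("alice@EXAMPLE.ORG", "alice")` allows and every other combination (wrong user, unknown user, unknown principal) refuses, while `kuserok_inverted` refuses the valid pair because the first successful lookup takes the error path, exactly the symptom the commit message describes.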

More information about the openssh-unix-dev mailing list