--- clean/rpcsec_gss/gssd/Makefile.in	Thu Feb  7 17:52:42 2002
+++ dirty/rpcsec_gss/gssd/Makefile.in	Tue Feb 26 13:06:45 2002
@@ -3,12 +3,15 @@
 #
 # Dug Song <dugsong@monkey.org>
 #
-# $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
+# $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
 
 srcdir	= @srcdir@
 VPATH	= @srcdir@
 
 CC	= @CC@
+#
+# use -DDEBUG for gssd to run in forground and spit messges at you
+#
 CFLAGS	= @CFLAGS@ @DEFS@
 
 RPCDIR	= ../rpc
@@ -19,10 +22,8 @@
 KRBINC	= -I$(KRBDIR)/include
 KRBLIB	= -L$(KRBDIR)/lib @KRBLIB@
 
-
 INCS	= -I$(srcdir) $(RPCINC) $(KRBINC)
-LIBS	= $(RPCLIB) $(KRBLIB) @LIBS@
-
+LIBS = $(RPCLIB) $(KRBLIB) -lresolv -lnsl
 
 GEN	= gss_clnt.c gss_svc.c gss_xdr.c gss.h
 PROGS	= gssd gssc
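Review bot: The new LIBS line drops the `@LIBS@` configure substitution that the old line carried, so whatever libraries configure detected for this platform are no longer passed to the link step at all; `LIBS = $(RPCLIB) $(KRBLIB) -lresolv -lnsl @LIBS@` keeps both. Hard-coding -lresolv and -lnsl here also bypasses configure, which is presumably where a check for them belongs, since not every target system has (or needs) those libraries.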
@@ -37,8 +38,17 @@
 	rm -f gss_svc.c
 	rpcgen -m -o gss_svc.c gss.x
 
-gssd: gssd.o gss_proc.o gss_svc.o gss_xdr.o
-	$(CC) -o $@ gssd.o gss_proc.o gss_svc.o gss_xdr.o $(LIBS)
+#
+# mach_log tests kinit using machine creds stored in /etc/krb5.keytab
+#
+gss_kt_login_main.o:
+	$(CC) $(CFLAGS) -DMACH_LOGIN  $(INCS) -c $(srcdir)/gss_kt_login.c
+
+mach_log: gss_kt_login_main.o
+	$(CC) -o $@ gss_kt_login.o $(LIBS)
+
+gssd: gssd.o gss_proc.o gss_svc.o gss_xdr.o gss_kt_login.o
+	$(CC) -o $@ gssd.o gss_proc.o gss_svc.o gss_xdr.o gss_kt_login.o $(LIBS)
 
 gssc: gssc.o gss_clnt.o gss_xdr.o
 	$(CC) -o $@ gssc.o gss_clnt.o gss_xdr.o $(LIBS)
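Review bot: The gss_kt_login_main.o rule does not produce the file it is named for: `$(CC) ... -c $(srcdir)/gss_kt_login.c` writes gss_kt_login.o, which is the same object gssd links without -DMACH_LOGIN, so whichever target is built last decides whether gss_kt_login.o contains a main(), and the mach_log rule links gss_kt_login.o rather than the object it depends on. The rule also lists no source prerequisite, so it is never rebuilt when gss_kt_login.c changes. Naming the output fixes both: `gss_kt_login_main.o: $(srcdir)/gss_kt_login.c`, `	$(CC) $(CFLAGS) -DMACH_LOGIN $(INCS) -c $(srcdir)/gss_kt_login.c -o $@`, and in mach_log `	$(CC) -o $@ gss_kt_login_main.o $(LIBS)`.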
--- clean/rpcsec_gss/gssd/gss.x	Thu Feb  7 17:52:42 2002
+++ dirty/rpcsec_gss/gssd/gss.x	Fri Feb 22 14:32:06 2002
@@ -34,7 +34,7 @@
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
+  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
 */
 
 %#include <sys/types.h>
@@ -47,6 +47,7 @@
 
 struct gss_init_sec_context_arg {
         unsigned int	uid;		/* caller's uid */       
+        unsigned int	flags;		/* to signal use of MACHINE CREDS */       
 					/* claimant_cred_handle */
 	GSS_CTX_ID_T	ctx_id;		
 	GSS_BUFFER_T    target_name;	
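Review bot: Inserting `flags` in the middle of gss_init_sec_context_arg changes the XDR encoding of every INIT_SEC_CONTEXT argument, so a client built from the old gss.x talking to a gssd built from this one (or the reverse) decodes the remaining fields as garbage; a wire change of this kind should come with a version bump in the program definition, which lies outside this hunk. The flag values are defined only in gss_proc.c (`CA_RUN_AS_MACHINE 0x00000200`), which the client side never sees; declaring `const CA_RUN_AS_MACHINE = 0x00000200;` in gss.x lets rpcgen emit it into gss.h for both sides. The comment should also say what the field means when no bit is set. The struct continues past the end of the hunk.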
--- clean/rpcsec_gss/gssd/gss_kt_login.c	Tue Feb 26 13:15:46 2002
+++ dirty/rpcsec_gss/gssd/gss_kt_login.c	Fri Feb 22 14:35:38 2002
@@ -0,0 +1,172 @@
+/*
+ *  gss_kt_login.c
+ *
+ *  Adapted from MIT Kerberos 5-1.2.1 slave/kprop.c
+ *
+ *  Copyright (c) 2002 The Regents of the University of Michigan.
+ *  All rights reserved.
+ *
+ *  Andy Adamson <andros@umich.edu>
+ */
+
+/*
+ * slave/kprop.c
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ */
+
+
+
+#include <errno.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <sys/file.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/param.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include "krb5.h"
+
+krb5_ccache ccache;
+krb5_creds  creds;
+
+#ifdef MACH_LOGIN
+/* build this as the mach_log executable */
+main(int ac,char **av)
+{
+
+krb5_kt_get_tickets();
+
+}
+#endif /* MACH_LOGIN */
+
+int
+krb5_kt_get_tickets(void)
+{
+	krb5_error_code retval;
+	krb5_context context;
+	krb5_creds *my_creds;
+	static char tkstring[] = "/tmp/krb5cc_machine";
+	krb5_keytab keytab = NULL;
+	krb5_keytab_entry entry;
+	krb5_kt_cursor cur;
+	krb5_principal  my_principal;   
+	char * srvtab = "/etc/krb5.keytab";
+	char * realm;
+	char   buf[BUFSIZ];
+
+
+
+	retval = krb5_init_context(&context);
+	if (retval) {
+		com_err("GSSD", retval, "while initializing krb5");
+		goto out;
+	}
+	retval = krb5_get_default_realm(context, &realm);
+	if (retval) {
+		com_err("GSSD", retval, "while getting default realm");
+		goto out;
+	}
+
+	retval = krb5_sname_to_principal(context, NULL, "nfs",
+	                             KRB5_NT_SRV_HST, &my_principal);
+	if (retval) {
+		com_err("GSSD", errno, "while setting client principal name");
+		goto out;
+	}
+
+	/*
+	* Initialize cache file which we're going to be using
+	*/
+
+	sprintf(buf, "FILE:%s", tkstring);
+	if (retval = krb5_cc_resolve(context, buf, &ccache)) {
+		com_err("GSSD", retval, "while opening credential cache %s", buf);
+		goto out;
+	}
+	if (retval = krb5_cc_initialize(context, ccache, my_principal)) {
+		com_err ("GSSD", retval, "when initializing cache %s", buf);
+		goto out;
+	}
+
+	memset((char *)&creds, 0, sizeof(creds));
+	retval = krb5_build_principal(context, &creds.server,
+	strlen(realm),realm, KRB5_TGS_NAME, realm,0);
+	if (retval) {
+		com_err("GSSD", errno, "while setting server principal name");
+		(void) krb5_cc_destroy(context, ccache);
+		goto out;
+	}
+
+	/*
+	* Now fill in the client....
+	*/
+	if (retval = krb5_copy_principal(context, my_principal, &creds.client)) {
+		com_err("GSSD", retval, "While copying client principal");
+		(void) krb5_cc_destroy(context, ccache);
+		goto out;
+	}
+	if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
+		com_err("GSSD", retval, "while resolving keytab");
+		(void) krb5_cc_destroy(context, ccache);
+		goto out;
+	}
+	/* ANDROS add etype to specify DES cbc mode with CRC-32 */
+	if ((retval = krb5_kt_start_seq_get(context,keytab, &cur))) {
+		com_err("GSSD", retval, "while starting keytab scan");
+		goto out;
+	}
+	retval = krb5_kt_next_entry(context,keytab,&entry,&cur);
+	if (retval) {
+		com_err("GSSD", retval, "while getting keytab entry\n");
+		goto out;
+	}
+	retval = krb5_get_in_tkt_with_keytab(context, 0, 0,&entry.key.enctype,
+	NULL, keytab, ccache, &creds, 0);
+	if (retval) {
+		com_err("GSSD", retval, "while getting initial ticket\n");
+		(void) krb5_cc_destroy(context, ccache);
+		goto out;
+	}
+
+	if (keytab)
+		(void) krb5_kt_close(context, keytab);
+
+out:
+	return(retval == 0);
+}
+
+
+void
+gss_kt_destroy_tickets(void)
+{
+fprintf(stderr,"gss_kt_destroy_tickets\n");
+}
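Review bot: krb5_kt_get_tickets leaks on most failure paths and on success: the krb5_kt_start_seq_get and krb5_kt_next_entry failures jump to `out` without krb5_cc_destroy or krb5_kt_close, krb5_kt_end_seq_get is never called for the cursor, and context, realm and my_principal are never released on any path. The com_err calls after krb5_sname_to_principal and krb5_build_principal pass `errno` where every other call passes `retval`, so those two messages report an unrelated error code. The machine cache is a fixed, predictable name in world-writable /tmp (`/tmp/krb5cc_machine`), which any local user can create or link ahead of gssd; a root-owned directory that is not world-writable removes that exposure. Under MACH_LOGIN, `main` has an implicit int return and calls krb5_kt_get_tickets before its definition, so `int main(int ac, char **av) { return krb5_kt_get_tickets() ? 0 : 1; }` placed after the function (or a prototype above it) is needed. The tail of the function can route the post-keytab failures through a second cleanup label:
```c
	/* … unchanged: context, realm, principal, cache and creds setup … */
	if ((retval = krb5_kt_resolve(context, srvtab, &keytab))) {
		com_err("GSSD", retval, "while resolving keytab");
		goto out_destroy;
	}
	if ((retval = krb5_kt_start_seq_get(context, keytab, &cur))) {
		com_err("GSSD", retval, "while starting keytab scan");
		goto out_destroy;
	}
	retval = krb5_kt_next_entry(context, keytab, &entry, &cur);
	(void) krb5_kt_end_seq_get(context, keytab, &cur);
	if (retval) {
		com_err("GSSD", retval, "while getting keytab entry\n");
		goto out_destroy;
	}
	retval = krb5_get_in_tkt_with_keytab(context, 0, 0, &entry.key.enctype,
	    NULL, keytab, ccache, &creds, 0);
	if (retval)
		com_err("GSSD", retval, "while getting initial ticket\n");
out_destroy:
	/* do not leave a half-built machine cache behind on any failure */
	if (retval)
		(void) krb5_cc_destroy(context, ccache);
	if (keytab)
		(void) krb5_kt_close(context, keytab);
out:
	return (retval == 0);
```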
--- clean/rpcsec_gss/gssd/gss_proc.c	Thu Feb  7 17:52:42 2002
+++ dirty/rpcsec_gss/gssd/gss_proc.c	Fri Feb 22 15:00:18 2002
@@ -33,7 +33,7 @@
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
+  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
 */
 
 #include <sys/types.h>
@@ -47,12 +47,54 @@
 #ifdef HAVE_KRB5
 #include <gssapi/gssapi.h>
 #include <gssapi/gssapi_generic.h>
+#define CA_RUN_AS_MACHINE  0x00000200
 #elif HAVE_HEIMDAL
 #include <gssapi.h>
 #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
 #endif
 #include "gss.h"
 
+#ifdef DEBUG
+void
+print_hexl(u_int *p, u_int length, u_int offset)
+{
+  u_int i, j, jm;
+  unsigned char c, *cp;
+ 
+  printf("\n");
+  cp = (unsigned char *) p;
+ 
+  for (i = 0; i < length; i += 0x10) {
+    printf("  %04x: ", (u_int)(i + offset));
+    jm = length - i;
+    jm = jm > 16 ? 16 : jm;
+
+    for (j = 0; j < jm; j++) {
+      if ((j % 2) == 1)
+        printf("%02x ", (u_int)cp[i+j]);
+      else
+        printf("%02x", (u_int)cp[i+j]);
+    }
+    for (; j < 16; j++) {
+      if ((j % 2) == 1)
+        printf("   ");
+      else
+        printf("  ");
+    }
+    printf(" ");
+
+    for (j = 0; j < jm; j++) {
+      c = cp[i+j];
+      c = isprint(c) ? c : '.';
+      printf("%c", c);
+    }
+    printf("\n");
+  }
+}
+#endif /* DEBUG */
+
+
+
 /* Default values. */
 u_int	nobody_uid;
 u_int	nobody_gid;
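Review bot: print_hexl declares its buffer as `u_int *p` but only ever reads it through `unsigned char *cp`, which forces the caller at the export site to cast and implies an alignment the function does not need; `void print_hexl(const void *p, u_int length, u_int offset)` with `const unsigned char *cp = p;` matches the actual use. As a DEBUG-only file-local helper it should also be `static`, and `c` should be passed to isprint as it already is an unsigned char, which is fine, but the `(u_int)cp[i+j]` casts for `%02x` could then go. `CA_RUN_AS_MACHINE` is defined here only under HAVE_KRB5 even though it is a wire flag the client must set; it belongs in gss.x so gss.h carries it for both sides.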
@@ -101,6 +143,7 @@
 	return (FALSE);
 }
 
+/* XXX put machine login here! */
 bool_t
 gssd_init_defaults(void)
 {
@@ -277,8 +320,8 @@
 	if (!hosts_access(rqstp))
 		return (NULL);
 #ifdef DEBUG
-	fprintf(stderr, "init_sec_context_svc arg (uid %d, ctx %p:%d, "
-		"name %.*s, mech %p:%d, token %p:%d)\n", argp->uid,
+	fprintf(stderr, "init_sec_context_svc arg (uid %d, flags %d,ctx %p:%d, "
+		"name %.*s, mech %p:%d, token %p:%d)\n", argp->uid, argp->flags,
 		argp->ctx_id.GSS_CTX_ID_T_val, argp->ctx_id.GSS_CTX_ID_T_len,
 		argp->target_name.GSS_BUFFER_T_len,
 		argp->target_name.GSS_BUFFER_T_val,
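Review bot: `flags` (and `uid`) are declared `unsigned int` in gss.x, so the new `%d` conversions in the DEBUG fprintf are mismatched with their arguments; `"init_sec_context_svc arg (uid %u, flags %#x, ctx %p:%d, "` prints them correctly and restores the missing space after the comma. The enclosing function starts and ends outside the hunk.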
@@ -317,13 +360,18 @@
 
 	/* XXX - haaaack. how else to do this? */
 #ifdef HAVE_KRB5
-	snprintf(buf, sizeof(buf), "FILE:/tmp/krb5cc_%u", argp->uid);
+  if((argp->flags & CA_RUN_AS_MACHINE) || (argp->uid == 0))
+		snprintf(buf, sizeof(buf), "FILE:/tmp/krb5cc_machine");
+	else
+		snprintf(buf, sizeof(buf), "FILE:/tmp/krb5cc_%u", argp->uid);
 	gss_krb5_ccache_name(&res.min_stat, buf, NULL);
+
 #elif HAVE_HEIMDAL
 	snprintf(buf, sizeof(buf),
 		 "KRB5CCNAME=FILE:/tmp/krb5cc_%u", argp->uid);
 	putenv(buf);
 #endif
+
 	res.maj_stat = gss_init_sec_context(&res.min_stat,
 					    GSS_C_NO_CREDENTIAL,
 					    &ctx_id,
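Review bot: The switch to the machine credential cache is driven by `argp->flags`, a field the RPC client fills in, so any caller that passes hosts_access can have gssd initiate a context with the machine's credentials simply by setting CA_RUN_AS_MACHINE; the new `uid == 0` arm is likewise decided by a client-supplied value. Whether a caller may act as the machine has to be established from something gssd itself controls (the authentication credentials on the request, for instance) and rejected before this point, which is earlier in a function that begins outside the hunk. The literal `FILE:/tmp/krb5cc_machine` is now duplicated between here and `tkstring` in gss_kt_login.c, so a single shared define would keep the two from drifting, and the new `if` is indented with spaces where the rest of the file uses tabs.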
@@ -465,6 +513,7 @@
 	gss_buffer_desc  output_token;
 	static char buf1[MAX_NETOBJ_SZ];
 	OM_uint32  min = 0,maj = 0;
+	OM_uint32  mins = 0,resu = 0;
 
 	if (!hosts_access(rqstp))
 		return (NULL);
@@ -487,6 +536,12 @@
 	res.maj_stat = gss_export_sec_context(&res.min_stat,
 					    &ctx_id, 
 	            &output_token);
+
+#ifdef DEBUG
+	print_hexl((u_int *)output_token.value,8,0);
+#endif /* DEBUG */
+
+resu = gss_import_sec_context(&mins, &output_token, &ctx_id);
 
   /* Note: the krb5 context is returned in an 'externalized form'
 	 * packed in an asn1-like fashion into the output_token.
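Review bot: The result of gss_import_sec_context is stored in `resu` and never examined, so when the re-import fails `ctx_id` is left in whatever state the library gives it and the code after the hunk keeps using it; at minimum `if (resu != GSS_S_COMPLETE) { res.maj_stat = resu; res.min_stat = mins; }` followed by the same failure path the surrounding function uses for gss_export_sec_context errors. The DEBUG print_hexl dumps the first 8 bytes of the exported context to stdout; an exported context token is expected to carry the context's key material, so even a debug-only dump of it is better limited to the token length. The assignment to `resu` is also at column 0 while the surrounding code is tab-indented. The enclosing function starts and ends outside the hunk.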
--- clean/rpcsec_gss/gssd/gssd.c	Thu Feb  7 17:52:42 2002
+++ dirty/rpcsec_gss/gssd/gssd.c	Fri Feb 22 14:32:06 2002
@@ -5,6 +5,7 @@
   All rights reserved.
 
   Copyright (c) 2000 Dug Song <dugsong@UMICH.EDU>.
+  Copyright (c) 2002 Andy Adamson <andros@UMICH.EDU>.
   All rights reserved, all wrongs reversed.
 
   Redistribution and use in source and binary forms, with or without
@@ -32,7 +33,7 @@
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
+  $Id: rpcsec_gss-3.0-nfsv4_utilities.patch,v 1.1 2002/02/26 18:41:31 andros Exp $
 */
 
 #include <sys/types.h>
@@ -60,6 +61,8 @@
 sig_die(int signal)
 {
 	pmap_unset(GSSPROG, GSSVERS);
+  /* destroy krb5 machine creds */
+	gss_kt_destroy_tickets();
 	syslog(LOG_INFO, "exiting on signal %d", signal);
 	exit(1);
 }
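Review bot: gss_kt_destroy_tickets, called here from sig_die, is only a stub in gss_kt_login.c that prints its own name, so the machine credential cache that krb5_kt_get_tickets creates under /tmp survives gssd's exit while the call reads as if credentials were cleaned up; it should call krb5_cc_destroy on the ccache that gss_kt_login.c keeps in its global. Neither gss_kt_destroy_tickets nor krb5_kt_get_tickets (used in the next hunk of this file) is declared anywhere in this diff, so gssd.c compiles against implicit declarations; a header included by both gssd.c and gss_kt_login.c with `int krb5_kt_get_tickets(void);` and `void gss_kt_destroy_tickets(void);` fixes that, and the `krb5_` prefix on a local function invites confusion with the library's own namespace. The new comment is indented with spaces where sig_die uses tabs.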
@@ -157,6 +160,10 @@
 	}
 	if (get_creds && !gssd_acquire_cred(GSS_SERVER_NAME)) {
 		syslog(LOG_ERR, "couldn't get credentials");
+		exit(1);
+	}
+	if (get_creds && !krb5_kt_get_tickets()) {
+		syslog(LOG_ERR, "couldn't get krb5 machine tickets");
 		exit(1);
 	}
 
