>From bd051cd3cc50d8d4695693c8f2d8cf78935c5711 Mon Sep 17 00:00:00 2001
From: Michael Weiser
Date: Mon, 12 Mar 2012 20:43:36 +0100
Subject: [PATCH] Add -l option to gssd to force legacy behaviour
A new option -l forces gssd to ignore its kernel's crypto capabilities and use just the Single DES legacy encryption types to be compatible with old servers without re-negotiation functionality.
---
 utils/gssd/gssd.c | 12 +++++++++++-
 utils/gssd/krb5_util.c | 6 +++++-
 utils/gssd/krb5_util.h | 1 +
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index ccadb07..fff9d21 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -100,9 +100,14 @@ main(int argc, char *argv[])
 int i;
 extern char *optarg;
 char *progname;
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ const char *opts = "fvrmnMp:k:d:t:R:l";
+#else
+ const char *opts = "fvrmnMp:k:d:t:R";
+#endif
 memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "fvrmnMp:k:d:t:R:")) != -1) {
+ while ((opt = getopt(argc, argv, opts)) != -1) {
 switch (opt) {
 case 'f':
 fg = 1;
@@ -143,6 +148,11 @@ main(int argc, char *argv[])
 case 'R':
 preferred_realm = strdup(optarg);
 break;
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ case 'l':
+ limit_to_legacy_enctypes = 1;
+ break;
+#endif
 default:
 usage(argv[0]);
 break;
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 4b13fa1..887d118 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -129,6 +129,10 @@
 /* Global list of principals/cache file names for machine credentials */
 struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+int limit_to_legacy_enctypes = 0;
+#endif
+
 /*==========================*/
 /*=== Internal routines ===*/
 /*==========================*/
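Review bot: In the first gssd.c hunk the `#else` option string `"fvrmnMp:k:d:t:R"` drops the colon after `R` that the replaced literal `"fvrmnMp:k:d:t:R:"` had. On builds without HAVE_SET_ALLOWABLE_ENCTYPES getopt() would then treat `-R` as a plain flag, so `case 'R'` in the following hunk calls `strdup(optarg)` with an optarg that was never set for that option, and the realm is left behind as a stray operand. The line should read `const char *opts = "fvrmnMp:k:d:t:R:";`. main() starts and ends outside the hunk.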
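Review bot: The new `case 'l'` in the second gssd.c hunk enables a single-DES-only mode with no matching change to usage() or the man page; the diffstat lists only gssd.c, krb5_util.c and krb5_util.h, and the two gssd.c hunks account for all twelve changed lines in that file. Because the switch deliberately weakens the encryption types gssd will offer, it should be documented where operators look, and the case deserves a comment such as `/* -l: ignore the kernel's enctype list and offer only the legacy single-DES types (weak; for old servers only) */`. Logging once at startup that legacy enctypes are being forced would also make the downgrade visible to whoever audits the host. The switch statement starts and ends outside the hunk.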
@@ -1342,7 +1346,7 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
 * If we failed for any reason to produce global
 * list of supported enctypes, use local default here.
 */
- if (krb5_enctypes == NULL)
+ if (krb5_enctypes == NULL || limit_to_legacy_enctypes)
 maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid, num_enctypes, enctypes);
 else
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index b42b91e..cd6e107 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -36,6 +36,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
 void gssd_k5_get_default_realm(char **def_realm);
 #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+extern int limit_to_legacy_enctypes;
 int limit_krb5_enctypes(struct rpc_gss_sec *sec);
 #endif
--
1.7.3.4
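Review bot: The comment directly above the changed condition in limit_krb5_enctypes() still says the local default list is used only when the global list could not be produced, which is no longer accurate now that `limit_to_legacy_enctypes` also selects that branch. I would extend it with a line like `* Also taken when gssd was started with -l, which deliberately restricts the context to the legacy list.` The contents of `enctypes` are set outside the hunk, so whether it really holds only single-DES types, as the commit message states, cannot be confirmed from here. The function body starts and ends outside the hunk.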