diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8f8debf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mod_auth_kerb-5.4.tar.gz
diff --git a/.mod_auth_kerb.metadata b/.mod_auth_kerb.metadata
new file mode 100644
index 0000000..81e46da
--- /dev/null
+++ b/.mod_auth_kerb.metadata
@@ -0,0 +1 @@
+22673081419bc2e98789fe2f998968c0cf10c2d4 SOURCES/mod_auth_kerb-5.4.tar.gz
diff --git a/SOURCES/LICENSE.ASL b/SOURCES/LICENSE.ASL
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/SOURCES/LICENSE.ASL
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/SOURCES/auth_kerb.conf b/SOURCES/auth_kerb.conf
new file mode 100644
index 0000000..b593270
--- /dev/null
+++ b/SOURCES/auth_kerb.conf
@@ -0,0 +1,25 @@
+#
+# The mod_auth_kerb module implements Kerberos authentication over
+# HTTP, following the "Negotiate" protocol.
+#
+
+LoadModule auth_kerb_module modules/mod_auth_kerb.so
+
+#
+# Sample configuration: Kerberos authentication must only be
+# used over SSL to prevent replay attacks. The keytab file
+# configured must be readable only by the "apache" user, and
+# must contain service keys for "HTTP/www.example.com", where
+# "www.example.com" is the FQDN of this server.
+#
+
+#
+# SSLRequireSSL
+# AuthType Kerberos
+# AuthName "Kerberos Login"
+# KrbMethodNegotiate On
+# KrbMethodK5Passwd Off
+# KrbAuthRealms EXAMPLE.COM
+# Krb5KeyTab /etc/httpd/conf/keytab
+# require valid-user
+#
diff --git a/SOURCES/mod_auth_kerb-5.4-cachedir.patch b/SOURCES/mod_auth_kerb-5.4-cachedir.patch
new file mode 100644
index 0000000..ebc4358
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-cachedir.patch
@@ -0,0 +1,15 @@
+
+Per https://bugzilla.redhat.com//show_bug.cgi?id=796430
+switch the cache dir to be relative to runtimedir.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext
+ int ret;
+ krb5_ccache tmp_ccache = NULL;
+
+- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
++ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX");
+ fd = mkstemp(ccname + strlen("FILE:"));
+ if (fd < 0) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/SOURCES/mod_auth_kerb-5.4-delegation.patch b/SOURCES/mod_auth_kerb-5.4-delegation.patch
new file mode 100644
index 0000000..a01e9f2
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-delegation.patch
@@ -0,0 +1,68 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=688210
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -209,6 +209,7 @@ typedef struct krb5_conn_data {
+ char *authline;
+ char *user;
+ char *mech;
++ char *ccname;
+ int last_return;
+ } krb5_conn_data;
+
+@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext
+ int ret;
+ krb5_ccache tmp_ccache = NULL;
+
+- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
++ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
+ fd = mkstemp(ccname + strlen("FILE:"));
+ if (fd < 0) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext
+ }
+
+ apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
++ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup,
+ apr_pool_cleanup_null);
+
+ *ccache = tmp_ccache;
+@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char *
+ if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
+ return NULL;
+
+- if(conn_data) {
+- if(strcmp(conn_data->authline, auth_line) == 0) {
+- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
+- return conn_data;
++ if(conn_data && conn_data->ccname != NULL) {
++ apr_finfo_t finfo;
++
++ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"),
++ APR_FINFO_NORM, r->pool) == APR_SUCCESS
++ && (finfo.valid & APR_FINFO_TYPE)
++ && finfo.filetype == APR_REG) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
++ return conn_data;
+ }
+ }
+ return NULL;
+@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r)
+ ret = prevauth->last_return;
+ MK_USER = prevauth->user;
+ MK_AUTH_TYPE = prevauth->mech;
++ if (prevauth->ccname)
++ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname);
+ }
+
+ /*
+@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r)
+ prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
+ prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
+ prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
++ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME"));
+ prevauth->last_return = ret;
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld",
diff --git a/SOURCES/mod_auth_kerb-5.4-expired.patch b/SOURCES/mod_auth_kerb-5.4-expired.patch
new file mode 100644
index 0000000..4b77a49
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-expired.patch
@@ -0,0 +1,20 @@
+diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
+index 2aab5ee..ca81878 100644
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ goto end;
+ }
+
+-#if 0
+ /* This is a _Kerberos_ module so multiple authentication rounds aren't
+ * supported. If we wanted a generic GSS authentication we would have to do
+ * some magic with exporting context etc. */
+@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+-#endif
+
+ major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
+ gss_release_name(&minor_status, &client_name);
diff --git a/SOURCES/mod_auth_kerb-5.4-fixes.patch b/SOURCES/mod_auth_kerb-5.4-fixes.patch
new file mode 100644
index 0000000..b86be69
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-fixes.patch
@@ -0,0 +1,40 @@
+
+Compiler warning fixes.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -677,7 +677,8 @@ end:
+ static krb5_error_code
+ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
+ const char *password, krb5_principal server,
+- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
++ krb5_keytab keytab, int krb_verify_kdc,
++ const char *krb_service_name, krb5_ccache *ccache)
+ {
+ krb5_creds creds;
+ krb5_get_init_creds_opt options;
+@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r,
+ return 0;
+ }
+
++#ifndef GSSAPI_SUPPORTS_SPNEGO
+ static int
+ cmp_gss_type(gss_buffer_t token, gss_OID oid)
+ {
+@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+
+ return memcmp(p, oid->elements, oid->length);
+ }
++#endif
+
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r)
+ return ret;
+ }
+
+-int
++static int
+ have_rcache_type(const char *type)
+ {
+ krb5_error_code ret;
diff --git a/SOURCES/mod_auth_kerb-5.4-httpd24.patch b/SOURCES/mod_auth_kerb-5.4-httpd24.patch
new file mode 100644
index 0000000..86c9b47
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-httpd24.patch
@@ -0,0 +1,75 @@
+
+Fixes for 2.4 API.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc
+ #define PROXYREQ_PROXY STD_PROXY
+ #endif
+
++#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606
++/* 2.4.x or later */
++#define WITH_HTTPD24 1
++#define client_ip(r) ((r)->useragent_ip)
++APLOG_USE_MODULE(auth_kerb);
++#else
++#define client_ip(r) ((r)->connection->remote_ip)
++#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms
++#endif
++
+ /***************************************************************************
+ Auth Configuration Structure
+ ***************************************************************************/
+@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void
+ }
+
+ static void
+-log_rerror(const char *file, int line, int level, int status,
++log_rerror(const char *file, int line,
++#ifdef WITH_HTTPD24
++ int module_index,
++#endif
++ int level, int status,
+ const request_rec *r, const char *fmt, ...)
+ {
+ char errstr[1024];
+@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i
+ va_end(ap);
+
+
+-#ifdef STANDARD20_MODULE_STUFF
++#if defined(WITH_HTTPD24)
++ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr);
++#elif defined(STANDARD20_MODULE_STUFF)
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr);
+ #else
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr);
+@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char *
+ char keyname[1024];
+
+ snprintf(keyname, sizeof(keyname) - 1,
+- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
+- r->connection->id);
++ "mod_auth_kerb::connection::%s::%ld", client_ip(r),
++ r->connection->id);
+
+ if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
+ return NULL;
+@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r)
+ prevauth->last_return = ret;
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld",
+- r->connection->remote_ip, r->connection->id);
++ client_ip(r), r->connection->id);
+ apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
+ }
+
+@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_
+ }
+
+ #ifdef AP_NEED_SET_MUTEX_PERMS
+- rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock);
+ if (rc != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
+ "mod_auth_kerb: Parent could not set permissions "
diff --git a/SOURCES/mod_auth_kerb-5.4-longuser.patch b/SOURCES/mod_auth_kerb-5.4-longuser.patch
new file mode 100644
index 0000000..100fd36
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-longuser.patch
@@ -0,0 +1,31 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=867153
+
+Patch by: jkaluza
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -80,6 +80,7 @@
+
+ #define MECH_NEGOTIATE "Negotiate"
+ #define SERVICE_NAME "HTTP"
++#define MAX_LOCAL_USERNAME 255
+
+ #include
+ #include
+@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) {
+ krb5_get_err_text(kcontext, code));
+ goto end;
+ }
+- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
++ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1);
+ if (MK_USER_LNAME == NULL) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "ap_pcalloc() failed (not enough memory)");
+ goto end;
+ }
+- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
++ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME);
+ if (code) {
+ if (code != KRB5_LNAME_NOTRANS) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/SOURCES/mod_auth_kerb-5.4-rcopshack.patch b/SOURCES/mod_auth_kerb-5.4-rcopshack.patch
new file mode 100644
index 0000000..abbf4db
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-rcopshack.patch
@@ -0,0 +1,73 @@
+
+Remove the Krb5 1.3.x-specific hack which mucks about with
+libkrb5 internals, and shouldn't.
+
+--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c
+@@ -285,34 +285,6 @@ mkstemp(char *template)
+ }
+ #endif
+
+-#if defined(KRB5) && !defined(HEIMDAL)
+-/* Needed to work around problems with replay caches */
+-#include "mit-internals.h"
+-
+-/* This is our replacement krb5_rc_store function */
+-static krb5_error_code KRB5_LIB_FUNCTION
+-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
+- krb5_donot_replay_internal *donot_replay)
+-{
+- return 0;
+-}
+-
+-/* And this is the operations vector for our replay cache */
+-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
+- 0,
+- "dfl",
+- krb5_rc_dfl_init,
+- krb5_rc_dfl_recover,
+- krb5_rc_dfl_destroy,
+- krb5_rc_dfl_close,
+- mod_auth_kerb_rc_store,
+- krb5_rc_dfl_expunge,
+- krb5_rc_dfl_get_span,
+- krb5_rc_dfl_get_name,
+- krb5_rc_dfl_resolve
+-};
+-#endif
+-
+ /***************************************************************************
+ Auth Configuration Initialization
+ ***************************************************************************/
+@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r,
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+-#ifndef HEIMDAL
+- /*
+- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
+- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
+- * the replay cache.
+- * This allows us to override the replay cache function vector with
+- * our own one.
+- * Note that this is a dirty hack to get things working and there may
+- * well be unknown side-effects.
+- */
+- {
+- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
+-
+- /* First we try to verify we are linked with 1.3.x to prevent from
+- crashing when linked with 1.4.x */
+- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
+- if (gss_creds->rcache && gss_creds->rcache->ops &&
+- gss_creds->rcache->ops->type &&
+- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+- /* Override the rcache operations */
+- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+- }
+- }
+-#endif
+-
+ return 0;
+ }
+
diff --git a/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch b/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch
new file mode 100644
index 0000000..031f87e
--- /dev/null
+++ b/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch
@@ -0,0 +1,591 @@
+
+Add S4U2Proxy feature:
+
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+
+The attached patches add support for using s4u2proxy
+(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
+web service to obtain credentials on behalf of the authenticated user.
+
+The first patch adds basic support for s4u2proxy. This requires the web
+administrator to manually create and manage the credentails cache for
+the apache user (via a cron job, for example).
+
+The second patch builds on this and makes mod_auth_kerb manage the
+ccache instead.
+
+These are patches against the current CVS HEAD (mod_auth_krb 5.4).
+
+I've added a new module option to enable this support,
+KrbConstrainedDelegation. The default is off.
+
+--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
++++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
+ credential cache that will be available for the request handler. The ticket
+ file will be removed after request is handled.
+
++Constrained Delegation
++----------------------
++S4U2Proxy, or constrained delegation, enables a service to use a client's
++ticket to itself to request another ticket for delegation. The KDC
++checks krbAllowedToDelegateTo to decide if it will issue a new ticket.
++If KrbConstrainedDelegation is enabled the server will use its own credentials
++to retrieve a delegated ticket for the user. For this to work the user must
++have a forwardable ticket (though the delegation flag need not be set).
++The server needs a valid credentials cache for this to work.
++
++The module itself will obtain and manage the necessary credentials.
++
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
+diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+@@ -42,6 +42,31 @@
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
++/*
++ * Locking mechanism inspired by mod_rewrite.
++ *
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/*
++ * S4U2Proxy code
++ *
++ * Copyright (C) 2012 Red Hat
++ */
++
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
+
+ #include "config.h"
+@@ -49,6 +74,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #define MODAUTHKERB_VERSION "5.4"
+
+@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_
+ module auth_kerb_module;
+ #endif
+
++#ifdef STANDARD20_MODULE_STUFF
++/* s4u2proxy only supported in 2.0+ */
++static const char *lockname;
++static apr_global_mutex_t *s4u2proxy_lock = NULL;
++#endif
++
+ /***************************************************************************
+ Macros To Ease Compatibility
+ ***************************************************************************/
+@@ -165,6 +197,7 @@ typedef struct {
+ int krb_method_gssapi;
+ int krb_method_k5pass;
+ int krb5_do_auth_to_local;
++ int krb5_s4u2proxy;
+ #endif
+ #ifdef KRB4
+ char *krb_4_srvtab;
+@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co
+
+ static const char*
+ krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);
++
++static int
++obtain_server_credentials(request_rec *r, const char *service_name);
+
+ #ifdef STANDARD20_MODULE_STUFF
+ #define command(name, func, var, type, usage) \
+@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[
+
+ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+ FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
++
++ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,
++ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),
++
++ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,
++ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),
+ #endif
+
+ #ifdef KRB4
+@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P
+ #endif
+ #ifdef KRB5
+ ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
++ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;
+ ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
+ ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ #endif
+@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v
+ return NULL;
+ }
+
++static const char *
++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)
++{
++ const char *error;
++
++ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
++ return error;
++
++ /* fixup the path, especially for s4u2proxylock_remove() */
++ lockname = ap_server_root_relative(cmd->pool, a1);
++
++ if (!lockname) {
++ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);
++ }
++
++ return NULL;
++}
++
+ static void
+ log_rerror(const char *file, int line, int level, int status,
+ const request_rec *r, const char *fmt, ...)
+@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r,
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major_status, minor_status, minor_status2;
+ gss_name_t server_name = GSS_C_NO_NAME;
++ gss_cred_usage_t usage = GSS_C_ACCEPT;
+ char buf[1024];
+ int have_server_princ;
+
+@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r,
+
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",
+ token.value);
++ if (conf->krb5_s4u2proxy) {
++ usage = GSS_C_BOTH;
++ obtain_server_credentials(r, conf->krb_service_name);
++ }
+ gss_release_buffer(&minor_status, &token);
+
+ major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
+- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
++ GSS_C_NO_OID_SET, usage,
+ server_creds, NULL, NULL);
+ gss_release_name(&minor_status2, &server_name);
+ if (GSS_ERROR(major_status)) {
+@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+ }
+ #endif
+
++/* Renew the ticket if it will expire in under a minute */
++#define RENEWAL_TIME 60
++
++/*
++ * Services4U2Proxy lets a server prinicipal request another service
++ * principal on behalf of a user. To do this the Apache service needs
++ * to have its own ccache. This will ensure that the ccache has a valid
++ * principal and will initialize or renew new credentials when needed.
++ */
++
++static int
++verify_server_credentials(request_rec *r,
++ krb5_context kcontext,
++ krb5_ccache ccache,
++ krb5_principal princ,
++ int *renew
++)
++{
++ krb5_creds match_cred;
++ krb5_creds creds;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_timestamp now;
++ krb5_error_code kerr = 0;
++
++ *renew = 0;
++
++ memset (&match_cred, 0, sizeof(match_cred));
++ memset (&creds, 0, sizeof(creds));
++
++ if (NULL == ccache || NULL == princ) {
++ /* Nothing to verify */
++ *renew = 1;
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not unparse principal %s (%d)",
++ error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Using principal %s for s4u2proxy", princ_name);
++
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++
++ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server)))
++ {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d)",
++ tgs_princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ match_cred.client = princ;
++
++ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))
++ {
++ krb5_unparse_name(kcontext, princ, &princ_name);
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto cleanup;
++ }
++
++ if ((kerr = krb5_timeofday(kcontext, &now))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get current time: %d (%s)",
++ kerr, error_message(kerr));
++ goto cleanup;
++ }
++
++ if (now > (creds.times.endtime + RENEWAL_TIME)) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Credentials for %s have expired or will soon "
++ "expire - now %d endtime %d",
++ princ_name, now, creds.times.endtime);
++ *renew = 1;
++ } else {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials for %s will expire at "
++ "%d, it is now %d", princ_name, creds.times.endtime, now);
++ }
++
++cleanup:
++ /* Closing context, ccache, etc happens elsewhere */
++ if (match_cred.server) {
++ krb5_free_principal(kcontext, match_cred.server);
++ }
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++
++ return kerr;
++}
++
++static int
++obtain_server_credentials(request_rec *r,
++ const char *service_name)
++{
++ krb5_context kcontext = NULL;
++ krb5_keytab keytab = NULL;
++ krb5_ccache ccache = NULL;
++ char * princ_name = NULL;
++ char *tgs_princ_name = NULL;
++ krb5_error_code kerr = 0;
++ krb5_principal princ = NULL;
++ krb5_creds creds;
++ krb5_get_init_creds_opt gicopts;
++ int renew = 0;
++ apr_status_t rv = 0;
++
++ memset(&creds, 0, sizeof(creds));
++
++ if ((kerr = krb5_init_context(&kcontext))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not get default Kerberos ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto done;
++ }
++
++ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {
++ char * name = NULL;
++
++ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),
++ krb5_cc_get_name(kcontext, ccache))) == -1) {
++ kerr = KRB5_CC_NOMEM;
++ goto done;
++ }
++
++ if (KRB5_FCC_NOFILE == kerr) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Credentials cache %s not found, create one", name);
++ krb5_cc_close(kcontext, ccache);
++ ccache = NULL;
++ free(name);
++ } else {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failure to open credentials cache %s: %s (%d)",
++ name, error_message(kerr), kerr);
++ free(name);
++ goto done;
++ }
++ }
++
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++
++ if (kerr || !renew) {
++ goto done;
++ }
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ rv = apr_global_mutex_lock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_lock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++ /* We have the lock, check again to be sure another process hasn't already
++ * renewed the ticket.
++ */
++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);
++ if (kerr || !renew) {
++ goto unlock;
++ }
++
++ if (NULL == princ) {
++ princ_name = apr_psprintf(r->pool, "%s/%s",
++ (service_name) ? service_name : SERVICE_NAME,
++ ap_get_server_name(r));
++
++ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Could not parse principal %s: %s (%d) ",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ } else if (NULL == princ_name) {
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_kt_default(kcontext, &keytab))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Unable to get default keytab: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Obtaining new credentials for %s", princ_name);
++ krb5_get_init_creds_opt_init(&gicopts);
++ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
++
++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data,
++ krb5_princ_realm(kcontext, princ)->length,
++ krb5_princ_realm(kcontext, princ)->data);
++
++ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,
++ 0, tgs_princ_name, &gicopts))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to obtain credentials for principal %s: "
++ "%s (%d)", princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ krb5_kt_close(kcontext, keytab);
++ keytab = NULL;
++
++ if (NULL == ccache) {
++ if ((kerr = krb5_cc_default(kcontext, &ccache))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to open default ccache: %s (%d)",
++ error_message(kerr), kerr);
++ goto unlock;
++ }
++ }
++
++ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to initialize ccache for %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Failed to store %s in ccache: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ goto unlock;
++ }
++
++unlock:
++#ifdef STANDARD20_MODULE_STUFF
++ if (s4u2proxy_lock) {
++ apr_global_mutex_unlock(s4u2proxy_lock);
++ if (rv != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "apr_global_mutex_unlock(s4u2proxy_lock) "
++ "failed");
++ }
++ }
++#endif
++
++done:
++ if (0 == kerr)
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Done obtaining credentials for s4u2proxy");
++ else
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Failed to obtain credentials for s4u2proxy");
++
++ if (creds.client) {
++ krb5_free_cred_contents(kcontext, &creds);
++ }
++ if (ccache) {
++ krb5_cc_close(kcontext, ccache);
++ }
++ if (kcontext) {
++ krb5_free_context(kcontext);
++ }
++
++ return kerr;
++}
++
+ static int
+ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
+ const char *auth_line, char **negotiate_ret_value)
+@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+ /***************************************************************************
+ Module Setup/Configuration
+ ***************************************************************************/
++#ifdef STANDARD20_MODULE_STUFF
++static apr_status_t
++s4u2proxylock_create(server_rec *s, apr_pool_t *p)
++{
++ apr_status_t rc;
++
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* create the lockfile */
++ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,
++ APR_LOCK_DEFAULT, p);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "Parent could not create lock file %s", lockname);
++ return rc;
++ }
++
++#ifdef AP_NEED_SET_MUTEX_PERMS
++ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);
++ if (rc != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,
++ "mod_auth_kerb: Parent could not set permissions "
++ "on lock; check User and Group directives");
++ return rc;
++ }
++#endif
++
++ return APR_SUCCESS;
++}
++
++static apr_status_t
++s4u2proxylock_remove(void *unused)
++{
++ /* only operate if a lockfile is used */
++ if (lockname == NULL || *(lockname) == '\0') {
++ return APR_SUCCESS;
++ }
++
++ /* destroy the rewritelock */
++ apr_global_mutex_destroy(s4u2proxy_lock);
++ s4u2proxy_lock = NULL;
++ lockname = NULL;
++ return APR_SUCCESS;
++}
++#endif
++
+ #ifndef STANDARD20_MODULE_STUFF
+ static void
+ kerb_module_init(server_rec *dummy, pool *p)
+ {
++ apr_status_t status;
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+@@ -1741,6 +2146,7 @@ static int
+ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *s)
+ {
++ apr_status_t rv;
+ ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+ #ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+ if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+ putenv(strdup("KRB5RCACHETYPE=none"));
+ #endif
++#ifdef STANDARD20_MODULE_STUFF
++ rv = s4u2proxylock_create(s, p);
++ if (rv != APR_SUCCESS) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++
++ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,
++ apr_pool_cleanup_null);
++#endif
+
+ return OK;
+ }
+
+ static void
++initialize_child(apr_pool_t *p, server_rec *s)
++{
++ apr_status_t rv = 0;
++
++#ifdef STANDARD20_MODULE_STUFF
++ if (lockname != NULL && *(lockname) != '\0') {
++ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);
++ if (rv != APR_SUCCESS) {
++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
++ "mod_auth_kerb: could not init s4u2proxy_lock"
++ " in child");
++ }
++ }
++#endif
++}
++
++static void
+ kerb_register_hooks(apr_pool_t *p)
+ {
+ ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
++ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+
diff --git a/SPECS/mod_auth_kerb.spec b/SPECS/mod_auth_kerb.spec
new file mode 100644
index 0000000..eaf9383
--- /dev/null
+++ b/SPECS/mod_auth_kerb.spec
@@ -0,0 +1,254 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+Summary: Kerberos authentication module for HTTP
+Name: mod_auth_kerb
+Version: 5.4
+Release: 28%{?dist}
+# src/mod_auth_kerb.c is under 3-clause BSD, ASL 2.0 code is patched in (-s4u2proxy.patch)
+# src/mit-internals.h contains MIT-licensed code.
+License: BSD and MIT and ASL 2.0
+Group: System Environment/Daemons
+URL: http://modauthkerb.sourceforge.net/
+Source0: http://downloads.sourceforge.net/modauthkerb/%{name}-%{version}.tar.gz
+Source1: auth_kerb.conf
+Source2: LICENSE.ASL
+Patch1: mod_auth_kerb-5.4-rcopshack.patch
+Patch2: mod_auth_kerb-5.4-fixes.patch
+Patch3: mod_auth_kerb-5.4-s4u2proxy.patch
+Patch4: mod_auth_kerb-5.4-httpd24.patch
+Patch5: mod_auth_kerb-5.4-delegation.patch
+Patch6: mod_auth_kerb-5.4-cachedir.patch
+Patch7: mod_auth_kerb-5.4-longuser.patch
+Patch8: mod_auth_kerb-5.4-expired.patch
+BuildRequires: httpd-devel, krb5-devel
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires(pre): httpd
+
+# Suppres auto-provides for module DSO
+%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
+%{?filter_setup}
+
+%description
+mod_auth_kerb is module for the Apache HTTP Server designed to
+provide Kerberos authentication over HTTP. The module supports the
+Negotiate authentication method, which performs full Kerberos
+authentication based on ticket exchanges.
+
+%prep
+%setup -q -n %{name}-%{version}
+%patch1 -p1 -b .rcopshack
+%patch2 -p1 -b .fixes
+%patch3 -p1 -b .s4u2proxy
+%patch4 -p1 -b .httpd24
+%patch5 -p1 -b .delegation
+%patch6 -p1 -b .cachedir
+%patch7 -p1 -b .longuser
+%patch8 -p1 -b .expired
+
+%build
+export APXS=%{_httpd_apxs}
+%configure --without-krb4 --with-krb5=%{_prefix}
+make %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -Dm 755 src/.libs/mod_auth_kerb.so \
+ $RPM_BUILD_ROOT%{_httpd_moddir}/mod_auth_kerb.so
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd >= 2.4.x
+sed -n /^LoadModule/p %{SOURCE1} > 10-auth_kerb.conf
+sed '/LoadModule/d;/Location /,/Location>/s,^#,,' %{SOURCE1} > example.conf
+install -Dp -m 0644 10-auth_kerb.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_kerb.conf
+%else
+# httpd <= 2.2.x
+install -Dp -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_httpd_confdir}/auth_kerb.conf
+%endif
+
+# Credentials cache
+mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d
+echo 'd /run/httpd/krbcache 700 apache apache' \
+ > $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/httpd-krbcache.conf
+mkdir -p $RPM_BUILD_ROOT/run/httpd/krbcache
+
+# Copy the license files here so we can include them in %doc
+cp -p %{SOURCE2} .
+
+%files
+%doc README LICENSE LICENSE.ASL
+%config(noreplace) %{_httpd_modconfdir}/*.conf
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%doc example.conf
+%endif
+%{_httpd_moddir}/*.so
+%{_prefix}/lib/tmpfiles.d/httpd-krbcache.conf
+%attr(0700,apache,apache) %dir /run/httpd/krbcache
+
+%changelog
+* Fri Jan 24 2014 Daniel Mach - 5.4-28
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 Joe Orton - 5.4-27
+- rebuild for #1029360
+
+* Fri Dec 27 2013 Daniel Mach - 5.4-26
+- Mass rebuild 2013-12-27
+
+* Thu Oct 03 2013 Jan Kaluza - 5.4-25
+- don't fail with error 500 when ticket is expired and Authorization header is
+ provided by client (#982521)
+
+* Tue Jun 04 2013 Jan Kaluza - 5.4-24
+- don't truncate translated names with KrbLocalUserMapping
+
+* Thu Feb 14 2013 Fedora Release Engineering - 5.4-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Nov 15 2012 Joe Orton - 5.4-22
+- clarify licensing; clean up spec file
+
+* Tue Nov 13 2012 Joe Orton - 5.4-21
+- fix httpd_mmn stderr filter (thanks rcollet)
+
+* Tue Nov 13 2012 Joe Orton - 5.4-20
+- hide stderr if finding httpd_mmn
+- package LICENSE
+- filter DSO auto provides
+
+* Wed Aug 8 2012 Joe Orton - 5.4-19
+- add Requires(pre) for httpd to ensure apache uid exists at install time
+
+* Wed Aug 8 2012 Joe Orton - 5.4-18
+- move ccache to /run/httpd/ccache
+
+* Fri Jul 20 2012 Fedora Release Engineering - 5.4-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jun 13 2012 Joe Orton - 5.4-16
+- hard-code use of /run/user/apache for cache dir
+- package /run/user/apache
+- move tmpfiles drop-in to /usr/lib
+
+* Wed Jun 13 2012 Joe Orton - 5.4-15
+- fix segfault in cache dir fix (#796430)
+
+* Fri May 11 2012 Joe Orton - 5.4-14
+- add tmpfile drop-in for cred cache (#796430)
+- really apply delegation fix
+
+* Tue May 1 2012 Joe Orton - 5.4-13
+- add delegation fix (Ben Kahn, mgbowman, #687975)
+
+* Tue Mar 27 2012 Joe Orton - 5.4-12
+- rebuild for httpd 2.4
+
+* Fri Mar 9 2012 Joe Orton - 5.4-11
+- adapt for 2.4 API
+
+* Thu Mar 1 2012 Rob Crittenden - 5.4-10
+- Updated s4u2proxy patch to add missing braces around conditional.
+
+* Tue Jan 31 2012 Rob Crittenden - 5.4-9
+- Add support for Constrained Delegation/s4u2proxy (#767740)
+
+* Fri Jan 13 2012 Fedora Release Engineering - 5.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering - 5.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Dec 9 2010 Joe Orton - 5.4-6
+- fix build (thanks to Mike Bonnet, #599754)
+
+* Fri Aug 07 2009 Parag 5.4-5
+- Spec cleanup as suggested in review bug #226150
+
+* Sat Jul 25 2009 Fedora Release Engineering - 5.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 5.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Dec 11 2008 Joe Orton 5.4-2
+- update to 5.4
+
+* Tue Feb 19 2008 Fedora Release Engineering - 5.3-7
+- Autorebuild for GCC 4.3
+
+* Tue Sep 25 2007 Joe Orton 5.3-6
+- fix configure invocation (#301181)
+
+* Sun Sep 2 2007 Joe Orton 5.3-5
+- rebuild for fixed 32-bit APR
+
+* Thu Aug 30 2007 Joe Orton 5.3-4
+- clarify License tag
+
+* Wed Nov 29 2006 Joe Orton 5.3-3
+- fix r->user caching (Enrico Scholz, #214207)
+- update to 5.3 (CVE-2006-5989, #215443)
+
+* Sun Oct 01 2006 Jesse Keating - 5.1-3
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Tue Sep 19 2006 Joe Orton 5.1-2
+- update to 5.1
+
+* Thu Aug 3 2006 Joe Orton 5.0-10
+- fix segfault at startup (#201145)
+
+* Thu Jul 20 2006 Joe Orton 5.0-9
+- add Russ Allbery's fix for disabling replay cache with krb15
+
+* Wed Jul 12 2006 Jesse Keating - 5.0-8.2.2
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating - 5.0-8.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 5.0-8.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Mon Dec 5 2005 Joe Orton 5.0-8
+- rebuild for httpd 2.2
+
+* Wed Sep 21 2005 Joe Orton 5.0-7
+- fix build without /usr/sbin in $PATH (Roozbeh Pournader, #168212)
+
+* Tue May 10 2005 Joe Orton 5.0-6
+- update to 5.0rc6
+- don't force CC=gcc4
+
+* Fri Mar 4 2005 Joe Orton 5.0-3
+- fix build with GCC 4
+- only add "auth_kerb_module" symbol to dynamic symbol table
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Thu Apr 8 2004 Joe Orton 5.0-0.rc4.5
+- remove static globals
+- add SSLRequireSSL
+
+* Mon Mar 29 2004 Joe Orton 5.0-0.rc4.3
+- support mutual authentication (Nalin Dahyabhai)
+- once authentication returns COMPLETE, cache name for the duration
+ of the connection
+
+* Thu Mar 25 2004 Joe Orton 5.0-0.rc4.2
+- add example config file
+
+* Wed Mar 24 2004 Joe Orton 5.0-0.rc4.1
+- update to mod_auth_kerb.c from HEAD to get workaround for
+ "Request is a replay" errors
+
+* Tue Mar 23 2004 Joe Orton
+- Initial build.