From 42dc144c4499672114c392423d24c397ea929ad3 Mon Sep 17 00:00:00 2001
From: Michael Sweet <michael.r.sweet@gmail.com>
Date: Thu, 9 Mar 2017 15:24:58 -0500
Subject: [PATCH] Allow "Negotiate" as an AuthType/DefaultAuthType, even on
 systems that don't have Kerberos support compiled in.  The result will be a
 run-time access failure that gets logged instead of stopping cupsd (Issue
 #4947)

---
 CHANGES.txt        | 2 ++
 scheduler/client.c | 6 ++----
 scheduler/conf.c   | 6 +-----
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index 5c8cc7860f..e774dfb073 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -17,6 +17,8 @@ CHANGES IN CUPS V2.2.3
 	  supported by the printer (Issue #4953)
 	- The IPP Everywhere PPD generator did not return useful error messages
 	  (Issue #4954)
+	- The default cupsd.conf file did not work on systems compiled without
+	  Kerberos support (Issue #4947)
 	- Fixed some localization issues on macOS (<rdar://problem/27245567>)
 
 
diff --git a/scheduler/client.c b/scheduler/client.c
index 50e00be552..f27decda47 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2349,17 +2349,15 @@ cupsdSendHeader(
 
     if (auth_type == CUPSD_AUTH_BASIC)
       strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
-#ifdef HAVE_GSSAPI
     else if (auth_type == CUPSD_AUTH_NEGOTIATE)
     {
-#  ifdef AF_LOCAL
+#ifdef AF_LOCAL
       if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
         strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
       else
-#  endif /* AF_LOCAL */
+#endif /* AF_LOCAL */
       strlcpy(auth_str, "Negotiate", sizeof(auth_str));
     }
-#endif /* HAVE_GSSAPI */
 
     if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE &&
         !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 3cde8bd298..36f043f650 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -1,7 +1,7 @@
 /*
  * Configuration routines for the CUPS scheduler.
  *
- * Copyright 2007-2016 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
  * Copyright 1997-2007 by Easy Software Products, all rights reserved.
  *
  * These coded instructions, statements, and computer programs are the
@@ -2233,7 +2233,6 @@ parse_aaa(cupsd_location_t *loc,	/* I - Location */
       if (loc->level == CUPSD_AUTH_ANON)
 	loc->level = CUPSD_AUTH_USER;
     }
-#ifdef HAVE_GSSAPI
     else if (!_cups_strcasecmp(value, "negotiate"))
     {
       loc->type = CUPSD_AUTH_NEGOTIATE;
@@ -2241,7 +2240,6 @@ parse_aaa(cupsd_location_t *loc,	/* I - Location */
       if (loc->level == CUPSD_AUTH_ANON)
 	loc->level = CUPSD_AUTH_USER;
     }
-#endif /* HAVE_GSSAPI */
     else
     {
       cupsdLogMessage(CUPSD_LOG_WARN,
@@ -3175,10 +3173,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
 	default_auth_type = CUPSD_AUTH_NONE;
       else if (!_cups_strcasecmp(value, "basic"))
 	default_auth_type = CUPSD_AUTH_BASIC;
-#ifdef HAVE_GSSAPI
       else if (!_cups_strcasecmp(value, "negotiate"))
         default_auth_type = CUPSD_AUTH_NEGOTIATE;
-#endif /* HAVE_GSSAPI */
       else if (!_cups_strcasecmp(value, "auto"))
         default_auth_type = CUPSD_AUTH_AUTO;
       else