# HG changeset patch # User Jan Parcel # Date 1461801322 25200 # Node ID 683c5c035a7943004c3c948efc036a0090623a5b # Parent 3e994941530839f006cc96f49904a581ef55bcf4 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos 23041772 Reconcile redundancies between patches and Makefile 23044356 Unable to build openldap if cyrus-sasl requests -lldap_r for ldapdb 22928693 Now that libsasl2 is available, openldap should call it out as a dependency 23072799 fix dead/broken links in sasl html docs 23077448 Broken links with Net TI install with facet.devel=false - libsasl2 diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/Makefile --- a/components/cyrus-sasl/Makefile Wed Apr 27 16:15:18 2016 -0700 +++ b/components/cyrus-sasl/Makefile Wed Apr 27 16:55:22 2016 -0700 @@ -54,7 +54,7 @@ SASL_CONFDIR = $(ETCDIR)/sasl2 PROTO_CONFDIR = $(PROTO_DIR)$(SASL_CONFDIR) -TESTS_DIR=$(PROTO_DIR)/$(SASL2)/tests +TESTS_DIR=$(PROTO_DIR)/tests TESTS_32_DIR=$(TESTS_DIR)/$(MACH32) # Migrated from ON in S12, including stuff from system/header, so this @@ -73,11 +73,18 @@ CPPFLAGS += -I$(USRINCDIR)/openldap LDFLAGS += $(CC_BITS) -lscf -lresolv +# if there is no mediator, use MIT +KRB5_API = $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}') + CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR) CONFIGURE_OPTIONS += --enable-auth-sasldb CONFIGURE_OPTIONS += --with-dblib=berkeley CONFIGURE_OPTIONS += --with-saslauthd=$(USRSBINDIR)/saslauthd +ifeq ($(KRB5_API), solaris) CONFIGURE_OPTIONS += --with-gss_impl=seam +else +CONFIGURE_OPTIONS += --with-gss_impl=mit +endif CONFIGURE_OPTIONS += --without-gnu-ld CONFIGURE_OPTIONS.32 += --with-plugindir=$(SASL2.32) CONFIGURE_OPTIONS.64 += --with-plugindir=$(SASL2.64) 
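Review bot: `KRB5_API = $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}')` is a recursive assignment, so the pkg/nawk pipeline is re-run at every expansion (the `ifeq` here and the `ifneq` in the REQUIRED_PACKAGES hunk), and more importantly the GSSAPI backend compiled into the shipped libsasl2 is decided by the build host's mediator state rather than by anything in the source tree, so two hosts can produce different binaries with different package dependencies from the same changeset. `KRB5_API := $(strip $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}'))` evaluates once and still lets a command-line `KRB5_API=mit` override it for a reproducible build. The comment above it should state the full rule, e.g. `# GSSAPI implementation follows the build host's kerberos5 mediator; no mediator, or any value other than "solaris", selects MIT`.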
@@ -88,11 +95,7 @@ CONFIGURE_OPTIONS += --enable-sample CONFIGURE_OPTIONS += --enable-login CONFIGURE_OPTIONS += --with-configdir=$(ETCDIR)/sasl2 - -# 23044356 must be fixed before this can be enabled -# bugzilla.cyrusimap.org 3926 must be fixed before this can be useful -# except for testing -# CONFIGURE_OPTIONS += --enable-ldapdb +CONFIGURE_OPTIONS += --enable-ldapdb PKG_PROTO_DIRS += $(SOURCE_DIR)/doc $(COMPONENT_DIR)/Solaris @@ -176,7 +179,8 @@ CLEAN_PATHS += $(TARBALL_DIR) test_tarball: sasltest.tgz -TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup +TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup \ + setup-for-mit setup-for-seam sasltest.tgz: install $(MKDIR) $(TARBALL_DIR) @@ -193,4 +197,7 @@ REQUIRED_PACKAGES += developer/build/automake-115 REQUIRED_PACKAGES += library/openldap REQUIRED_PACKAGES += library/security/openssl +ifneq ($(KRB5_API), solaris) + REQUIRED_PACKAGES += security/kerberos-5 +endif REQUIRED_PACKAGES += system/library/security/gss diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/libsasl2.p5m --- a/components/cyrus-sasl/libsasl2.p5m Wed Apr 27 16:15:18 2016 -0700 +++ b/components/cyrus-sasl/libsasl2.p5m Wed Apr 27 16:55:22 2016 -0700 @@ -42,7 +42,7 @@ value=org.opensolaris.category.2008:System/Libraries set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/194 +set name=org.opensolaris.arc-caseid value=PSARC/2015/194 value=PSARC/2016/158 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) dir path=etc/sasl2 owner=root group=sys mode=0755 file README path=etc/sasl2/README 
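Review bot: Turning on `--enable-ldapdb` also drops the removed note that upstream bugzilla 3926 had to be fixed before the ldapdb auxprop plugin is useful for anything but testing, and neither the commit message (which cites only 23044772/23044356 for the link problem) nor the hunk says that 3926 was resolved. If it is still open, keep a one-line pointer next to the new option, `# ldapdb is usable for testing only until bugzilla.cyrusimap.org 3926 is fixed`; if it was fixed, record that in the commit message so the next reader does not have to dig. The CONFIGURE_OPTIONS list this line belongs to starts before the hunk.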
@@ -58,9 +58,7 @@ link path=usr/lib/$(MACH64)/libsasl2.so target=libsasl2.so.3.0.0 link path=usr/lib/$(MACH64)/libsasl2.so.3 target=libsasl2.so.3.0.0 file path=usr/lib/$(MACH64)/libsasl2.so.3.0.0 -link path=usr/lib/$(MACH64)/llib-lsasl target=../llib-lsasl2 link path=usr/lib/$(MACH64)/llib-lsasl.ln target=llib-lsasl2.ln -link path=usr/lib/$(MACH64)/llib-lsasl2 target=../llib-lsasl2 file path=usr/lib/$(MACH64)/llib-lsasl2.ln link path=usr/lib/$(MACH64)/pkgconfig/libsasl.pc target=libsasl2.pc file path=usr/lib/$(MACH64)/pkgconfig/libsasl2.pc 
@@ -134,6 +132,28 @@ file advanced.html path=usr/share/doc/libsasl2/advanced.html file appconvert.html path=usr/share/doc/libsasl2/appconvert.html file components.html path=usr/share/doc/libsasl2/components.html +file draft-burdis-cat-srp-sasl-xx.txt \ + path=usr/share/doc/libsasl2/draft-burdis-cat-srp-sasl-xx.txt +file draft-ietf-sasl-anon-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-anon-xx.txt +file draft-ietf-sasl-crammd5-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-crammd5-xx.txt +file draft-ietf-sasl-gssapi-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-gssapi-xx.txt +file draft-ietf-sasl-plain-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-plain-xx.txt +file draft-ietf-sasl-rfc2222bis-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2222bis-xx.txt +file draft-ietf-sasl-rfc2831bis-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2831bis-xx.txt +file draft-ietf-sasl-saslprep-xx.txt \ + path=usr/share/doc/libsasl2/draft-ietf-sasl-saslprep-xx.txt +file draft-murchison-sasl-login-xx.txt \ + path=usr/share/doc/libsasl2/draft-murchison-sasl-login-xx.txt +file draft-newman-sasl-c-api-xx.txt \ + path=usr/share/doc/libsasl2/draft-newman-sasl-c-api-xx.txt +file draft-newman-sasl-passdss-xx.txt \ + path=usr/share/doc/libsasl2/draft-newman-sasl-passdss-xx.txt file gssapi.html path=usr/share/doc/libsasl2/gssapi.html file index.html path=usr/share/doc/libsasl2/index.html file install.html path=usr/share/doc/libsasl2/install.html 
@@ -142,6 +162,19 @@ file options.html path=usr/share/doc/libsasl2/options.html file plugprog.html path=usr/share/doc/libsasl2/plugprog.html file programming.html path=usr/share/doc/libsasl2/programming.html +file rfc1321.txt path=usr/share/doc/libsasl2/rfc1321.txt +file rfc1939.txt path=usr/share/doc/libsasl2/rfc1939.txt +file rfc2104.txt path=usr/share/doc/libsasl2/rfc2104.txt +file rfc2195.txt path=usr/share/doc/libsasl2/rfc2195.txt +file rfc2222.txt path=usr/share/doc/libsasl2/rfc2222.txt +file rfc2243.txt path=usr/share/doc/libsasl2/rfc2243.txt +file rfc2245.txt path=usr/share/doc/libsasl2/rfc2245.txt +file rfc2289.txt path=usr/share/doc/libsasl2/rfc2289.txt +file rfc2444.txt path=usr/share/doc/libsasl2/rfc2444.txt +file rfc2595.txt path=usr/share/doc/libsasl2/rfc2595.txt +file rfc2831.txt path=usr/share/doc/libsasl2/rfc2831.txt +file rfc2945.txt path=usr/share/doc/libsasl2/rfc2945.txt +file rfc3174.txt path=usr/share/doc/libsasl2/rfc3174.txt file sysadmin.html path=usr/share/doc/libsasl2/sysadmin.html file upgrading.html path=usr/share/doc/libsasl2/upgrading.html file windows.html path=usr/share/doc/libsasl2/windows.html diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/patches/102-sasldir-fix.patch --- a/components/cyrus-sasl/patches/102-sasldir-fix.patch Wed Apr 27 16:15:18 2016 -0700 +++ b/components/cyrus-sasl/patches/102-sasldir-fix.patch Wed Apr 27 16:55:22 2016 -0700 @@ -1,5 +1,6 @@ -Developed in-house at Oracle -Bugzilla Bug 3401 sasldir and plugindir in Makefile.am +# Developed in-house at Oracle +# Commented on bugzilla Bug 3401 sasldir and plugindir in Makefile.am +# Upstream is considering multiple solutions, attached this patch to the bug. diff -rupN old/configure.in new/configure.in --- old/configure.in 2015-01-16 16:06:51.953695234 -0800 diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/patches/107-build-testsuite.patch 
--- a/components/cyrus-sasl/patches/107-build-testsuite.patch Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking this to be an option for configure
-
-diff -rupN old/utils/Makefile.am new/utils/Makefile.am
---- old/utils/Makefile.am 2016-02-12 11:48:32.389775435 -0800
-+++ new/utils/Makefile.am 2016-02-12 11:51:08.007216490 -0800
-@@ -48,7 +48,7 @@ all_sasl_static_libs = ../lib/.libs/libs
- sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
- EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
-
--noinst_PROGRAMS = dbconverter-2
-+noinst_PROGRAMS = dbconverter-2 testsuite
-
- if NO_SASL_DB_MANS
- man_MANS =
diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/patches/108-sample-test-tools.patch
--- a/components/cyrus-sasl/patches/108-sample-test-tools.patch Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking for this to be a configure option
-
-diff -rupN old/sample/Makefile.am new/sample/Makefile.am
---- old/sample/Makefile.am 2016-02-16 13:53:52.473628366 -0800
-+++ new/sample/Makefile.am 2016-02-16 14:14:10.022927698 -0800
-@@ -44,7 +44,7 @@
-
- INCLUDES=-I$(top_srcdir)/include
-
--noinst_PROGRAMS = client server
-+noinst_PROGRAMS = client server sample-client sample-server
- EXTRA_PROGRAMS = sample-client sample-server
- CLEANFILES=sample-client sample-server ./.libs/*sample-client ./.libs/*sample-server
-
diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/patches/110-solaris-configure.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/110-solaris-configure.patch Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,31 @@
+# Developed in-house at Oracle
+# File bug 3239 upstream asking for a configure option to give a path or name
+# for the openldap library.
+# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3929
+
+diff -rupN old/configure.in new/configure.in
+--- old/configure.in 2016-02-23 19:24:33.185997552 -0800
++++ new/configure.in 2016-02-24 10:14:11.001802600 -0800
+@@ -968,7 +968,7 @@ if test "$ldapdb" != no; then
+ CMU_OPENLDAP_API
+
+ if test "$cmu_cv_openldap_api" = yes; then
+- AC_CHECK_LIB(ldap, ldap_initialize, [ cmu_link_openldap="-lldap -llber" ], [ cmu_link_openldap=no ],-llber)
++ AC_CHECK_LIB(ldap_r, ldap_initialize, [ cmu_link_openldap="-lldap_r -llber" ], [ cmu_link_openldap=no ],-llber)
+ fi
+ fi
+
+diff -rupN old/saslauthd/configure.in new/saslauthd/configure.in
+--- old/saslauthd/configure.in 2016-02-23 19:24:48.448493822 -0800
++++ new/saslauthd/configure.in 2016-02-24 06:26:13.041626875 -0800
+@@ -138,8 +138,8 @@ fi
+
+ LDAP_LIBS=""
+ if test "$with_ldap" != no; then
+- AC_CHECK_LIB(ldap, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
+- LDAP_LIBS="-lldap -llber"
++ AC_CHECK_LIB(ldap_r, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
++ LDAP_LIBS="-lldap_r -llber"
+ if test "$with_openssl" != "no"; then
+ LDAP_LIBS="$LDAP_LIBS -lcrypto $LIB_RSAREF"
+ fi],,-llber)
diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/patches/111-fix-html-doc-links.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/111-fix-html-doc-links.patch Wed Apr 27 16:55:22 2016 -0700
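Review bot: The header of the new patch says `# File bug 3239 upstream` while the URL on the next line is `show_bug.cgi?id=3929`, so one of the two numbers is a typo and anyone following the link to check the patch's upstream status lands on the wrong bug; make them agree, e.g. `# Filed bug 3929 upstream asking for a configure option to give a path or name`. The two AC_CHECK_LIB edits also hard-wire `-lldap_r`, so on a system that ships only the non-reentrant `libldap` the check fails and ldapdb and saslauthd's LDAP support silently drop out of the build; a one-line note in the header saying that Solaris ships `libldap_r` and the substitution is intentional would spare the next porter that surprise.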
@@ -0,0 +1,39 @@ +# This patch has been fed upstream. +# Patch to remove links to documents that are no longer available, fix +# changed links. +# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3930 + +diff -rupN old/doc/index.html new/doc/index.html +--- old/doc/index.html 2016-04-07 17:43:16.583489776 -0700 ++++ new/doc/index.html 2016-04-12 11:01:09.353415779 -0700 +@@ -40,7 +40,6 @@ library distribution + Special Platforms + + +diff -rupN old/doc/install.html new/doc/install.html +--- old/doc/install.html 2016-04-07 17:43:16.597328339 -0700 ++++ new/doc/install.html 2016-04-12 11:01:33.989542591 -0700 +@@ -218,7 +218,6 @@ can be linked against other dynamic obje + library file extension is ".so", or where libtool creates the .la + files correctly. There is also documentation for + Win32, MacOS X, and +-OS/390. + +
+ Back to the index +diff -rupN old/doc/readme.html new/doc/readme.html +--- old/doc/readme.html 2016-04-07 17:43:16.589392684 -0700 ++++ new/doc/readme.html 2016-04-12 11:02:38.062666985 -0700 +@@ -102,7 +102,7 @@ we only have static Krb5 libraries; the + these libraries in on platforms that support it (Solaris and Linux + among them) but it does not. It also doesn't always get the runpath + of libraries correct. +-
  • Also see our bugzilla. ++
  • Also see our bugzilla. + + +

    AUTHORS

    diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/test/TestSuite.conf --- a/components/cyrus-sasl/test/TestSuite.conf Wed Apr 27 16:15:18 2016 -0700 +++ b/components/cyrus-sasl/test/TestSuite.conf Wed Apr 27 16:55:22 2016 -0700 @@ -19,7 +19,7 @@ # # Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. -# Default test parameters +# Default test parameters, NOT default production parameters. auxprop_plugin: sasldb canon_user_plugin: INTERNAL mech_list: LOGIN PLAIN EXTERNAL OTP CRAM-MD5 DIGEST-MD5 ANONYMOUS GSSAPI SCRAM-SHA-1 diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/test/setup-for-mit --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/cyrus-sasl/test/setup-for-mit Wed Apr 27 16:55:22 2016 -0700 
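Review bot: The reworded comment says these are not production parameters, but this file is installed under `/etc/sasl2` on the test host by setup_testsuite (its `if [[ ! -f /etc/sasl2/TestSuite.conf ]]` check is in a later hunk), and the `mech_list` it carries permits ANONYMOUS, PLAIN and LOGIN with no transport requirement, so the warning is more useful if it says where the file ends up and who removes it: `# Default test parameters, NOT default production parameters: installed to /etc/sasl2 by setup_testsuite and removed by cleanup.` I cannot see the cleanup script in this changeset, so confirm it actually deletes the file before wording it that way.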
@@ -0,0 +1,212 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+# have to use longer string because the end of security/kerberos5 matches
+# 2 packages, old and new.
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+ pkg://solaris/security/kerberos-5 \
+ security/kerberos-5/kdc "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ echo "One or more packages failed to install"
+ exit 1
+fi
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+if ! $force
+then
+ ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+ yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system. If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+ if [[ -n "$kt_config_file" ]]
+ then
+ if ! $force
+ then
+ ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+ fi
+ while read host services
+ do
+ if [[ "$host" == "#*" ]]
+ then
+ # skip comments
+ continue
+ fi
+ if [[ "$host" != "localhost" ]]
+ then
+ hostkeytab="/var/run/${host}.keytab"
+ rm -f $hostkeytab
+ kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+ fi
+ for service in $services
+ do
+ if [[ "$host" == "localhost" ]]
+ then
+ # add service to KDC's keytab
+ kadmin.local -q "addprinc -randkey $service/$fqdn"
+ kadmin.local -q "ktadd $service/$fqdn"
+ print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+ else
+ # add service to $host's keytab
+ kadmin.local -q "addprinc -randkey $service/$host"
+ kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+ print "\nAdded $service/$host to $hostkeytab"
+ fi
+ done
+ ((num_keytabs = num_keytabs + 1))
+ done < $kt_config_file
+ fi
+
+ if [[ -n "$crossrealm" ]]
+ then
+ # Setup Cross-realm auth.
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+ print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+ fi
+
+ # Optional, Add service principals on KDC
+ for srv in nfs ldap smtp imap cifs
+ do
+ # randomizes the key anyway so use the -randkey option for addprinc).
+ kadmin.local -q "addprinc -randkey $srv/$fqdn"
+ kadmin.local -q "ktadd $srv/$fqdn"
+ done
+
+
+ # "tester" needed for setup
+ kadmin.local -q "addprinc -pw $passwd tester"
+
+ # "ken" needed for test
+ echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+ kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
+then
+ tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+ [[ -n $tmpnfssec ]] || exit 1
+ sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+ mv -f $tmpnfssec /etc/nfssec.conf
+ print 'Enabled krb5 sec in /etc/nfssec.conf.'
+ print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+ print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+ cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+ svcadm enable -s svc:/network/ntp:default
+fi
+
+svcadm enable -s svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+ svcs -x svc:/network/rpc/gss:default
+ cat <<-EOF
+
+Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
+
+EOF
+ exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+ print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+ exit 1
+fi
+
+integer i=0
+while ((i < num_keytabs))
+do
+ if ((i == 0))
+ then
+ print "\nRun the following commands to transfer generated keytabs:"
+ fi
+ print ${kt_transfer_command[i]}
+ ((i = i + 1))
+done
+
diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/test/setup-for-seam
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/test/setup-for-seam Wed Apr 27 16:55:22 2016 -0700
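Review bot: The new script carries a `#!/bin/ksh93 -p` shebang yet depends on `$force`, `$realm`, `$admin_princ`, `$fqdn`, `$kt_config_file` and `$num_keytabs` being set by the caller that sources it (setup_testsuite does `. ./setup-for-$KMODE` in a later hunk); run on its own, `if ! $force` expands to an empty command and appears to skip the `ok_to_proceed` confirmation, so `kdcmgr destroy` wipes the host's KDC without asking and `kdcmgr ... create` then runs with empty `-a`/`-r` arguments. Add a guard before the package install, `[[ -n $realm && -n $admin_princ && -n $fqdn ]] || { print -u2 "setup-for-mit must be sourced from setup_testsuite"; exit 1; }`, or drop the shebang and open the file with a comment saying it is a sourced fragment. Separately, `[[ "$host" == "#*" ]]` compares against the literal two-character string `#*` because the right-hand side is quoted, so commented lines in `$kt_config_file` are not skipped; `[[ "$host" == \#* ]]` is the pattern that was intended.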
@@ -0,0 +1,241 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+ service/security/kerberos-5 \
+ system/security/kerberos-5 "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ echo "One or more packages failed to install"
+ exit 1
+fi
+
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+svcadm disable -s svc:/network/security/krb5kdc:default
+svcadm disable -s svc:/network/security/kadmin:default
+svcadm disable -s svc:/network/security/krb5_prop:default
+
+if ! $force
+then
+ ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+ yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system. If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+ if [[ -n "$kt_config_file" ]]
+ then
+ if ! $force
+ then
+ ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+ fi
+ while read host services
+ do
+ if [[ "$host" == "#*" ]]
+ then
+ # skip comments
+ continue
+ fi
+ if [[ "$host" != "localhost" ]]
+ then
+ hostkeytab="/var/run/${host}.keytab"
+ rm -f $hostkeytab
+ kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+ fi
+ for service in $services
+ do
+ if [[ "$host" == "localhost" ]]
+ then
+ # add service to KDC's keytab
+ kadmin.local -q "addprinc -randkey $service/$fqdn"
+ kadmin.local -q "ktadd $service/$fqdn"
+ print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+ else
+ # add service to $host's keytab
+ kadmin.local -q "addprinc -randkey $service/$host"
+ kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+ print "\nAdded $service/$host to $hostkeytab"
+ fi
+ done
+ ((num_keytabs = num_keytabs + 1))
+ done < $kt_config_file
+ fi
+
+ if [[ -n "$crossrealm" ]]
+ then
+ # Setup Cross-realm auth.
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+ print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+ fi
+
+ # Optional, Add service principals on KDC
+ for srv in nfs ldap smtp imap cifs
+ do
+ # randomizes the key anyway so use the -randkey option for addprinc).
+ kadmin.local -q "addprinc -randkey $srv/$fqdn"
+ kadmin.local -q "ktadd $srv/$fqdn"
+ done
+
+
+ # "tester" needed for setup
+ kadmin.local -q "addprinc -pw $passwd tester"
+
+ # "ken" needed for test
+ echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+ kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
+then
+ tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+ [[ -n $tmpnfssec ]] || exit 1
+ sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+ mv -f $tmpnfssec /etc/nfssec.conf
+ print 'Enabled krb5 sec in /etc/nfssec.conf.'
+ print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+ print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+ cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+ svcadm enable -s svc:/network/ntp:default
+fi
+
+
+svcadm enable svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/security/krb5kdc:default
+then
+ svcs -x svc:/network/security/krb5kdc:default
+ cat <<-EOF
+
+Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
+authentication. Check your kerberos config and rerun this script.
+
+ EOF
+ exit 1
+fi
+
+if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
+then
+ svcs -x svc:/network/security/kadmin:default
+ cat <<-EOF
+
+Error, the kadmind daemon did not start. You will not be able to change
+passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
+configured properly and rerun this script.
+
+ EOF
+ exit 1
+fi
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+ svcs -x svc:/network/rpc/gss:default
+ cat <<-EOF
+
+Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
+
+ EOF
+ exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+ print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+ exit 1 +fi + +integer i=0 +while ((i < num_keytabs)) +do + if ((i == 0)) + then + print "\nRun the following commands to transfer generated keytabs:" + fi + print ${kt_transfer_command[i]} + ((i = i + 1)) +done + diff -r 3e9949415308 -r 683c5c035a79 components/cyrus-sasl/test/setup_testsuite --- a/components/cyrus-sasl/test/setup_testsuite Wed Apr 27 16:15:18 2016 -0700 +++ b/components/cyrus-sasl/test/setup_testsuite Wed Apr 27 16:55:22 2016 -0700 @@ -29,10 +29,6 @@ # -- create/recreate the KDC principal DB # -- create a sasldb -#TODO -# -- create a TestSuite.conf file for a default simple test - -#PATH=/usr/bin:/usr/sbin:/usr/gnu/bin export THIRTYTWO case `uname -p` in @@ -50,7 +46,7 @@ # realm used as default, edit if a different realm is desired. -realm="SASLTEST.NET" +export realm="SASLTEST.NET" # realm for cross-realm auth. crossrealm= @@ -61,7 +57,8 @@ # Be default you would do: "kadmin -p kdc/admin" and use the passwd above. admin_princ="kdc/admin" -# used to determine if in batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode +# used to determine if in +# batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode force='false' check_leaks='false' @@ -70,8 +67,6 @@ num_keytabs=0 set -A kt_transfer_command -ldap_ds= - # should be null if seting up master kdc master_kdc= @@ -147,7 +142,7 @@ if [[ -f .setup ]] then - print -u2 "Notice: $me alread run" + print -u2 "Notice: $me already run" exit 0 fi 
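Review bot: `kinit -c $tmpccache tester` writes a TGT for the `tester` principal into a `mktemp`-named file under /tmp and nothing afterwards destroys it, so every run leaves a live credential cache behind on the test host; after the success check add `kdestroy -c $tmpccache` and then `rm -f $tmpccache` (setup-for-mit has the same gap). The `addprinc -pw $passwd ...` calls pass the password on the kadmin.local command line, where it is visible to other local users in the process table while the command runs — tolerable for a throw-away `1234` test realm, but worth a one-line comment saying that this realm must never be reused as anything else. The `cat <<-EOF` blocks end with an indented `EOF`; `<<-` strips only leading tabs, so if that indentation is spaces the here-document never terminates — I cannot tell from the collapsed diff, please confirm. Note also that `svcadm enable svc:/network/security/ktkt_warn:default` lacks the `-s` the neighbouring enables use, so a failure there goes unreported.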
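Review bot: The re-wrapped comment keeps the stray editor paste: `# batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode` is the word "non-interactive" with a personal home-directory path dropped into the middle of it, and the hunk only reflows it onto two lines. Replace both comment lines with `# used to determine if in batch/non-interactive mode`, which also removes a developer's path from a shipped test script.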
@@ -167,24 +162,10 @@ fi ln -s $THIRTYTWO 32 -PACKAGES_NEEDED="service/security/kerberos-5 \ - system/security/kerberos-5 \ - system/library/security/sasl/crammd5 \ +export SASL_PACKAGES_NEEDED="system/library/security/sasl/crammd5 \ system/library/security/sasl/digestmd5 \ system/library/security/sasl/anonymous " -pkg list $PACKAGES_NEEDED > /dev/null -if (( $? != 0 )) -then - pkg install $PACKAGES_NEEDED -fi - -pkg list $PACKAGES_NEEDED > /dev/null -if (( $? != 0 )) -then - echo "One or more packages failed to install" - exit 1 -fi export MYLOC=`pwd` if [[ ! -f /etc/sasl2/TestSuite.conf ]] ; then 
@@ -224,134 +205,6 @@ exit 1 fi -passwd="1234" - -trap "echo 'A command failed, aborting.'; exit 1" ERR - -svcadm disable -s svc:/network/security/krb5kdc:default -svcadm disable -s svc:/network/security/kadmin:default -svcadm disable -s svc:/network/security/krb5_prop:default - -if ! $force -then - ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?" -fi - -trap - ERR # in kdcmgr destroy fails, run it again -yes | /usr/sbin/kdcmgr destroy > /dev/null -if (( $? != 0 )) -then - yes | /usr/sbin/kdcmgr destroy > /dev/null -fi -print "Existing KDC config destroyed." -trap "echo 'A command failed, aborting.'; exit 1" ERR - -passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX) - -print $passwd > $passwd_file - -# create the master KDC -if [[ -n $master_kdc ]] -then - /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave -else - /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master -fi - -rm -f $passwd_file - -# Optional stuff follows... - -# Note, this next section is adding various service principals local to -# this system. If you have servers running on other systems, edit this -# section to add the services using the FQDN hostnames of those systems -# and ouput the keytab to a non-default filename. -# You will then either copy the non-default filename created on the -# system you ran this script on or login to the other system and do a -# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab -# located on that server. - -# addprincs if not in slave mode -if [[ -z $master_kdc ]] -then - if [[ -n "$kt_config_file" ]] - then - if ! $force - then - ok_to_proceed "Existing keytab files will be modified, okay to proceed?" 
- fi - while read host services - do - if [[ "$host" == "#*" ]] - then - # skip comments - continue - fi - if [[ "$host" != "localhost" ]] - then - hostkeytab="/var/run/${host}.keytab" - rm -f $hostkeytab - kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab" - fi - for service in $services - do - if [[ "$host" == "localhost" ]] - then - # add service to KDC's keytab - kadmin.local -q "addprinc -randkey $service/$fqdn" - kadmin.local -q "ktadd $service/$fqdn" - print "Added $service/$fqdn to /etc/krb5/krb5.keytab" - else - # add service to $host's keytab - kadmin.local -q "addprinc -randkey $service/$host" - kadmin.local -q "ktadd -k $hostkeytab $service/$host" - print "\nAdded $service/$host to $hostkeytab" - fi - done - ((num_keytabs = num_keytabs + 1)) - done < $kt_config_file - fi - - if [[ -n "$crossrealm" ]] - then - # Setup Cross-realm auth. - kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm" - kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm" - print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm." - fi - - # Optional, Add service principals on KDC - for srv in nfs ldap smtp imap cifs - do - # randomizes the key anyway so use the -randkey option for addprinc). - kadmin.local -q "addprinc -randkey $srv/$fqdn" - kadmin.local -q "ktadd $srv/$fqdn" - done - - - # "tester" needed for setup - kadmin.local -q "addprinc -pw $passwd tester" - - # "ken" needed for test - echo "1234" | saslpasswd2 -c -p -f ./sasldb ken - kadmin.local -q "addprinc -pw $passwd ken" - -fi # addprincs if not in slave mode - -# turn off err trap because svcadm below may return an unimportant error -trap "" ERR - -if ! 
egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null -then - tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX) - [[ -n $tmpnfssec ]] || exit 1 - sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec - mv -f $tmpnfssec /etc/nfssec.conf - print 'Enabled krb5 sec in /etc/nfssec.conf.' - print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.' - print -fi - # get time and DNS running if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]] 
@@ -363,63 +216,27 @@ svcadm enable -s svc:/network/ntp:default fi - -svcadm enable svc:/network/security/ktkt_warn:default +export KMODE="mit" +set -A MEDIATOR `pkg mediator -H kerberos5` -if ! svcadm enable -s svc:/network/security/krb5kdc:default -then - svcs -x svc:/network/security/krb5kdc:default - cat <<-EOF +case ${MEDIATOR[3]} in -Error, the krb5kdc daemon did not start. You will not be able to do Kerberos -authentication. Check your kerberos config and rerun this script. + "solaris" ) # old kerberos configured + KMODE="seam" + ;; - EOF - exit 1 -fi + *) # "MIT" or mediator does not exist + KMODE="mit" + ;; +esac -if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default +. ./setup-for-$KMODE +if (( $? != 0 )) then - svcs -x svc:/network/security/kadmin:default - cat <<-EOF - -Error, the kadmind daemon did not start. You will not be able to change -passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is -configured properly and rerun this script. - - EOF - exit 1 + print -u2 "Setup failed" + exit 1 fi -if ! svcadm enable -s svc:/network/rpc/gss:default -then - svcs -x svc:/network/rpc/gss:default - cat <<-EOF -Error, the gss service did not start. You will not be able to do nfssec with sec=krb5* - - EOF - exit 1 -fi - -tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX) -[[ -n $tmpccache ]] || exit 1 -if ! print "$passwd" | kinit -c $tmpccache tester -then - print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!" - exit 1 -fi - -integer i=0 -while ((i < num_keytabs)) -do - if ((i == 0)) - then - print "\nRun the following commands to transfer generated keytabs:" - fi - print ${kt_transfer_command[i]} - ((i = i + 1)) -done - -print 1234 | kinit ken +print "$passwd" | kinit ken touch .setup diff -r 3e9949415308 -r 683c5c035a79 components/openldap/openldap.p5m --- a/components/openldap/openldap.p5m Wed Apr 27 16:15:18 2016 -0700 +++ b/components/openldap/openldap.p5m Wed Apr 27 16:55:22 2016 -0700 
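Review bot: `print "$passwd" | kinit ken` is the step whose outcome decides whether the suite can authenticate later, yet its status is ignored and `touch .setup` then records setup as complete, so a KDC that came up wrong or a `ken` principal that was never created is only noticed when tests fail and is never retried because `.setup` exists. Check it: `print "$passwd" | kinit ken || { print -u2 "kinit for ken failed"; exit 1; }`. Note also that `$passwd` is no longer defined in this file — it comes from the sourced `setup-for-$KMODE` — so a comment on the `.` line such as `# sets passwd, creates the KDC and the tester/ken principals` would stop someone "fixing" it with a local copy. The sourced scripts also leave `trap "" ERR` in effect, so an ERR trap would not catch the failure here either.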
@@ -20,7 +20,7 @@ # # -# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability committed> @@ -513,10 +513,6 @@ uid=75 license openldap.license license="openldap license" # This dependency is because we are building against cyrus-sasl from its proto -# area and bypassing the auto-generated dependency. When libsasl is updated, -# this version number really should be adjusted, but the userland-incorporation -# will force the cyrus-sasl packaging and openldap packaging to be from the same -# build and not just this version or later. -# The strange version number is caused by historical versioning in ON and will -# go away when the libsasl package name is changed to libsasl2 -depend type=require fmri=pkg:/system/library/security/libsasl@5.12.2.1.26 +# area and bypassing the auto-generated dependency. When upstream libsasl +# is updated, this version number must be adjusted. +depend type=require fmri=pkg:/system/library/security/libsasl2@2.1.26