Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
24377741 Update Userland krb5 to MIT 1.14.3
authorShawn Emery <shawn.emery@oracle.com>
Tue, 09 Aug 2016 21:10:38 -0700
changeset 6599 1d033832c5e7
parent 6598 97c29bc92758
child 6602 162319034b53
24377741 Update Userland krb5 to MIT 1.14.3 24379666 problem in UTILITY/KERBEROS
components/krb5/Makefile file | annotate | diff | comparison | revisions
components/krb5/patches/010-qop.patch file | annotate | diff | comparison | revisions
components/krb5/patches/011-libgss_hack.patch file | annotate | diff | comparison | revisions
components/krb5/patches/012-libgss_filter.patch file | annotate | diff | comparison | revisions
components/krb5/patches/014-init_ccache.patch file | annotate | diff | comparison | revisions
components/krb5/patches/016-solaris_paths.patch file | annotate | diff | comparison | revisions
components/krb5/patches/018-krb5_keyblock-ABI.patch file | annotate | diff | comparison | revisions
components/krb5/patches/019-log-rotation.patch file | annotate | diff | comparison | revisions
components/krb5/patches/020-libkrb5-makefile.patch file | annotate | diff | comparison | revisions
components/krb5/patches/021-dump-ok.patch file | annotate | diff | comparison | revisions
components/krb5/patches/022-case-ins-compare.patch file | annotate | diff | comparison | revisions
components/krb5/patches/023-mem-rcache.patch file | annotate | diff | comparison | revisions
components/krb5/patches/024-smb-compat.patch file | annotate | diff | comparison | revisions
components/krb5/patches/025-ktwarnd.patch file | annotate | diff | comparison | revisions
components/krb5/patches/026-inappropriate_assert.patch file | annotate | diff | comparison | revisions
components/krb5/patches/027-add_admin_sname_princ.patch file | annotate | diff | comparison | revisions
components/krb5/patches/028-rpc-gss.patch file | annotate | diff | comparison | revisions
components/krb5/patches/029-kadmin_disable_anonymity.patch file | annotate | diff | comparison | revisions
components/krb5/patches/030-force_dns_hostname_canon.patch file | annotate | diff | comparison | revisions
components/krb5/patches/031-kinit-support.patch file | annotate | diff | comparison | revisions
components/krb5/patches/032-pam-krb5.patch file | annotate | diff | comparison | revisions
components/krb5/patches/033-pkinit-pin.patch file | annotate | diff | comparison | revisions
components/krb5/patches/034-migrate.patch file | annotate | diff | comparison | revisions
components/krb5/patches/035-multi-master.patch file | annotate | diff | comparison | revisions
components/krb5/patches/036-verify-nofail.patch file | annotate | diff | comparison | revisions
components/krb5/patches/037-root-defcred.patch file | annotate | diff | comparison | revisions
components/krb5/patches/038-krb5-conf.patch file | annotate | diff | comparison | revisions
components/krb5/patches/039-15699628.patch file | annotate | diff | comparison | revisions
components/krb5/patches/041-move_macros.patch file | annotate | diff | comparison | revisions
components/krb5/patches/047-dejagnu.patch file | annotate | diff | comparison | revisions
components/krb5/patches/048-dns-fix.patch file | annotate | diff | comparison | revisions
components/krb5/patches/049-kpropd_no_retries.patch file | annotate | diff | comparison | revisions
components/krb5/patches/050-libverto_memleak.patch file | annotate | diff | comparison | revisions
components/krb5/patches/051-fopenF.patch file | annotate | diff | comparison | revisions
components/krb5/patches/052-krb5-config.patch file | annotate | diff | comparison | revisions
components/krb5/patches/053-kernel-mech.patch file | annotate | diff | comparison | revisions
components/krb5/patches/054-trailing-comments.patch file | annotate | diff | comparison | revisions
components/krb5/patches/055-register_gsscred.patch file | annotate | diff | comparison | revisions
components/krb5/patches/057-des-md5-fix.patch file | annotate | diff | comparison | revisions
components/krb5/patches/058-man-pages.patch file | annotate | diff | comparison | revisions
components/krb5/patches/059-man-pages-fix-paths.patch file | annotate | diff | comparison | revisions
components/krb5/patches/060-header-files-cleanup.patch file | annotate | diff | comparison | revisions
components/krb5/patches/062-ldap-fixes.patch file | annotate | diff | comparison | revisions
components/krb5/patches/063-disable-rev-dns-lookup.patch file | annotate | diff | comparison | revisions
components/krb5/patches/065-no_MD5_in_rcache.patch file | annotate | diff | comparison | revisions
components/krb5/patches/068-ldif-format.patch file | annotate | diff | comparison | revisions
components/krb5/patches/069-k5identity-disable.patch file | annotate | diff | comparison | revisions
components/krb5/patches/070-gss_store_cred-fix.patch file | annotate | diff | comparison | revisions
components/krb5/patches/071-t_kdb-slapd.patch file | annotate | diff | comparison | revisions
components/krb5/patches/072-client-keytab-fix.patch file | annotate | diff | comparison | revisions 
--- a/components/krb5/Makefile	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/Makefile	Tue Aug 09 21:10:38 2016 -0700
@@ -31,7 +31,7 @@
 # Encoding rule for MICRO: MIT KerberosV5 x.y[.z] => MICRO $MINOR[.z]
 COMPONENT_MAJOR=	1
 COMPONENT_MINOR=	$(COMPONENT_MAJOR).14
-COMPONENT_MICRO=	$(COMPONENT_MINOR).2
+COMPONENT_MICRO=	$(COMPONENT_MINOR).3
 
 COMPONENT_VERSION=		$(COMPONENT_MICRO)
 IPS_COMPONENT_VERSION=	$(COMPONENT_VERSION).0
@@ -39,12 +39,12 @@
 COMPONENT_PROJECT_URL=	http://web.mit.edu/kerberos/
 COMPONENT_SRC=		krb5-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE_HASH=	\
-	sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
+	sha256:cd4620d520cf0df0dd8791309912df2bb20fcba76790b9fba4e25c1da08ff2c9
 COMPONENT_ARCHIVE_URL=	\
 	$(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/kerberos
 
-TPNO=		27916
+TPNO=		30601
 
 # Depends on S12-only header file in ON.
 ifeq ($(BUILD_TYPE), evaluation)
--- a/components/krb5/patches/010-qop.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/010-qop.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # This is a Solaris specific patch not intended for upstream contribution.
 # Patch source: in-house
 #
-diff -ur old/src/lib/gssapi/libgssapi_krb5.exports new/src/lib/gssapi/libgssapi_krb5.exports
---- old/src/lib/gssapi/libgssapi_krb5.exports	2014-08-11 02:19:59.000000000 -0700
-+++ new/src/lib/gssapi/libgssapi_krb5.exports	2014-09-05 08:22:03.879817432 -0700
-@@ -36,6 +36,9 @@
+diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
+--- a/src/lib/gssapi/libgssapi_krb5.exports
++++ b/src/lib/gssapi/libgssapi_krb5.exports
+@@ -37,6 +37,9 @@ GSS_C_MA_CBINDINGS
  GSS_C_MA_PFS
  GSS_C_MA_COMPRESS
  GSS_C_MA_CTX_TRANS
@@ -20,12 +20,10 @@
  gss_accept_sec_context
  gss_acquire_cred
  gss_acquire_cred_with_password
-Only in new/src/lib/gssapi: libgssapi_krb5.exports.orig
-Only in new/src/lib/gssapi: libgssapi_krb5.exports.rej
-diff -ur old/src/lib/gssapi/mechglue/Makefile.in new/src/lib/gssapi/mechglue/Makefile.in
---- old/src/lib/gssapi/mechglue/Makefile.in	2014-08-11 02:19:59.000000000 -0700
-+++ new/src/lib/gssapi/mechglue/Makefile.in	2014-09-05 08:20:06.987333578 -0700
-@@ -66,6 +66,7 @@
+diff --git a/src/lib/gssapi/mechglue/Makefile.in b/src/lib/gssapi/mechglue/Makefile.in
+--- a/src/lib/gssapi/mechglue/Makefile.in
++++ b/src/lib/gssapi/mechglue/Makefile.in
+@@ -66,6 +66,7 @@ SRCS = \
  	$(srcdir)/g_sign.c \
  	$(srcdir)/g_store_cred.c \
  	$(srcdir)/g_unseal.c \
@@ -33,7 +31,7 @@
  	$(srcdir)/g_unwrap_aead.c \
  	$(srcdir)/g_unwrap_iov.c \
  	$(srcdir)/g_verify.c \
-@@ -130,6 +131,7 @@
+@@ -130,6 +131,7 @@ OBJS = \
  	$(OUTPRE)g_sign.$(OBJEXT) \
  	$(OUTPRE)g_store_cred.$(OBJEXT) \
  	$(OUTPRE)g_unseal.$(OBJEXT) \
@@ -41,7 +39,7 @@
  	$(OUTPRE)g_unwrap_aead.$(OBJEXT) \
  	$(OUTPRE)g_unwrap_iov.$(OBJEXT) \
  	$(OUTPRE)g_verify.$(OBJEXT) \
-@@ -194,6 +196,7 @@
+@@ -194,6 +196,7 @@ STLIBOBJS = \
  	g_sign.o \
  	g_store_cred.o \
  	g_unseal.o \
@@ -49,10 +47,10 @@
  	g_unwrap_aead.o \
  	g_unwrap_iov.o \
  	g_verify.o \
-diff -ur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h
---- old/src/lib/gssapi/mechglue/mglueP.h	2014-08-11 02:19:59.000000000 -0700
-+++ new/src/lib/gssapi/mechglue/mglueP.h	2014-09-05 08:20:06.987586085 -0700
-@@ -66,6 +66,38 @@
+diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
+--- a/src/lib/gssapi/mechglue/mglueP.h
++++ b/src/lib/gssapi/mechglue/mglueP.h
+@@ -65,6 +65,38 @@ typedef struct gss_cred_id_struct {
  } gss_union_cred_desc, *gss_union_cred_t;
  
  /*
--- a/components/krb5/patches/011-libgss_hack.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/011-libgss_hack.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -9,13 +9,14 @@
 # This patch is not inteded for upstream contribution.
 # Patch source: in-house
 #
-diff -ur old/src/lib/gssapi/mechglue/g_initialize.c new/src/lib/gssapi/mechglue/g_initialize.c
---- old/src/lib/gssapi/mechglue/g_initialize.c	2014-08-06 19:07:58.000000000 +0200
-+++ new/src/lib/gssapi/mechglue/g_initialize.c	2014-08-06 19:28:42.310006486 +0200
-@@ -444,6 +444,145 @@
+diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
+--- a/src/lib/gssapi/mechglue/g_initialize.c
++++ b/src/lib/gssapi/mechglue/g_initialize.c
+@@ -1568,3 +1568,141 @@ addConfigEntry(const char *oidStr, const char *oid, const char *sharedLib,
+ 		g_mechList = aMech;
  }
  
- /*
++/*
 + * given a mechanism string return the mechanism oid
 + */
 +OM_uint32
@@ -153,16 +154,10 @@
 +
 +	return (kmodName);
 +} /* gssint_get_kmodName */
-+
-+/*
-  * determines if the mechList needs to be updated from file
-  * and performs the update.
-  * this functions must be called with a lock of g_mechListLock
-Only in new/src/lib/gssapi/mechglue: g_initialize.c.orig
-diff -ur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h
---- old/src/lib/gssapi/mechglue/mglueP.h	2014-08-06 19:07:58.000000000 +0200
-+++ new/src/lib/gssapi/mechglue/mglueP.h	2014-08-06 19:25:49.488232250 +0200
-@@ -793,6 +793,28 @@
+diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
+--- a/src/lib/gssapi/mechglue/mglueP.h
++++ b/src/lib/gssapi/mechglue/mglueP.h
+@@ -824,6 +824,28 @@ OM_uint32 gss_add_mech_name_type
   * Sun extensions to GSS-API v2
   */
  
@@ -191,4 +186,3 @@
  int
  gssint_get_der_length(
  	unsigned char **,	/* buf */
-Only in new/src/lib/gssapi/mechglue: mglueP.h.orig
--- a/components/krb5/patches/012-libgss_filter.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/012-libgss_filter.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -13,10 +13,10 @@
 # Solaris Kerberos libraries and is not intended for upstream contribution.
 # Patch source: in-house
 #
-diff -ru old/src/lib/gssapi/mechglue/Makefile.in new/src/lib/gssapi/mechglue/Makefile.in
---- old/src/lib/gssapi/mechglue/Makefile.in	2013-12-06 06:13:39.120432302 -0800
-+++ new/src/lib/gssapi/mechglue/Makefile.in	2013-12-19 03:23:30.589779644 -0800
-@@ -72,7 +72,8 @@
+diff --git a/src/lib/gssapi/mechglue/Makefile.in b/src/lib/gssapi/mechglue/Makefile.in
+--- a/src/lib/gssapi/mechglue/Makefile.in
++++ b/src/lib/gssapi/mechglue/Makefile.in
+@@ -72,7 +72,8 @@ SRCS = \
  	$(srcdir)/g_verify.c \
  	$(srcdir)/g_wrap_aead.c \
  	$(srcdir)/g_wrap_iov.c \
@@ -26,7 +26,7 @@
  
  OBJS = \
  	$(OUTPRE)g_accept_sec_context.$(OBJEXT) \
-@@ -137,7 +138,8 @@
+@@ -137,7 +138,8 @@ OBJS = \
  	$(OUTPRE)g_verify.$(OBJEXT) \
  	$(OUTPRE)g_wrap_aead.$(OBJEXT) \
  	$(OUTPRE)g_wrap_iov.$(OBJEXT) \
@@ -36,7 +36,7 @@
  
  STLIBOBJS = \
  	g_accept_sec_context.o \
-@@ -209,7 +211,7 @@
+@@ -209,7 +211,7 @@ EXPORTED_HEADERS = mechglue.h
  
  $(OBJS): $(EXPORTED_HEADERS)
  
--- a/components/krb5/patches/014-init_ccache.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/014-init_ccache.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,10 +6,10 @@
 # We will try to push the patch upstream.
 # Patch source: in-house
 #
-diff -ur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c
---- old/src/lib/gssapi/krb5/store_cred.c	2014-01-21 01:38:26.331798328 -0800
-+++ new/src/lib/gssapi/krb5/store_cred.c	2014-01-21 02:31:35.858882999 -0800
-@@ -145,6 +145,16 @@
+diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
+--- a/src/lib/gssapi/krb5/store_cred.c
++++ b/src/lib/gssapi/krb5/store_cred.c
+@@ -143,6 +143,16 @@ copy_initiator_creds(OM_uint32 *minor_status,
      }
  
      code = krb5_cc_copy_creds(context, kcred->ccache, ccache);
--- a/components/krb5/patches/016-solaris_paths.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/016-solaris_paths.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -9,9 +9,9 @@
 # so that may require modification of this patch in a future update.
 # Patch source: in-house
 #
-diff -pur old/src/include/osconf.hin new/src/include/osconf.hin
---- old/src/include/osconf.hin
-+++ new/src/include/osconf.hin
+diff --git a/src/include/osconf.hin b/src/include/osconf.hin
+--- a/src/include/osconf.hin
++++ b/src/include/osconf.hin
 @@ -40,6 +40,8 @@
  # include <TargetConditionals.h>
  #endif
@@ -59,7 +59,7 @@
  #define DEFAULT_KADM5_PORT      749 /* assigned by IANA */
  
  #define KRB5_DEFAULT_SUPPORTED_ENCTYPES                 \
-@@ -106,7 +108,7 @@
+@@ -105,7 +107,7 @@
  
  #define MAX_DGRAM_SIZE  65536
  
@@ -68,7 +68,7 @@
  
  #define KRB5_PATH_TTY   "/dev/tty"
  #define KRB5_PATH_LOGIN "@SBINDIR/login.krb5"
-@@ -123,7 +125,7 @@
+@@ -122,7 +124,7 @@
  #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
  #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
  #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
@@ -77,9 +77,9 @@
  
  /*
   * GSS mechglue
-diff -pur old/src/kadmin/cli/k5srvutil.sh new/src/kadmin/cli/k5srvutil.sh
---- old/src/kadmin/cli/k5srvutil.sh
-+++ new/src/kadmin/cli/k5srvutil.sh
+diff --git a/src/kadmin/cli/k5srvutil.sh b/src/kadmin/cli/k5srvutil.sh
+--- a/src/kadmin/cli/k5srvutil.sh
++++ b/src/kadmin/cli/k5srvutil.sh
 @@ -73,7 +73,7 @@ delete_keys() {
      }
  
@@ -89,9 +89,9 @@
  interactive=0
  keysalts=""
  
-diff -r -u krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h krb5-1.13.2.srv-passwd-file/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
---- krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
-+++ krb5-1.13.2.srv-passwd-file/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
 @@ -32,7 +32,7 @@
  #define MAX_LEN                 1024
  #define MAX_SERVICE_PASSWD_LEN  256
--- a/components/krb5/patches/018-krb5_keyblock-ABI.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/018-krb5_keyblock-ABI.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,10 @@
 # Patch source: in-house
 #
 
---- original/src/include/krb5/krb5.hin	2014-08-11 04:19:59.000000000 -0500
-+++ krb5-1.13.mockup/src/include/krb5/krb5.hin	2014-08-15 14:56:23.511193392 -0500
-@@ -347,6 +347,13 @@
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -353,6 +353,13 @@ typedef struct _krb5_keyblock {
      krb5_enctype enctype;
      unsigned int length;
      krb5_octet *contents;
--- a/components/krb5/patches/019-log-rotation.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/019-log-rotation.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -15,9 +15,10 @@
 # functionality in later MIT kerberos release, 1.14 or later.
 # Patch source: in-house
 #
---- ORIGINAL/src/lib/kadm5/logger.c	2014-08-11 02:19:59.000000000 -0700
-+++ krb5-1.13.mockup/src/lib/kadm5/logger.c	2014-09-11 17:13:22.608854008 -0700
-@@ -115,6 +115,13 @@
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -115,6 +115,13 @@ struct log_entry {
          struct log_file {
              FILE        *lf_filep;
              char        *lf_fname;
@@ -31,7 +32,7 @@
          } log_file;
          struct log_syslog {
              int         ls_facility;
-@@ -128,6 +135,11 @@
+@@ -128,6 +135,11 @@ struct log_entry {
  };
  #define lfu_filep       log_union.log_file.lf_filep
  #define lfu_fname       log_union.log_file.lf_fname
@@ -43,7 +44,7 @@
  #define lsu_facility    log_union.log_syslog.ls_facility
  #define lsu_severity    log_union.log_syslog.ls_severity
  #define ldu_filep       log_union.log_device.ld_filep
-@@ -161,6 +173,133 @@
+@@ -161,6 +173,132 @@ static struct log_entry def_log_entry;
                                   -1)
  #define DEVICE_CLOSE(d)         fclose(d)
  
@@ -66,7 +67,6 @@
 +    int num_vers;
 +    mode_t old_umask;
 +
-+
 +    /*
 +     * By default we don't rotate.
 +     */
@@ -138,7 +138,7 @@
 +         * Default log file creation mode should be read-only
 +         * by owner(root), but the admin can override with
 +         * chmod(1) if desired.
-+         */ 
++         */
 +
 +        old_umask = umask(077);
 +        fp = fopen(old_name, le->lfu_fopen_mode);
@@ -177,7 +177,7 @@
  
  /*
   * klog_com_err_proc()  - Handle com_err(3) messages as specified by the
-@@ -276,6 +415,8 @@
+@@ -276,6 +414,8 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
      for (lindex = 0; lindex < log_control.log_nentries; lindex++) {
          switch (log_control.log_entries[lindex].log_type) {
          case K_LOG_FILE:
@@ -186,7 +186,7 @@
          case K_LOG_STDERR:
              /*
               * Files/standard error.
-@@ -360,6 +501,7 @@
+@@ -360,6 +500,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
      int         error;
      int         do_openlog, log_facility;
      FILE        *f;
@@ -194,7 +194,7 @@
  
      /* Initialize */
      do_openlog = 0;
-@@ -423,12 +565,66 @@
+@@ -423,12 +564,66 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
                       * Check for append/overwrite, then open the file.
                       */
                      if (cp[4] == ':' || cp[4] == '=') {
@@ -237,7 +237,7 @@
 +
 +                                if (!profile_get_string(kcontext->profile,
 +                                                        "logging", rotate_kw,
-+                                                        "period", NULL, 
++                                                        "period", NULL,
 +                                                        &time)) {
 +
 +                                    if (time != NULL) {
@@ -263,7 +263,7 @@
                          } else {
                              fprintf(stderr,"Couldn't open log file %s: %s\n",
                                      &cp[5], error_message(errno));
-@@ -880,6 +1076,8 @@
+@@ -880,6 +1075,8 @@ klog_vsyslog(int priority, const char *format, va_list arglist)
      for (lindex = 0; lindex < log_control.log_nentries; lindex++) {
          switch (log_control.log_entries[lindex].log_type) {
          case K_LOG_FILE:
--- a/components/krb5/patches/020-libkrb5-makefile.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/020-libkrb5-makefile.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -18,8 +18,9 @@
 #    which has not been integrated into current Solaris code yet.
 # Patch source: in-house
 #
---- ORIGINAL/src/lib/krb5/Makefile.in	2015-01-26 14:13:03.864453694 -0800
-+++ krb5-1.13/src/lib/krb5/Makefile.in	2015-01-28 16:00:48.949645899 -0800
+diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
+--- a/src/lib/krb5/Makefile.in
++++ b/src/lib/krb5/Makefile.in
 @@ -1,6 +1,6 @@
  mydir=lib$(S)krb5
  BUILDTOP=$(REL)..$(S)..
@@ -28,7 +29,7 @@
  SUBDIRS= error_tables asn.1 ccache keytab krb os rcache unicode
  WINSUBDIRS= $(SUBDIRS) posix
  DEFINES=-DLOCALEDIR=\"$(KRB5_LOCALEDIR)\"
-@@ -15,7 +15,8 @@
+@@ -15,7 +15,8 @@ DEFINES=-DLOCALEDIR=\"$(KRB5_LOCALEDIR)\"
  
  TST=if test -n "`cat DONE`" ; then
  
@@ -38,7 +39,7 @@
  
  LIBBASE=krb5
  LIBMAJOR=3
-@@ -47,10 +48,16 @@
+@@ -47,10 +48,16 @@ SUBDIROBJLISTS= \
  	$(BUILDTOP)/util/profile/OBJS.ST
  
  OBJS=\
@@ -57,7 +58,7 @@
  
  RELDIR=krb5
  SHLIB_EXPDEPS = \
-@@ -58,7 +65,7 @@
+@@ -58,7 +65,7 @@ SHLIB_EXPDEPS = \
  	$(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
  SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)
  
@@ -66,9 +67,10 @@
  
  all-windows::
  
---- ORIGINAL/src/lib/krb5/keytab/Makefile.in	2014-12-01 16:58:27.760415842 -0800
-+++ krb5-1.13/src/lib/krb5/keytab/Makefile.in	2014-12-01 16:59:34.026881356 -0800
-@@ -15,7 +15,8 @@
+diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
+--- a/src/lib/krb5/keytab/Makefile.in
++++ b/src/lib/krb5/keytab/Makefile.in
+@@ -15,7 +15,8 @@ STLIBOBJS= \
  	kt_file.o	\
  	kt_memory.o	\
  	kt_srvtab.o	\
@@ -78,7 +80,7 @@
  
  OBJS=	\
  	$(OUTPRE)ktadd.$(OBJEXT)		\
-@@ -27,7 +28,8 @@
+@@ -27,7 +28,8 @@ OBJS=	\
  	$(OUTPRE)kt_file.$(OBJEXT)	\
  	$(OUTPRE)kt_memory.$(OBJEXT)	\
  	$(OUTPRE)kt_srvtab.$(OBJEXT)	\
@@ -88,7 +90,7 @@
  
  SRCS=	\
  	$(srcdir)/ktadd.c	\
-@@ -39,7 +41,8 @@
+@@ -39,7 +41,8 @@ SRCS=	\
  	$(srcdir)/kt_file.c	\
  	$(srcdir)/kt_memory.c	\
  	$(srcdir)/kt_srvtab.c	\
--- a/components/krb5/patches/021-dump-ok.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/021-dump-ok.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -11,9 +11,10 @@
 # customers.
 # Patch source: in-house
 #
---- old/src/kadmin/dbutil/kdb5_util.c	Wed Oct 15 17:55:10 2014
-+++ new/src/kadmin/dbutil/kdb5_util.c	Sat Jan 10 22:00:39 2015
-@@ -478,7 +478,14 @@
+diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
+--- a/src/kadmin/dbutil/kdb5_util.c
++++ b/src/kadmin/dbutil/kdb5_util.c
+@@ -480,7 +480,14 @@ static int open_db_and_mkey()
                                           0, &master_keyblock))) {
              com_err(progname, retval, _("while reading master key"));
              com_err(progname, 0, _("Warning: proceeding without master key"));
--- a/components/krb5/patches/022-case-ins-compare.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/022-case-ins-compare.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -12,9 +12,10 @@
 # 	http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
 # Patch source: in-house
 #
---- old/src/lib/krb5/keytab/kt_file.c	Wed Oct 15 17:55:10 2014
-+++ new/src/lib/krb5/keytab/kt_file.c	Tue Jan 13 23:56:40 2015
-@@ -310,7 +310,21 @@
+diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
+--- a/src/lib/krb5/keytab/kt_file.c
++++ b/src/lib/krb5/keytab/kt_file.c
+@@ -329,7 +329,21 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
          /* if the principal isn't the one requested, free new_entry
             and continue to the next. */
  
--- a/components/krb5/patches/023-mem-rcache.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/023-mem-rcache.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -28,10 +28,10 @@
 # integrate features that don't require replay caches in the the future.
 # Patch source: in-house
 #
-diff -pur old/src/lib/krb5/krb/srv_rcache.c new/src/lib/krb5/krb/srv_rcache.c
---- old/src/lib/krb5/krb/srv_rcache.c	2015-04-09 18:09:27.385483632 -0600
-+++ new/src/lib/krb5/krb/srv_rcache.c	2015-04-15 23:30:38.449049210 -0600
-@@ -39,6 +39,7 @@ krb5_get_server_rcache(krb5_context cont
+diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
+--- a/src/lib/krb5/krb/srv_rcache.c
++++ b/src/lib/krb5/krb/srv_rcache.c
+@@ -39,6 +39,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
      krb5_error_code retval;
      unsigned int i;
      struct k5buf buf = EMPTY_K5BUF;
@@ -39,7 +39,7 @@
  #ifdef HAVE_GETEUID
      unsigned long uid = geteuid();
  #endif
-@@ -49,19 +50,30 @@ krb5_get_server_rcache(krb5_context cont
+@@ -49,19 +50,30 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
      cachetype = krb5_rc_default_type(context);
  
      k5_buf_init_dynamic(&buf);
@@ -79,9 +79,9 @@
  
      if (k5_buf_status(&buf) != 0)
          return ENOMEM;
-diff -pur old/src/lib/krb5/rcache/Makefile.in new/src/lib/krb5/rcache/Makefile.in
---- old/src/lib/krb5/rcache/Makefile.in	2015-04-09 18:09:27.382173687 -0600
-+++ new/src/lib/krb5/rcache/Makefile.in	2015-04-09 18:04:39.621940187 -0600
+diff --git a/src/lib/krb5/rcache/Makefile.in b/src/lib/krb5/rcache/Makefile.in
+--- a/src/lib/krb5/rcache/Makefile.in
++++ b/src/lib/krb5/rcache/Makefile.in
 @@ -13,7 +13,8 @@ STLIBOBJS = \
  	rc_none.o	\
  	rc_conv.o	\
@@ -112,9 +112,19 @@
  
  ##DOS##LIBOBJS = $(OBJS)
  
-diff -pur old/src/lib/krb5/rcache/rc_base.c new/src/lib/krb5/rcache/rc_base.c
---- old/src/lib/krb5/rcache/rc_base.c	2015-04-09 18:09:27.381750522 -0600
-+++ new/src/lib/krb5/rcache/rc_base.c	2015-04-16 16:29:05.785483477 -0600
+diff --git a/src/lib/krb5/rcache/rc-int.h b/src/lib/krb5/rcache/rc-int.h
+--- a/src/lib/krb5/rcache/rc-int.h
++++ b/src/lib/krb5/rcache/rc-int.h
+@@ -87,5 +87,6 @@ krb5_error_code krb5_rc_register_type(krb5_context, const krb5_rc_ops *);
+ 
+ extern const krb5_rc_ops krb5_rc_dfl_ops;
+ extern const krb5_rc_ops krb5_rc_none_ops;
++extern const krb5_rc_ops krb5_rc_mem_ops;
+ 
+ #endif /* __KRB5_RCACHE_INT_H__ */
+diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c
+--- a/src/lib/krb5/rcache/rc_base.c
++++ b/src/lib/krb5/rcache/rc_base.c
 @@ -13,19 +13,35 @@
  #include "rc_base.h"
  #include "rc-int.h"
@@ -181,7 +191,7 @@
      k5_mutex_destroy(&rc_typelist_lock);
      for (t = typehead; t != &krb5_rc_typelist_dfl; t = t_next) {
          t_next = t->next;
-@@ -106,21 +144,38 @@ char * krb5_rc_get_type(krb5_context con
+@@ -106,21 +144,38 @@ char * krb5_rc_get_type(krb5_context context, krb5_rcache id)
  char *
  krb5_rc_default_type(krb5_context context)
  {
@@ -226,10 +236,10 @@
  }
  
  krb5_error_code
-diff -pur old/src/lib/krb5/rcache/rc_dfl.c new/src/lib/krb5/rcache/rc_dfl.c
---- old/src/lib/krb5/rcache/rc_dfl.c	2015-04-09 18:09:27.382459743 -0600
-+++ new/src/lib/krb5/rcache/rc_dfl.c	2015-04-09 21:01:56.063638506 -0600
-@@ -249,6 +249,9 @@ krb5_rc_dfl_close_no_free(krb5_context c
+diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
+--- a/src/lib/krb5/rcache/rc_dfl.c
++++ b/src/lib/krb5/rcache/rc_dfl.c
+@@ -249,6 +249,9 @@ krb5_rc_dfl_close_no_free(krb5_context context, krb5_rcache id)
      struct dfl_data *t = (struct dfl_data *)id->data;
      struct authlist *q;
  
@@ -239,7 +249,7 @@
      free(t->h);
      if (t->name)
          free(t->name);
-@@ -265,6 +268,7 @@ krb5_rc_dfl_close_no_free(krb5_context c
+@@ -265,6 +268,7 @@ krb5_rc_dfl_close_no_free(krb5_context context, krb5_rcache id)
      (void) krb5_rc_io_close(context, &t->d);
  #endif
      free(t);
@@ -255,9 +265,9 @@
      }
      return retval;
  }
-diff -pur old/src/lib/krb5/rcache/rc_io.c new/src/lib/krb5/rcache/rc_io.c
---- old/src/lib/krb5/rcache/rc_io.c	2015-04-09 18:09:27.382337387 -0600
-+++ new/src/lib/krb5/rcache/rc_io.c	2015-04-15 02:51:37.858253777 -0600
+diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
+--- a/src/lib/krb5/rcache/rc_io.c
++++ b/src/lib/krb5/rcache/rc_io.c
 @@ -56,7 +56,10 @@ getdir(void)
  #else
          if (!(dir = getenv("TMPDIR"))) {
@@ -270,7 +280,7 @@
  #else
              dir = "/tmp";
  #endif
-@@ -164,6 +167,8 @@ krb5_rc_io_creat(krb5_context context, k
+@@ -164,6 +167,8 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d, char **fn)
  
      GETDIR;
      if (fn && *fn) {
@@ -279,7 +289,7 @@
          if (asprintf(&d->fn, "%s%s%s", dir, PATH_SEPARATOR, *fn) < 0)
              return KRB5_RC_IO_MALLOC;
          d->fd = -1;
-@@ -227,6 +232,8 @@ krb5_rc_io_open_internal(krb5_context co
+@@ -227,6 +232,8 @@ krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn,
      char *dir;
  
      dir = getdir();
@@ -288,13 +298,3 @@
      if (full_pathname) {
          if (!(d->fn = strdup(full_pathname)))
              return KRB5_RC_IO_MALLOC;
-diff -pur old/src/lib/krb5/rcache/rc-int.h new/src/lib/krb5/rcache/rc-int.h
---- old/src/lib/krb5/rcache/rc-int.h	2015-04-09 18:09:27.381858138 -0600
-+++ new/src/lib/krb5/rcache/rc-int.h	2015-04-09 18:04:39.622200717 -0600
-@@ -87,5 +87,6 @@ krb5_error_code krb5_rc_register_type(kr
- 
- extern const krb5_rc_ops krb5_rc_dfl_ops;
- extern const krb5_rc_ops krb5_rc_none_ops;
-+extern const krb5_rc_ops krb5_rc_mem_ops;
- 
- #endif /* __KRB5_RCACHE_INT_H__ */
--- a/components/krb5/patches/024-smb-compat.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/024-smb-compat.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -14,10 +14,10 @@
 # environment variable.
 # Patch source: in-house
 #
-diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/krb5/accept_sec_context.c krb5-1.13.3/src/lib/gssapi/krb5/accept_sec_context.c
---- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/krb5/accept_sec_context.c
-+++ krb5-1.13.3/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -460,8 +460,6 @@
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -454,8 +454,6 @@ kg_accept_krb5(minor_status, context_handle,
      const gss_OID_desc *mech_used = NULL;
      OM_uint32 major_status = GSS_S_FAILURE;
      OM_uint32 tmp_minor_status;
@@ -26,16 +26,16 @@
      gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
      krb5_gss_cred_id_t deleg_cred = NULL;
      krb5int_access kaccess;
-@@ -1219,6 +1217,8 @@
+@@ -1211,6 +1209,8 @@ fail:
           major_status == GSS_S_CONTINUE_NEEDED)) {
          unsigned int tmsglen;
          int toktype;
++        krb5_error krb_error_data;
 +        krb5_data scratch;
-+        krb5_error krb_error_data;
  
          /*
           * The client is expecting a response, so we can send an
-@@ -1226,6 +1226,31 @@
+@@ -1218,6 +1218,31 @@ fail:
           */
          memset(&krb_error_data, 0, sizeof(krb_error_data));
  
@@ -67,15 +67,13 @@
          code -= ERROR_TABLE_BASE_krb5;
          if (code < 0 || code > KRB_ERR_MAX)
              code = 60 /* KRB_ERR_GENERIC */;
-
-diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c
---- new/src/lib/gssapi/spnego/spnego_mech.c	2016-02-29 11:50:13.000000000 -0800
-+++ patched/src/lib/gssapi/spnego/spnego_mech.c	2016-03-18 21:55:31.131280297 -0700
-@@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid
- };
- const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -180,6 +180,13 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
+ static int
+ is_kerb_mech(gss_OID oid);
  
- static int make_NegHints(OM_uint32 *, gss_buffer_t *);
 +/* encoded OID octet string for NTLMSSP security mechanism */
 +#define GSS_MECH_NTLMSSP_OID_LENGTH 10
 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012"
@@ -83,21 +81,23 @@
 +	GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID
 +};
 +
- static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int);
- static OM_uint32
- acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t,
-@@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status,
+ /* SPNEGO oid structure */
+ static const gss_OID_desc spnego_oids[] = {
+ 	{SPNEGO_OID_LENGTH, SPNEGO_OID},
+@@ -1325,6 +1332,7 @@ acc_ctx_new(OM_uint32 *minor_status,
  	gss_buffer_desc der_mechTypes;
  	gss_OID mech_wanted;
  	spnego_gss_ctx_id_t sc = NULL;
-+	unsigned int i;
++        unsigned int i;
  
  	ret = GSS_S_DEFECTIVE_TOKEN;
  	der_mechTypes.length = 0;
-@@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status,
+@@ -1347,6 +1355,26 @@ acc_ctx_new(OM_uint32 *minor_status,
+ 		*return_token = NO_TOKEN_SEND;
  		goto cleanup;
  	}
- 	/*
++
++ 	/*
 +	 * We add KRB5_WRONG here so that old MS clients can negotiate this
 +	 * mechanism, which allows extensions in Kerberos (clock skew
 +	 * adjustment, refresh ccache).
@@ -115,19 +115,19 @@
 +			break;
 +		}
 +        }
-+	/*
++
+ 	/*
  	 * Select the best match between the list of mechs
  	 * that the initiator requested and the list that
- 	 * the acceptor will support.
-@@ -3072,6 +3163,7 @@ static OM_uint32
+@@ -3087,6 +3115,7 @@ get_available_mechs(OM_uint32 *minor_status,
  	gss_OID_set mechs, goodmechs;
-	gss_OID_set_desc except_attrs;
-	gss_OID_desc attr_oids[2];
-+	char *msinterop = getenv("MS_INTEROP");
+ 	gss_OID_set_desc except_attrs;
+ 	gss_OID_desc attr_oids[2];
++        char *msinterop = getenv("MS_INTEROP");
  
-	attr_oids[0] = *GSS_C_MA_DEPRECATED;
-	attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH;
-@@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta
+ 	attr_oids[0] = *GSS_C_MA_DEPRECATED;
+ 	attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH;
+@@ -3108,6 +3137,15 @@ get_available_mechs(OM_uint32 *minor_status,
  		return (major_status);
  	}
  
@@ -143,7 +143,7 @@
  	for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
  		if ((mechs->elements[i].length
  		    != spnego_mechanism.mech_type.length) ||
-@@ -3123,6 +3201,25 @@ get_available_mechs(OM_uint32 *minor_sta
+@@ -3123,6 +3161,25 @@ get_available_mechs(OM_uint32 *minor_status,
  		}
  	}
  
@@ -169,7 +169,7 @@
  	/*
  	 * If the caller wanted a list of creds returned,
  	 * trim the list of mechanisms down to only those
-@@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs
+@@ -3698,9 +3755,17 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received,
  	for (i = 0; i < received->count; i++) {
  		gss_OID mech_oid = &received->elements[i];
  
--- a/components/krb5/patches/025-ktwarnd.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/025-ktwarnd.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,9 @@
 # Patch source: in-house
 #
 
-diff -Napur ORIGINAL/src/clients/kdestroy/Makefile.in krb5-1.13.1/src/clients/kdestroy/Makefile.in
---- ORIGINAL/src/clients/kdestroy/Makefile.in	2015-02-11 19:16:43.000000000 -0800
-+++ krb5-1.13.1/src/clients/kdestroy/Makefile.in	2015-04-22 09:11:09.523911895 -0700
+diff --git a/src/clients/kdestroy/Makefile.in b/src/clients/kdestroy/Makefile.in
+--- a/src/clients/kdestroy/Makefile.in
++++ b/src/clients/kdestroy/Makefile.in
 @@ -19,7 +19,7 @@ all-unix:: kdestroy
  ##WIN32##all-windows:: $(KDESTROY)
  
@@ -19,9 +19,9 @@
  
  ##WIN32##$(KDESTROY): $(OUTPRE)kdestroy.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES)
  ##WIN32##	link $(EXE_LINKOPTS) -out:$@ $**
-diff -Napur ORIGINAL/src/clients/kdestroy/kdestroy.c krb5-1.13.1/src/clients/kdestroy/kdestroy.c
---- ORIGINAL/src/clients/kdestroy/kdestroy.c	2015-02-11 19:16:43.000000000 -0800
-+++ krb5-1.13.1/src/clients/kdestroy/kdestroy.c	2015-04-22 14:52:01.310510058 -0700
+diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c
+--- a/src/clients/kdestroy/kdestroy.c
++++ b/src/clients/kdestroy/kdestroy.c
 @@ -24,6 +24,12 @@
   * or implied warranty.
   */
@@ -39,7 +39,7 @@
  extern int optind;
  extern char *optarg;
  
-+/* 
++/*
 + * We add _rpcsys extern declariation because that ON build suppresses warning
 + * of implicit declarition, while MIT kerberos build treats the warning
 + * as an error.
@@ -49,7 +49,7 @@
  #ifndef _WIN32
  #define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
  #else
-@@ -82,6 +95,13 @@
+@@ -82,6 +95,13 @@ main(argc, argv)
      int quiet = 0;
      int all = 0;
  
@@ -63,7 +63,7 @@
      setlocale(LC_ALL, "");
      progname = GET_PROGNAME(argv[0]);
  
-@@ -165,6 +185,49 @@
+@@ -165,6 +185,49 @@ main(argc, argv)
          }
      }
  
@@ -113,7 +113,7 @@
      code = krb5_cc_destroy (kcontext, cache);
      if (code != 0) {
          com_err (progname, code, _("while destroying cache"));
-@@ -178,5 +241,17 @@
+@@ -178,5 +241,17 @@ main(argc, argv)
              errflg = 1;
          }
      }
@@ -131,9 +131,9 @@
 +
      return errflg;
  }
-diff -Napur ORIGINAL/src/clients/kinit/Makefile.in krb5-1.13.1/src/clients/kinit/Makefile.in
---- ORIGINAL/src/clients/kinit/Makefile.in	2015-02-11 19:16:43.000000000 -0800
-+++ krb5-1.13.1/src/clients/kinit/Makefile.in	2015-04-22 09:11:09.525770418 -0700
+diff --git a/src/clients/kinit/Makefile.in b/src/clients/kinit/Makefile.in
+--- a/src/clients/kinit/Makefile.in
++++ b/src/clients/kinit/Makefile.in
 @@ -20,7 +20,7 @@ all-unix:: kinit
  ##WIN32##all-windows:: $(KINIT)
  
@@ -143,9 +143,9 @@
  
  ##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES)
  ##WIN32##	link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib
-diff -Napur ORIGINAL/src/clients/kinit/kinit.c krb5-1.13.1/src/clients/kinit/kinit.c
---- ORIGINAL/src/clients/kinit/kinit.c	2015-02-11 19:16:43.000000000 -0800
-+++ krb5-1.13.1/src/clients/kinit/kinit.c	2015-04-22 14:17:16.415936121 -0700
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
 @@ -35,6 +35,7 @@
  #include <time.h>
  #include <errno.h>
@@ -173,7 +173,7 @@
 +    if (opts->action == RENEW) {
 +        _kwarnd_del_warning(progname, opts->principal_name);
 +        _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime);
-+    } else if ((opts->action == INIT_KT) || (opts->action == INIT_PW)) { 
++    } else if ((opts->action == INIT_KT) || (opts->action == INIT_PW)) {
 +        _kwarnd_add_warning(progname, opts->principal_name, my_creds.times.endtime);
 +    }
 +
@@ -187,29 +187,29 @@
 +
 +/* Solaris Kerberos start */
 +
-+static void 
-+_kwarnd_add_warning(char *progname, char *me, time_t endtime) 
-+{ 
-+    if (kwarn_add_warning(me, endtime) != 0) 
++static void
++_kwarnd_add_warning(char *progname, char *me, time_t endtime)
++{
++    if (kwarn_add_warning(me, endtime) != 0)
 +        fprintf(stderr, gettext(
-+            "%s:  no ktkt_warnd warning possible\n"), progname); 
-+    return; 
++            "%s:  no ktkt_warnd warning possible\n"), progname);
++    return;
 +}
 +
-+static void 
-+_kwarnd_del_warning(char *progname, char *me) 
++static void
++_kwarnd_del_warning(char *progname, char *me)
 +{
 +    if (kwarn_del_warning(me) != 0)
-+        fprintf(stderr, gettext( 
-+            "%s:  unable to delete ktkt_warnd message for %s\n"), 
-+            progname, me); 
-+    return; 
++        fprintf(stderr, gettext(
++            "%s:  unable to delete ktkt_warnd message for %s\n"),
++            progname, me);
++    return;
 +}
 +/* Solaris Kerberos end */
-diff -Napur ORIGINAL/src/lib/gssapi/Makefile.in krb5-1.13.1/src/lib/gssapi/Makefile.in
---- ORIGINAL/src/lib/gssapi/Makefile.in	2015-02-11 19:16:43.000000000 -0800
-+++ krb5-1.13.1/src/lib/gssapi/Makefile.in	2015-04-22 09:11:09.527753282 -0700
-@@ -27,7 +27,7 @@ STOBJLISTS=OBJS.ST generic/OBJS.ST mechg
+diff --git a/src/lib/gssapi/Makefile.in b/src/lib/gssapi/Makefile.in
+--- a/src/lib/gssapi/Makefile.in
++++ b/src/lib/gssapi/Makefile.in
+@@ -27,7 +27,7 @@ STOBJLISTS=OBJS.ST generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST
  SUBDIROBJLISTS=generic/OBJS.ST mechglue/OBJS.ST krb5/OBJS.ST spnego/OBJS.ST
  SHLIB_EXPDEPS=\
  	$(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) $(COM_ERR_DEPLIB)
@@ -218,20 +218,19 @@
  RELDIR=gssapi
  
  all-unix:: all-liblinks @MAINT@ verify-calling-conventions-gssapi
-diff -Napur ORIGINAL/src/lib/gssapi/krb5/store_cred.c krb5-1.13.1/src/lib/gssapi/krb5/store_cred.c
---- ORIGINAL/src/lib/gssapi/krb5/store_cred.c	2015-04-22 08:37:33.146728757 -0700
-+++ krb5-1.13.1/src/lib/gssapi/krb5/store_cred.c	2015-04-22 14:19:34.769508399 -0700
-@@ -26,6 +26,9 @@
+diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
+--- a/src/lib/gssapi/krb5/store_cred.c
++++ b/src/lib/gssapi/krb5/store_cred.c
+@@ -26,6 +26,8 @@
  
  #include "k5-int.h"
  #include "gssapiP_krb5.h"
 +#include <syslog.h>
 +#include <kerberosv5/private/ktwarn.h>
-+
  
  static int
  has_unexpired_creds(krb5_gss_cred_id_t kcred,
-@@ -71,6 +74,7 @@ copy_initiator_creds(OM_uint32 *minor_st
+@@ -71,6 +73,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
      krb5_context context = NULL;
      krb5_ccache ccache = NULL;
      const char *ccache_name;
@@ -239,7 +238,7 @@
  
      *minor_status = 0;
  
-@@ -162,6 +166,17 @@ copy_initiator_creds(OM_uint32 *minor_st
+@@ -162,6 +165,17 @@ copy_initiator_creds(OM_uint32 *minor_status,
      *minor_status = 0;
      major_status = GSS_S_COMPLETE;
  
--- a/components/krb5/patches/026-inappropriate_assert.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/026-inappropriate_assert.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -9,10 +9,10 @@
 # upstream contribution.
 # Patch source: in-house
 #
-diff -pur old/src/lib/gssapi/krb5/import_name.c new/src/lib/gssapi/krb5/import_name.c
---- old/src/lib/gssapi/krb5/import_name.c	2014-10-15 16:55:10.000000000 -0700
-+++ new/src/lib/gssapi/krb5/import_name.c	2014-12-16 04:49:23.593542458 -0800
-@@ -288,7 +288,6 @@ krb5_gss_import_name(minor_status, input
+diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
+--- a/src/lib/gssapi/krb5/import_name.c
++++ b/src/lib/gssapi/krb5/import_name.c
+@@ -288,7 +288,6 @@ krb5_gss_import_name(minor_status, input_name_buffer,
                      goto fail_name;
                  cp += length;
              }
--- a/components/krb5/patches/027-add_admin_sname_princ.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/027-add_admin_sname_princ.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,9 +6,9 @@
 # https://github.com/krb5/krb5/pull/333
 # Patch source: in-house
 #
-diff -pur old/src/kadmin/dbutil/kadm5_create.c new/src/kadmin/dbutil/kadm5_create.c
---- old/src/kadmin/dbutil/kadm5_create.c
-+++ new/src/kadmin/dbutil/kadm5_create.c
+diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
+--- a/src/kadmin/dbutil/kadm5_create.c
++++ b/src/kadmin/dbutil/kadm5_create.c
 @@ -44,8 +44,14 @@
  #include <kdb.h>
  #include "kdb5_util.h"
@@ -26,7 +26,7 @@
  static int add_admin_princs(void *handle, krb5_context context, char *realm);
  
  #define ERR 1
-@@ -145,64 +151,11 @@ int kadm5_create_magic_princs(kadm5_conf
+@@ -145,64 +151,11 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
  static int add_admin_princs(void *handle, krb5_context context, char *realm)
  {
      krb5_error_code ret = 0;
@@ -95,7 +95,7 @@
          goto clean_and_exit;
  
      if ((ret = add_admin_princ(handle, context,
-@@ -218,17 +171,60 @@ static int add_admin_princs(void *handle
+@@ -218,17 +171,60 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
                                 CHANGEPW_LIFETIME)))
          goto clean_and_exit;
  
@@ -174,7 +174,7 @@
  {
      char *fullname;
      krb5_error_code ret;
-@@ -266,15 +262,7 @@ int add_admin_princ(void *handle, krb5_c
+@@ -266,15 +262,7 @@ int add_admin_princ(void *handle, krb5_context context,
  
      memset(&ent, 0, sizeof(ent));
  
@@ -191,7 +191,7 @@
      ent.max_life = lifetime;
      ent.attributes = attrs;
  
-@@ -283,6 +271,7 @@ int add_admin_princ(void *handle, krb5_c
+@@ -283,6 +271,7 @@ int add_admin_princ(void *handle, krb5_context context,
          flags |= KADM5_MAX_LIFE;
      ret = kadm5_create_principal(handle, &ent, flags, NULL);
      if (ret && ret != KADM5_DUP) {
@@ -199,7 +199,7 @@
          com_err(progname, ret, _("while creating principal %s"), fullname);
          krb5_free_principal(context, ent.principal);
          free(fullname);
-@@ -290,7 +279,6 @@ int add_admin_princ(void *handle, krb5_c
+@@ -290,7 +279,6 @@ int add_admin_princ(void *handle, krb5_context context,
      }
  
      krb5_free_principal(context, ent.principal);
@@ -207,9 +207,9 @@
  
      return OK;
  }
-diff -pur old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h
---- old/src/lib/kadm5/admin.h
-+++ new/src/lib/kadm5/admin.h
+diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
+--- a/src/lib/kadm5/admin.h
++++ b/src/lib/kadm5/admin.h
 @@ -64,7 +64,9 @@ KADM5INT_BEGIN_DECLS
  #define KADM5_ADMIN_SERVICE     "kadmin/admin"
  #define KADM5_CHANGEPW_SERVICE  "kadmin/changepw"
--- a/components/krb5/patches/028-rpc-gss.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/028-rpc-gss.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -27,9 +27,9 @@
 # In the future MIT might provide support for system native RPC implementation.
 # Patch source: in-house
 #
-diff -pur old/src/build-tools/krb5-config.in new/src/build-tools/krb5-config.in
---- old/src/build-tools/krb5-config.in
-+++ new/src/build-tools/krb5-config.in
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
 @@ -97,9 +97,6 @@ while test $# != 0; do
  	gssapi)
  	    library=gssapi
@@ -66,10 +66,10 @@
      fi
  
      if test $library = 'gssapi'; then
-diff -pur old/src/config/pre.in new/src/config/pre.in
---- old/src/config/pre.in
-+++ new/src/config/pre.in
-@@ -317,7 +317,7 @@ KDB5_PLUGIN_LIBS = @KDB5_PLUGIN_LIBS@
+diff --git a/src/config/pre.in b/src/config/pre.in
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -318,7 +318,7 @@ KDB5_PLUGIN_LIBS = @KDB5_PLUGIN_LIBS@
  KADMCLNT_DEPLIB	= $(TOPLIBD)/libkadm5clnt_mit$(DEPLIBEXT)
  KADMSRV_DEPLIB	= $(TOPLIBD)/libkadm5srv_mit$(DEPLIBEXT)
  KDB5_DEPLIB	= $(TOPLIBD)/libkdb5$(DEPLIBEXT)
@@ -78,7 +78,7 @@
  GSS_DEPLIB	= $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT)
  KRB5_DEPLIB	= $(TOPLIBD)/libkrb5$(DEPLIBEXT)
  CRYPTO_DEPLIB	= $(TOPLIBD)/libk5crypto$(DEPLIBEXT)
-@@ -398,7 +398,7 @@ KRB5_BASE_LIBS	= $(KRB5_LIB) $(K5CRYPTO_
+@@ -399,7 +399,7 @@ KRB5_BASE_LIBS	= $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN
  KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)
  GSS_LIBS	= $(GSS_KRB5_LIB)
  # needs fixing if ever used on Mac OS X!
@@ -87,9 +87,9 @@
  KADM_COMM_LIBS	= $(GSSRPC_LIBS)
  # need fixing if ever used on Mac OS X!
  KADMSRV_LIBS	= -lkadm5srv_mit $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
-diff -pur old/src/include/iprop.h new/src/include/iprop.h
---- old/src/include/iprop.h
-+++ new/src/include/iprop.h
+diff --git a/src/include/iprop.h b/src/include/iprop.h
+--- a/src/include/iprop.h
++++ b/src/include/iprop.h
 @@ -6,8 +6,7 @@
  #ifndef _IPROP_H_RPCGEN
  #define _IPROP_H_RPCGEN
@@ -100,10 +100,10 @@
  
  #ifdef __cplusplus
  extern "C" {
-diff -pur old/src/include/k5-int.h new/src/include/k5-int.h
---- old/src/include/k5-int.h
-+++ new/src/include/k5-int.h
-@@ -217,11 +217,14 @@ typedef unsigned char   u_char;
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -218,11 +218,14 @@ typedef unsigned char   u_char;
  #define KRB5_CONF_HTTP_ANCHORS                 "http_anchors"
  #define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME     "ignore_acceptor_hostname"
  #define KRB5_CONF_IPROP_ENABLE                 "iprop_enable"
@@ -118,10 +118,10 @@
  #define KRB5_CONF_K5LOGIN_AUTHORITATIVE        "k5login_authoritative"
  #define KRB5_CONF_K5LOGIN_DIRECTORY            "k5login_directory"
  #define KRB5_CONF_KADMIND_PORT                 "kadmind_port"
-diff -pur old/src/kadmin/dbutil/kadm5_create.c new/src/kadmin/dbutil/kadm5_create.c
---- old/src/kadmin/dbutil/kadm5_create.c
-+++ new/src/kadmin/dbutil/kadm5_create.c
-@@ -158,11 +158,20 @@ static int add_admin_princs(void *handle
+diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
+--- a/src/kadmin/dbutil/kadm5_create.c
++++ b/src/kadmin/dbutil/kadm5_create.c
+@@ -158,11 +158,20 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
                                       ADMIN_LIFETIME)))
          goto clean_and_exit;
  
@@ -142,10 +142,10 @@
  
      if ((ret = add_admin_princ(handle, context,
                                 KADM5_CHANGEPW_SERVICE, realm,
-diff -pur old/src/kadmin/server/ipropd_svc.c new/src/kadmin/server/ipropd_svc.c
---- old/src/kadmin/server/ipropd_svc.c
-+++ new/src/kadmin/server/ipropd_svc.c
-@@ -134,6 +134,8 @@ iprop_get_updates_1_svc(kdb_last_t *arg,
+diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c
+--- a/src/kadmin/server/ipropd_svc.c
++++ b/src/kadmin/server/ipropd_svc.c
+@@ -137,6 +137,8 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
      kadm5_server_handle_t handle = global_server_handle;
      char *client_name = 0, *service_name = 0;
      char obuf[256] = {0};
@@ -154,7 +154,7 @@
  
      /* default return code */
      ret.ret = UPDATE_ERROR;
-@@ -172,8 +174,14 @@ iprop_get_updates_1_svc(kdb_last_t *arg,
+@@ -173,8 +175,14 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp)
      DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name,
  	   service_name);
  
@@ -170,7 +170,7 @@
  			    ACL_IPROP,
  			    NULL,
  			    NULL)) {
-@@ -221,6 +229,8 @@ out:
+@@ -222,6 +230,8 @@ out:
  	debprret(whoami, ret.ret, ret.lastentry.last_sno);
      free(client_name);
      free(service_name);
@@ -179,7 +179,7 @@
      return (&ret);
  }
  
-@@ -251,6 +261,18 @@ ipropx_resync(uint32_t vers, struct svc_
+@@ -252,6 +262,18 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp)
      int pret, fret;
      FILE *p;
      kadm5_server_handle_t handle = global_server_handle;
@@ -198,7 +198,7 @@
      OM_uint32 min_stat;
      gss_name_t name = NULL;
      char *client_name = NULL, *service_name = NULL;
-@@ -301,8 +323,14 @@ ipropx_resync(uint32_t vers, struct svc_
+@@ -300,8 +322,14 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp)
      DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n",
  	    whoami, client_name, service_name);
  
@@ -214,7 +214,7 @@
  			    ACL_IPROP,
  			    NULL,
  			    NULL)) {
-@@ -449,6 +477,7 @@ iprop_full_resync_ext_1_svc(uint32_t *ar
+@@ -448,6 +476,7 @@ iprop_full_resync_ext_1_svc(uint32_t *argp, struct svc_req *rqstp)
      return ipropx_resync(*argp, rqstp);
  }
  
@@ -222,7 +222,7 @@
  static int
  check_iprop_rpcsec_auth(struct svc_req *rqstp)
  {
-@@ -521,6 +550,7 @@ fail_name:
+@@ -520,6 +549,7 @@ fail_name:
       gss_release_name(&min_stat, &name);
       return success;
  }
@@ -230,7 +230,7 @@
  
  void
  krb5_iprop_prog_1(struct svc_req *rqstp,
-@@ -534,6 +564,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
+@@ -533,6 +563,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
      char *(*local)(/* union XXX *, struct svc_req * */);
      char *whoami = "krb5_iprop_prog_1";
  
@@ -238,7 +238,7 @@
      if (!check_iprop_rpcsec_auth(rqstp)) {
  	krb5_klog_syslog(LOG_ERR, _("authentication attempt failed: %s, RPC "
  				    "authentication flavor %d"),
-@@ -542,6 +573,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
+@@ -541,6 +572,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp,
  	svcerr_weakauth(transp);
  	return;
      }
@@ -246,9 +246,9 @@
  
      switch (rqstp->rq_proc) {
      case NULLPROC:
-diff -pur old/src/kadmin/server/kadm_rpc_svc.c new/src/kadmin/server/kadm_rpc_svc.c
---- old/src/kadmin/server/kadm_rpc_svc.c
-+++ new/src/kadmin/server/kadm_rpc_svc.c
+diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
+--- a/src/kadmin/server/kadm_rpc_svc.c
++++ b/src/kadmin/server/kadm_rpc_svc.c
 @@ -5,7 +5,7 @@
   */
  
@@ -277,14 +277,14 @@
  static int
  check_rpcsec_auth(struct svc_req *rqstp)
  {
-@@ -337,3 +338,4 @@ gss_to_krb5_name_1(struct svc_req *rqstp
+@@ -337,3 +338,4 @@ gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name,
       free(str);
       return success;
  }
 +#endif
-diff -pur old/src/kadmin/server/ovsec_kadmd.c new/src/kadmin/server/ovsec_kadmd.c
---- old/src/kadmin/server/ovsec_kadmd.c
-+++ new/src/kadmin/server/ovsec_kadmd.c
+diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
+--- a/src/kadmin/server/ovsec_kadmd.c
++++ b/src/kadmin/server/ovsec_kadmd.c
 @@ -45,10 +45,9 @@
  #include <unistd.h>
  #include <netinet/in.h>
@@ -345,11 +345,7 @@
 +        fail_to_start(ENOMEM, _("copying GSSAPI auth names"));
 +    free_srv_names(tmp_srv_names);
 +    tmp_srv_names = NULL;
- 
--    names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
--    names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
--    if (names[0].name == NULL || names[1].name == NULL)
--        fail_to_start(0, _("Cannot build GSSAPI auth names"));
++
 +    ret = kadm5_get_cpw_host_srv_names(context, params.realm, &tmp_srv_names);
 +    if (ret)
 +        fail_to_start(ret, _("building GSSAPI auth names"));
@@ -358,7 +354,11 @@
 +        fail_to_start(ENOMEM, _("copying GSSAPI auth names"));
 +    free_srv_names(tmp_srv_names);
 +    tmp_srv_names = NULL;
-+
+ 
+-    names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
+-    names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
+-    if (names[0].name == NULL || names[1].name == NULL)
+-        fail_to_start(0, _("Cannot build GSSAPI auth names"));
 +    if (params.iprop_enabled == TRUE) {
 +        ret = kadm5_get_kiprop_host_srv_names(context, params.realm,
 +                                              &tmp_srv_names);
@@ -455,10 +455,10 @@
  
      krb5_klog_close(context);
      krb5_free_context(context);
-diff -pur old/src/kadmin/server/server_stubs.c new/src/kadmin/server/server_stubs.c
---- old/src/kadmin/server/server_stubs.c
-+++ new/src/kadmin/server/server_stubs.c
-@@ -21,10 +21,10 @@ extern gss_name_t
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+--- a/src/kadmin/server/server_stubs.c
++++ b/src/kadmin/server/server_stubs.c
+@@ -21,10 +21,10 @@ extern gss_name_t                       gss_changepw_name;
  extern gss_name_t                       gss_oldchangepw_name;
  extern void *                           global_server_handle;
  
@@ -473,7 +473,7 @@
                            gss_oldchangepw_name)))
  
  
-@@ -33,7 +33,7 @@ static int gss_to_krb5_name(kadm5_server
+@@ -33,7 +33,7 @@ static int gss_to_krb5_name(kadm5_server_handle_t handle,
  
  static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
  
@@ -482,7 +482,7 @@
  
  gss_name_t rqst2name(struct svc_req *rqstp);
  
-@@ -107,6 +107,8 @@ static kadm5_ret_t new_server_handle(krb
+@@ -107,6 +107,8 @@ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
                                       *out_handle)
  {
      kadm5_server_handle_t handle;
@@ -491,7 +491,7 @@
  
      *out_handle = NULL;
  
-@@ -117,13 +119,18 @@ static kadm5_ret_t new_server_handle(krb
+@@ -117,13 +119,18 @@ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
      *handle = *(kadm5_server_handle_t)global_server_handle;
      handle->api_version = api_version;
  
@@ -512,7 +512,7 @@
      return 0;
  }
  
-@@ -182,38 +189,54 @@ int setup_gss_names(struct svc_req *rqst
+@@ -182,38 +189,54 @@ int setup_gss_names(struct svc_req *rqstp,
                      gss_buffer_desc *client_name,
                      gss_buffer_desc *server_name)
  {
@@ -586,7 +586,7 @@
  }
  
  static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
-@@ -339,8 +362,9 @@ create_principal_2_svc(cprinc_arg *arg,
+@@ -340,8 +363,9 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
      kadm5_server_handle_t       handle;
      restriction_t               *rp;
      const char                  *errmsg = NULL;
@@ -597,7 +597,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -359,8 +383,12 @@ create_principal_2_svc(cprinc_arg *arg,
+@@ -360,8 +384,12 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -611,16 +611,16 @@
                                 arg->rec.principal, &rp)
          || kadm5int_acl_impose_restrictions(handle->context,
                                              &arg->rec, &arg->mask, rp)) {
-@@ -387,6 +415,8 @@ create_principal_2_svc(cprinc_arg *arg,
- 
- exit_func:
+@@ -388,6 +416,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -400,8 +430,9 @@ create_principal3_2_svc(cprinc3_arg *arg
+@@ -402,8 +432,9 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
      kadm5_server_handle_t       handle;
      restriction_t               *rp;
      const char                  *errmsg = NULL;
@@ -631,7 +631,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -420,8 +451,12 @@ create_principal3_2_svc(cprinc3_arg *arg
+@@ -422,8 +453,12 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -645,16 +645,16 @@
                                 arg->rec.principal, &rp)
          || kadm5int_acl_impose_restrictions(handle->context,
                                              &arg->rec, &arg->mask, rp)) {
-@@ -449,6 +484,8 @@ create_principal3_2_svc(cprinc3_arg *arg
- 
- exit_func:
+@@ -451,6 +486,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -462,8 +499,9 @@ delete_principal_2_svc(dprinc_arg *arg,
+@@ -464,8 +501,9 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -665,7 +665,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -482,8 +520,12 @@ delete_principal_2_svc(dprinc_arg *arg,
+@@ -484,8 +522,12 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -679,16 +679,16 @@
                                 arg->princ, NULL)) {
          ret.code = KADM5_AUTH_DELETE;
          log_unauth("kadm5_delete_principal", prime_arg,
-@@ -506,6 +548,8 @@ delete_principal_2_svc(dprinc_arg *arg,
- 
- exit_func:
+@@ -508,6 +550,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
+     gss_release_buffer(&minor_stat, &service_name);
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -520,8 +564,9 @@ modify_principal_2_svc(mprinc_arg *arg,
+@@ -522,8 +566,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
      kadm5_server_handle_t           handle;
      restriction_t                   *rp;
      const char                      *errmsg = NULL;
@@ -699,7 +699,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -538,8 +583,12 @@ modify_principal_2_svc(mprinc_arg *arg,
+@@ -540,8 +585,12 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -713,16 +713,16 @@
                                 arg->rec.principal, &rp)
          || kadm5int_acl_impose_restrictions(handle->context,
                                              &arg->rec, &arg->mask, rp)) {
-@@ -563,6 +612,8 @@ modify_principal_2_svc(mprinc_arg *arg,
+@@ -565,6 +614,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -580,8 +631,9 @@ rename_principal_2_svc(rprinc_arg *arg,
+@@ -581,8 +632,9 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
      const char                  *errmsg = NULL;
      size_t                      tlen1, tlen2, clen, slen;
      char                        *tdots1, *tdots2, *cdots, *sdots;
@@ -733,7 +733,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -607,13 +659,17 @@ rename_principal_2_svc(rprinc_arg *arg,
+@@ -608,13 +660,17 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
      slen = service_name.length;
      trunc_name(&slen, &sdots);
  
@@ -753,16 +753,16 @@
                                  ACL_ADD, arg->dest, &rp) || rp) {
              if (ret.code == KADM5_AUTH_DELETE)
                  ret.code = KADM5_AUTH_INSUFFICIENT;
-@@ -661,6 +717,8 @@ rename_principal_2_svc(rprinc_arg *arg,
+@@ -662,6 +718,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -674,8 +732,9 @@ get_principal_2_svc(gprinc_arg *arg, str
+@@ -675,8 +733,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -773,7 +773,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -696,9 +755,13 @@ get_principal_2_svc(gprinc_arg *arg, str
+@@ -697,9 +756,13 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -789,16 +789,16 @@
                                                          ACL_INQUIRE,
                                                          arg->princ,
                                                          NULL))) {
-@@ -723,6 +786,8 @@ get_principal_2_svc(gprinc_arg *arg, str
+@@ -724,6 +787,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -736,8 +801,9 @@ get_princs_2_svc(gprincs_arg *arg, struc
+@@ -737,8 +802,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -809,7 +809,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -755,8 +821,12 @@ get_princs_2_svc(gprincs_arg *arg, struc
+@@ -756,8 +822,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
      if (prime_arg == NULL)
          prime_arg = "*";
  
@@ -823,16 +823,16 @@
                                                         ACL_LIST,
                                                         NULL,
                                                         NULL)) {
-@@ -781,6 +851,8 @@ get_princs_2_svc(gprincs_arg *arg, struc
+@@ -782,6 +852,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -794,8 +866,9 @@ chpass_principal_2_svc(chpass_arg *arg,
+@@ -795,8 +867,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -843,7 +843,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -814,11 +887,15 @@ chpass_principal_2_svc(chpass_arg *arg,
+@@ -815,11 +888,15 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -861,16 +861,16 @@
                                    ACL_CHANGEPW, arg->princ, NULL)) {
          ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
                                            arg->pass);
-@@ -844,6 +921,8 @@ chpass_principal_2_svc(chpass_arg *arg,
+@@ -845,6 +922,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -857,8 +936,9 @@ chpass_principal3_2_svc(chpass3_arg *arg
+@@ -858,8 +937,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -881,7 +881,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -877,14 +957,18 @@ chpass_principal3_2_svc(chpass3_arg *arg
+@@ -878,14 +958,18 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -902,16 +902,16 @@
                                    ACL_CHANGEPW, arg->princ, NULL)) {
          ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
                                              arg->keepold,
-@@ -913,6 +997,8 @@ chpass_principal3_2_svc(chpass3_arg *arg
+@@ -914,6 +998,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -926,8 +1012,9 @@ setv4key_principal_2_svc(setv4key_arg *a
+@@ -927,8 +1013,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -922,7 +922,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -946,8 +1033,12 @@ setv4key_principal_2_svc(setv4key_arg *a
+@@ -947,8 +1034,12 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -936,16 +936,16 @@
                             ACL_SETKEY, arg->princ, NULL)) {
          ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
                                              arg->keyblock);
-@@ -973,6 +1064,8 @@ setv4key_principal_2_svc(setv4key_arg *a
+@@ -974,6 +1065,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -986,8 +1079,9 @@ setkey_principal_2_svc(setkey_arg *arg,
+@@ -987,8 +1080,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -956,7 +956,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1006,8 +1100,12 @@ setkey_principal_2_svc(setkey_arg *arg,
+@@ -1007,8 +1101,12 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -970,16 +970,16 @@
                             ACL_SETKEY, arg->princ, NULL)) {
          ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
                                            arg->keyblocks, arg->n_keys);
-@@ -1033,6 +1131,8 @@ setkey_principal_2_svc(setkey_arg *arg,
+@@ -1034,6 +1132,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1046,8 +1146,9 @@ setkey_principal3_2_svc(setkey3_arg *arg
+@@ -1047,8 +1147,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -990,7 +990,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1066,8 +1167,12 @@ setkey_principal3_2_svc(setkey3_arg *arg
+@@ -1067,8 +1168,12 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1004,16 +1004,16 @@
                             ACL_SETKEY, arg->princ, NULL)) {
          ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
                                              arg->keepold,
-@@ -1096,6 +1201,8 @@ setkey_principal3_2_svc(setkey3_arg *arg
+@@ -1097,6 +1202,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1111,8 +1218,9 @@ chrand_principal_2_svc(chrand_arg *arg,
+@@ -1112,8 +1219,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
      OM_uint32                   minor_stat;
      kadm5_server_handle_t       handle;
      const char                  *errmsg = NULL;
@@ -1024,7 +1024,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1134,11 +1242,15 @@ chrand_principal_2_svc(chrand_arg *arg,
+@@ -1135,11 +1243,15 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1042,16 +1042,16 @@
                                    ACL_CHANGEPW, arg->princ, NULL)) {
          ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
                                             &k, &nkeys);
-@@ -1168,6 +1280,8 @@ chrand_principal_2_svc(chrand_arg *arg,
+@@ -1169,6 +1281,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1183,8 +1297,9 @@ chrand_principal3_2_svc(chrand3_arg *arg
+@@ -1184,8 +1298,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
      OM_uint32                   minor_stat;
      kadm5_server_handle_t       handle;
      const char                  *errmsg = NULL;
@@ -1062,7 +1062,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1205,14 +1320,18 @@ chrand_principal3_2_svc(chrand3_arg *arg
+@@ -1206,14 +1321,18 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1083,16 +1083,16 @@
                                    ACL_CHANGEPW, arg->princ, NULL)) {
          ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
                                               arg->keepold,
-@@ -1245,6 +1364,8 @@ chrand_principal3_2_svc(chrand3_arg *arg
+@@ -1246,6 +1365,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1258,8 +1379,9 @@ create_policy_2_svc(cpol_arg *arg, struc
+@@ -1259,8 +1380,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1103,7 +1103,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1275,8 +1397,12 @@ create_policy_2_svc(cpol_arg *arg, struc
+@@ -1276,8 +1398,12 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
      }
      prime_arg = arg->rec.policy;
  
@@ -1117,16 +1117,16 @@
                                                         ACL_ADD, NULL, NULL)) {
          ret.code = KADM5_AUTH_ADD;
          log_unauth("kadm5_create_policy", prime_arg,
-@@ -1299,6 +1425,8 @@ create_policy_2_svc(cpol_arg *arg, struc
+@@ -1300,6 +1426,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1312,8 +1440,9 @@ delete_policy_2_svc(dpol_arg *arg, struc
+@@ -1313,8 +1441,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1137,7 +1137,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1329,8 +1458,12 @@ delete_policy_2_svc(dpol_arg *arg, struc
+@@ -1330,8 +1459,12 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
      }
      prime_arg = arg->name;
  
@@ -1151,16 +1151,16 @@
                                                         ACL_DELETE, NULL, NULL)) {
          log_unauth("kadm5_delete_policy", prime_arg,
                     &client_name, &service_name, rqstp);
-@@ -1351,6 +1484,8 @@ delete_policy_2_svc(dpol_arg *arg, struc
+@@ -1352,6 +1485,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1364,8 +1499,9 @@ modify_policy_2_svc(mpol_arg *arg, struc
+@@ -1365,8 +1500,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1171,7 +1171,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1381,8 +1517,12 @@ modify_policy_2_svc(mpol_arg *arg, struc
+@@ -1382,8 +1518,12 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
      }
      prime_arg = arg->rec.policy;
  
@@ -1185,16 +1185,16 @@
                                                         ACL_MODIFY, NULL, NULL)) {
          log_unauth("kadm5_modify_policy", prime_arg,
                     &client_name, &service_name, rqstp);
-@@ -1404,6 +1544,8 @@ modify_policy_2_svc(mpol_arg *arg, struc
+@@ -1405,6 +1545,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1419,8 +1561,9 @@ get_policy_2_svc(gpol_arg *arg, struct s
+@@ -1420,8 +1562,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
      kadm5_principal_ent_rec     caller_ent;
      kadm5_server_handle_t       handle;
      const char                  *errmsg = NULL;
@@ -1205,7 +1205,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1438,9 +1581,13 @@ get_policy_2_svc(gpol_arg *arg, struct s
+@@ -1439,9 +1582,13 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
      }
      prime_arg = arg->name;
  
@@ -1220,16 +1220,16 @@
                                                         ACL_INQUIRE, NULL, NULL))
          ret.code = KADM5_OK;
      else {
-@@ -1479,6 +1626,8 @@ get_policy_2_svc(gpol_arg *arg, struct s
+@@ -1480,6 +1627,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  
  }
-@@ -1493,8 +1642,9 @@ get_pols_2_svc(gpols_arg *arg, struct sv
+@@ -1494,8 +1643,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1240,7 +1240,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1512,8 +1662,12 @@ get_pols_2_svc(gpols_arg *arg, struct sv
+@@ -1513,8 +1663,12 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
      if (prime_arg == NULL)
          prime_arg = "*";
  
@@ -1254,16 +1254,16 @@
                                                         ACL_LIST, NULL, NULL)) {
          ret.code = KADM5_AUTH_LIST;
          log_unauth("kadm5_get_policies", prime_arg,
-@@ -1535,6 +1689,8 @@ get_pols_2_svc(gpols_arg *arg, struct sv
+@@ -1536,6 +1690,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1546,7 +1702,7 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4
+@@ -1548,7 +1704,7 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
      kadm5_server_handle_t          handle;
      const char                     *errmsg = NULL;
  
@@ -1272,7 +1272,7 @@
  
      if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
          goto exit_func;
-@@ -1588,8 +1744,9 @@ purgekeys_2_svc(purgekeys_arg *arg, stru
+@@ -1591,8 +1747,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
      kadm5_server_handle_t       handle;
  
      const char                  *errmsg = NULL;
@@ -1283,7 +1283,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1610,9 +1767,13 @@ purgekeys_2_svc(purgekeys_arg *arg, stru
+@@ -1613,9 +1770,13 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1299,16 +1299,16 @@
                                  arg->princ, NULL))) {
          ret.code = KADM5_AUTH_MODIFY;
          log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
-@@ -1633,6 +1794,8 @@ purgekeys_2_svc(purgekeys_arg *arg, stru
+@@ -1636,6 +1797,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1646,8 +1809,9 @@ get_strings_2_svc(gstrings_arg *arg, str
+@@ -1649,8 +1812,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1319,7 +1319,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1666,9 +1830,13 @@ get_strings_2_svc(gstrings_arg *arg, str
+@@ -1669,9 +1833,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1335,16 +1335,16 @@
                                                          ACL_INQUIRE,
                                                          arg->princ,
                                                          NULL))) {
-@@ -1692,6 +1860,8 @@ get_strings_2_svc(gstrings_arg *arg, str
+@@ -1695,6 +1863,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1705,8 +1875,9 @@ set_string_2_svc(sstring_arg *arg, struc
+@@ -1708,8 +1878,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
      OM_uint32                       minor_stat;
      kadm5_server_handle_t           handle;
      const char                      *errmsg = NULL;
@@ -1355,7 +1355,7 @@
  
      if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
          goto exit_func;
-@@ -1725,8 +1896,12 @@ set_string_2_svc(sstring_arg *arg, struc
+@@ -1728,8 +1899,12 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
          goto exit_func;
      }
  
@@ -1369,16 +1369,16 @@
                                 arg->princ, NULL)) {
          ret.code = KADM5_AUTH_MODIFY;
          log_unauth("kadm5_mod_strings", prime_arg,
-@@ -1748,6 +1923,8 @@ set_string_2_svc(sstring_arg *arg, struc
+@@ -1751,6 +1926,8 @@ exit_func:
+     gss_release_buffer(&minor_stat, &client_name);
      gss_release_buffer(&minor_stat, &service_name);
- exit_func:
      free_server_handle(handle);
 +    if (name)
 +        gss_release_name(&minor_stat, &name);
      return &ret;
  }
  
-@@ -1762,7 +1939,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg,
+@@ -1765,7 +1942,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
      size_t clen, slen;
      char *cdots, *sdots;
  
@@ -1387,19 +1387,20 @@
  
      if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
          goto exit_func;
-@@ -1807,9 +1984,18 @@ exit_func:
+@@ -1810,9 +1987,18 @@ exit_func:
  gss_name_t
  rqst2name(struct svc_req *rqstp)
  {
+-
+-    if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS)
+-        return rqstp->rq_clntname;
+-    else
+-        return rqstp->rq_clntcred;
 +    OM_uint32 maj_stat, min_stat;
 +    gss_name_t name;
 +    rpc_gss_rawcred_t * raw_cred;
 +    gss_buffer_desc name_buff;
- 
--    if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS)
--        return rqstp->rq_clntname;
--    else
--        return rqstp->rq_clntcred;
++
 +    rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL);
 +    name_buff.value = raw_cred->client_principal->name;
 +    name_buff.length = raw_cred->client_principal->len;
@@ -1410,9 +1411,9 @@
 +    }
 +    return (name);
  }
-diff -pur old/src/lib/Makefile.in new/src/lib/Makefile.in
---- old/src/lib/Makefile.in
-+++ new/src/lib/Makefile.in
+diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
+--- a/src/lib/Makefile.in
++++ b/src/lib/Makefile.in
 @@ -1,5 +1,5 @@
  mydir=lib
 -SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils krad
@@ -1420,9 +1421,9 @@
  WINSUBDIRS=crypto krb5 gssapi
  BUILDTOP=$(REL)..
  
-diff -pur old/src/lib/apputils/net-server.c new/src/lib/apputils/net-server.c
---- old/src/lib/apputils/net-server.c
-+++ new/src/lib/apputils/net-server.c
+diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
+--- a/src/lib/apputils/net-server.c
++++ b/src/lib/apputils/net-server.c
 @@ -32,7 +32,7 @@
  #include "port-sockets.h"
  #include "socket-utils.h"
@@ -1442,7 +1443,7 @@
  /*
   * N.B.: The Emacs cc-mode indentation code seems to get confused if
   * the macro argument here is one word only.  So use "unsigned short"
-@@ -546,6 +549,127 @@ add_tcp_read_fd(struct socksetup *data,
+@@ -546,6 +549,127 @@ add_tcp_read_fd(struct socksetup *data, int sock)
                    process_tcp_connection_read, 1);
  }
  
@@ -1570,7 +1571,7 @@
  /*
   * Create a socket and bind it to addr.  Ensure the socket will work with
   * select().  Set the socket cloexec, reuseaddr, and if applicable v6-only.
-@@ -604,12 +728,13 @@ create_server_socket(struct socksetup *d
+@@ -604,12 +728,13 @@ create_server_socket(struct socksetup *data, struct sockaddr *addr, int type)
  }
  
  static verto_ev *
@@ -1586,7 +1587,7 @@
                  VERTO_EV_FLAG_IO_READ |
                  VERTO_EV_FLAG_PERSIST |
                  VERTO_EV_FLAG_REINITIABLE,
-@@ -618,7 +743,7 @@ add_rpc_listener_fd(struct socksetup *da
+@@ -618,7 +743,7 @@ add_rpc_listener_fd(struct socksetup *data, struct rpc_svc_data *svc, int sock)
          return NULL;
  
      conn = verto_get_private(ev);
@@ -1595,7 +1596,7 @@
      if (conn->transp == NULL) {
          krb5_klog_syslog(LOG_ERR,
                           _("Cannot create RPC service: %s; continuing"),
-@@ -627,11 +752,14 @@ add_rpc_listener_fd(struct socksetup *da
+@@ -627,11 +752,14 @@ add_rpc_listener_fd(struct socksetup *data, struct rpc_svc_data *svc, int sock)
          return NULL;
      }
  
@@ -1614,7 +1615,7 @@
          verto_del(ev);
          return NULL;
      }
-@@ -760,53 +888,99 @@ setup_tcp_listener_ports(struct socksetu
+@@ -760,53 +888,99 @@ setup_tcp_listener_ports(struct socksetup *data)
      return 0;
  }
  
@@ -1652,7 +1653,10 @@
 +        com_err(data->prog, errno, _("cannot get any transport information"));
 +        goto cleanup;
 +    }
-+
+ 
+-    memset(&sin4, 0, sizeof(sin4));
+-    sin4.sin_family = AF_INET;
+-    sin4.sin_addr.s_addr = INADDR_ANY;
 +    while (nconf = getnetconfig(handlep)) {
 +        if ((nconf->nc_semantics == NC_TPI_COTS_ORD) &&
 +            (strcmp(nconf->nc_proto, NC_TCP) == 0)){
@@ -1663,10 +1667,6 @@
 +        }
 +    }
  
--    memset(&sin4, 0, sizeof(sin4));
--    sin4.sin_family = AF_INET;
--    sin4.sin_addr.s_addr = INADDR_ANY;
--
 -    memset(&sin6, 0, sizeof(sin6));
 -    sin6.sin6_family = AF_INET6;
 -    sin6.sin6_addr = in6addr_any;
@@ -1723,8 +1723,6 @@
 +            }
          }
      }
--
--    return 0;
 +    if (n_svcs > 0) {
 +        krb5_klog_syslog(LOG_INFO, _("%d RPC services registered"), n_svcs);
 +    } else if (!EMPTY(rpc_svc_data)){
@@ -1740,16 +1738,17 @@
 +        exit (1);
 +    }
 +    ret = 0;
-+
+ 
+-    return 0;
 +cleanup:
 +    endnetconfig(handlep);
 +    return ret;
  }
  
  #if defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) &&      \
-diff -pur old/src/lib/kadm5/Makefile.in new/src/lib/kadm5/Makefile.in
---- old/src/lib/kadm5/Makefile.in
-+++ new/src/lib/kadm5/Makefile.in
+diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
+--- a/src/lib/kadm5/Makefile.in
++++ b/src/lib/kadm5/Makefile.in
 @@ -21,6 +21,7 @@ SRCS =	kadm_err.c \
  	$(srcdir)/chpass_util.c \
  	$(srcdir)/alt_prof.c \
@@ -1774,9 +1773,9 @@
  	logger.o
  
  HDRDIR=$(BUILDTOP)/include/kadm5
-diff -pur old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h
---- old/src/lib/kadm5/admin.h
-+++ new/src/lib/kadm5/admin.h
+diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
+--- a/src/lib/kadm5/admin.h
++++ b/src/lib/kadm5/admin.h
 @@ -42,7 +42,7 @@
  #define __KADM5_ADMIN_H__
  
@@ -1794,7 +1793,7 @@
  
  typedef krb5_principal  kadm5_princ_t;
  typedef char            *kadm5_policy_t;
-@@ -453,6 +454,21 @@ kadm5_ret_t    kadm5_free_key_data(void
+@@ -453,6 +454,21 @@ kadm5_ret_t    kadm5_free_key_data(void *server_handle,
  kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
                                      int count);
  
@@ -1816,10 +1815,10 @@
  krb5_error_code kadm5_init_krb5_context (krb5_context *);
  
  krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args);
-diff -pur old/src/lib/kadm5/alt_prof.c new/src/lib/kadm5/alt_prof.c
---- old/src/lib/kadm5/alt_prof.c
-+++ new/src/lib/kadm5/alt_prof.c
-@@ -746,10 +746,17 @@ krb5_error_code kadm5_get_config_params(
+diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
+--- a/src/lib/kadm5/alt_prof.c
++++ b/src/lib/kadm5/alt_prof.c
+@@ -746,10 +746,17 @@ krb5_error_code kadm5_get_config_params(krb5_context context,
          params.mask |= KADM5_CONFIG_IPROP_ENABLED;
          params.iprop_enabled = params_in->iprop_enabled;
      } else {
@@ -1841,7 +1840,7 @@
          }
      }
  
-@@ -778,18 +785,30 @@ krb5_error_code kadm5_get_config_params(
+@@ -778,18 +785,30 @@ krb5_error_code kadm5_get_config_params(krb5_context context,
          params.mask |= KADM5_CONFIG_ULOG_SIZE;
          params.iprop_ulogsize = params_in->iprop_ulogsize;
      } else {
@@ -1880,10 +1879,10 @@
  
      *params_out = params;
  
-diff -pur old/src/lib/kadm5/clnt/Makefile.in new/src/lib/kadm5/clnt/Makefile.in
---- old/src/lib/kadm5/clnt/Makefile.in
-+++ new/src/lib/kadm5/clnt/Makefile.in
-@@ -7,12 +7,11 @@ LIBMAJOR=9
+diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in
+--- a/src/lib/kadm5/clnt/Makefile.in
++++ b/src/lib/kadm5/clnt/Makefile.in
+@@ -7,12 +7,11 @@ LIBMAJOR=10
  LIBMINOR=0
  STOBJLISTS=../OBJS.ST OBJS.ST
  SHLIB_EXPDEPS=\
@@ -1897,9 +1896,9 @@
  RELDIR=kadm5/clnt
  
  ##DOSBUILDTOP = ..\..\..
-diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c
---- no-028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:39:09.439503108 -0600
-+++ 028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:40:49.154436988 -0600
+diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
+--- a/src/lib/kadm5/clnt/client_init.c
++++ b/src/lib/kadm5/clnt/client_init.c
 @@ -44,12 +44,12 @@
  #include <iprop_hdr.h>
  #include "iprop.h"
@@ -1915,7 +1914,7 @@
  
  enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
  
-@@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex
+@@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context context, char *client_name,
                      server_handle);
  }
  
@@ -2302,7 +2301,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
-@@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli
+@@ -152,13 +528,13 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
      rpcvers_t rpc_vers;
      krb5_ccache ccache;
      krb5_principal client = NULL, server = NULL;
@@ -2317,7 +2316,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
-@@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli
+@@ -226,105 +602,27 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
      if (code)
          goto error;
  
@@ -2472,7 +2471,7 @@
      /*
       * Acquire a service ticket for svcname@realm for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
-@@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han
+@@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
  
      code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
                      server_out);
@@ -2485,7 +2484,7 @@
      /* Improved error messages */
      if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
      if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
-@@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k
+@@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, kadm5_config_params *params_in,
           gss_cred_id_t gss_client_creds, gss_name_t gss_target)
  {
      OM_uint32 gssstat, minor_stat;
@@ -2512,7 +2511,7 @@
      struct rpc_gss_sec sec;
  
      /* Allow unauthenticated option for testing. */
-@@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k
+@@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, kadm5_config_params *params_in,
                                                 GSS_C_MUTUAL_FLAG
                                                 | GSS_C_REPLAY_FLAG,
                                                 0, NULL, NULL, NULL);
@@ -2520,8 +2519,9 @@
  }
  
  kadm5_ret_t
---- old/src/lib/kadm5/clnt/client_principal.c
-+++ new/src/lib/kadm5/clnt/client_principal.c
+diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c
+--- a/src/lib/kadm5/clnt/client_principal.c
++++ b/src/lib/kadm5/clnt/client_principal.c
 @@ -5,7 +5,7 @@
   * $Header$
   */
@@ -2531,9 +2531,9 @@
  #include    <kadm5/admin.h>
  #include    <kadm5/kadm_rpc.h>
  #ifdef HAVE_MEMORY_H
-diff -pur old/src/lib/kadm5/clnt/client_rpc.c new/src/lib/kadm5/clnt/client_rpc.c
---- old/src/lib/kadm5/clnt/client_rpc.c
-+++ new/src/lib/kadm5/clnt/client_rpc.c
+diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c
+--- a/src/lib/kadm5/clnt/client_rpc.c
++++ b/src/lib/kadm5/clnt/client_rpc.c
 @@ -1,5 +1,5 @@
  /* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */
 -#include <gssrpc/rpc.h>
@@ -2541,9 +2541,9 @@
  #include <kadm5/kadm_rpc.h>
  #include <krb5.h>
  #include <kadm5/admin.h>
-diff -pur old/src/lib/kadm5/clnt/clnt_policy.c new/src/lib/kadm5/clnt/clnt_policy.c
---- old/src/lib/kadm5/clnt/clnt_policy.c
-+++ new/src/lib/kadm5/clnt/clnt_policy.c
+diff --git a/src/lib/kadm5/clnt/clnt_policy.c b/src/lib/kadm5/clnt/clnt_policy.c
+--- a/src/lib/kadm5/clnt/clnt_policy.c
++++ b/src/lib/kadm5/clnt/clnt_policy.c
 @@ -5,7 +5,7 @@
   * $Header$
   */
@@ -2553,9 +2553,9 @@
  #include    <kadm5/admin.h>
  #include    <kadm5/kadm_rpc.h>
  #include    "client_internal.h"
-diff -pur old/src/lib/kadm5/clnt/clnt_privs.c new/src/lib/kadm5/clnt/clnt_privs.c
---- old/src/lib/kadm5/clnt/clnt_privs.c
-+++ new/src/lib/kadm5/clnt/clnt_privs.c
+diff --git a/src/lib/kadm5/clnt/clnt_privs.c b/src/lib/kadm5/clnt/clnt_privs.c
+--- a/src/lib/kadm5/clnt/clnt_privs.c
++++ b/src/lib/kadm5/clnt/clnt_privs.c
 @@ -7,7 +7,7 @@
   *
   */
@@ -2565,10 +2565,10 @@
  #include    <kadm5/admin.h>
  #include    <kadm5/kadm_rpc.h>
  #include    "client_internal.h"
-diff -pur old/src/lib/kadm5/deps new/src/lib/kadm5/deps
---- old/src/lib/kadm5/deps
-+++ new/src/lib/kadm5/deps
-@@ -90,6 +90,20 @@ str_conv.so str_conv.po $(OUTPRE)str_con
+diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps
+--- a/src/lib/kadm5/deps
++++ b/src/lib/kadm5/deps
+@@ -90,6 +90,20 @@ str_conv.so str_conv.po $(OUTPRE)str_conv.$(OBJEXT): \
    $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
    $(top_srcdir)/include/socket-utils.h admin_internal.h \
    str_conv.c
@@ -2589,9 +2589,9 @@
  logger.so logger.po $(OUTPRE)logger.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
    $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
    $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h \
-diff -pur old/src/lib/kadm5/kadm_rpc.h new/src/lib/kadm5/kadm_rpc.h
---- old/src/lib/kadm5/kadm_rpc.h
-+++ new/src/lib/kadm5/kadm_rpc.h
+diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h
+--- a/src/lib/kadm5/kadm_rpc.h
++++ b/src/lib/kadm5/kadm_rpc.h
 @@ -2,7 +2,7 @@
  #ifndef __KADM_RPC_H__
  #define __KADM_RPC_H__
@@ -2610,9 +2610,9 @@
 +#define	xdr_u_int32 xdr_u_int
  
  #endif /* __KADM_RPC_H__ */
-diff -pur old/src/lib/kadm5/kadm_rpc_xdr.c new/src/lib/kadm5/kadm_rpc_xdr.c
---- old/src/lib/kadm5/kadm_rpc_xdr.c
-+++ new/src/lib/kadm5/kadm_rpc_xdr.c
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
 @@ -3,7 +3,7 @@
   * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
   */
@@ -2622,10 +2622,10 @@
  #include <krb5.h>
  #include <errno.h>
  #include <kadm5/admin.h>
-diff -pur old/src/lib/kadm5/server_internal.h new/src/lib/kadm5/server_internal.h
---- old/src/lib/kadm5/server_internal.h
-+++ new/src/lib/kadm5/server_internal.h
-@@ -257,4 +257,8 @@ k5_kadm5_hook_remove (krb5_context conte
+diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
+--- a/src/lib/kadm5/server_internal.h
++++ b/src/lib/kadm5/server_internal.h
+@@ -264,4 +264,8 @@ k5_kadm5_hook_rename (krb5_context context,
  
  /** @}*/
  
@@ -2634,9 +2634,9 @@
 +extern caddr_t xdralloc_getdata(XDR *xdrs);
 +
  #endif /* __KADM5_SERVER_INTERNAL_H__ */
-diff -pur old/src/lib/kadm5/srv/Makefile.in new/src/lib/kadm5/srv/Makefile.in
---- old/src/lib/kadm5/srv/Makefile.in
-+++ new/src/lib/kadm5/srv/Makefile.in
+diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
+--- a/src/lib/kadm5/srv/Makefile.in
++++ b/src/lib/kadm5/srv/Makefile.in
 @@ -14,13 +14,12 @@ LIBMINOR=0
  STOBJLISTS=../OBJS.ST OBJS.ST
  
@@ -2679,9 +2679,9 @@
  	adb_xdr.o
  
  all-unix:: includes
-diff -pur old/src/lib/kadm5/srv/adb_xdr.c new/src/lib/kadm5/srv/adb_xdr.c
---- old/src/lib/kadm5/srv/adb_xdr.c
-+++ new/src/lib/kadm5/srv/adb_xdr.c
+diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
+--- a/src/lib/kadm5/srv/adb_xdr.c
++++ b/src/lib/kadm5/srv/adb_xdr.c
 @@ -7,7 +7,7 @@
  
  #include <sys/types.h>
@@ -2691,10 +2691,10 @@
  #include	"server_internal.h"
  #include "admin_xdr.h"
  #ifdef HAVE_MEMORY_H
-diff -pur old/src/lib/kadm5/srv/server_init.c new/src/lib/kadm5/srv/server_init.c
---- old/src/lib/kadm5/srv/server_init.c
-+++ new/src/lib/kadm5/srv/server_init.c
-@@ -233,8 +233,7 @@ kadm5_ret_t kadm5_init(krb5_context cont
+diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
+--- a/src/lib/kadm5/srv/server_init.c
++++ b/src/lib/kadm5/srv/server_init.c
+@@ -233,8 +233,7 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
  
  #define IPROP_REQUIRED_PARAMS                   \
      (KADM5_CONFIG_IPROP_ENABLED |               \
@@ -2704,9 +2704,9 @@
  
      if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
          free_db_args(handle);
-diff -pur old/src/lib/kdb/Makefile.in new/src/lib/kdb/Makefile.in
---- old/src/lib/kdb/Makefile.in
-+++ new/src/lib/kdb/Makefile.in
+diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
+--- a/src/lib/kdb/Makefile.in
++++ b/src/lib/kdb/Makefile.in
 @@ -14,9 +14,8 @@ RELDIR=kdb
  
  SHLIB_EXPDEPS = \
@@ -2718,9 +2718,9 @@
  
  adb_err.$(OBJEXT): adb_err.c
  adb_err.c adb_err.h: $(srcdir)/adb_err.et
-diff -pur old/src/lib/kdb/iprop_xdr.c new/src/lib/kdb/iprop_xdr.c
---- old/src/lib/kdb/iprop_xdr.c
-+++ new/src/lib/kdb/iprop_xdr.c
+diff --git a/src/lib/kdb/iprop_xdr.c b/src/lib/kdb/iprop_xdr.c
+--- a/src/lib/kdb/iprop_xdr.c
++++ b/src/lib/kdb/iprop_xdr.c
 @@ -9,6 +9,7 @@
  #pragma GCC diagnostic ignored "-Wunused-variable"
  #endif
@@ -2737,9 +2737,9 @@
  
  bool_t
  xdr_utf8str_t (XDR *xdrs, utf8str_t *objp)
-diff -pur old/src/lib/krb5/os/changepw.c new/src/lib/krb5/os/changepw.c
---- old/src/lib/krb5/os/changepw.c
-+++ new/src/lib/krb5/os/changepw.c
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
 @@ -57,7 +57,7 @@ struct sendto_callback_context {
   * Wrapper function for the two backends
   */
@@ -2749,10 +2749,10 @@
  locate_kpasswd(krb5_context context, const krb5_data *realm,
                 struct serverlist *serverlist, krb5_boolean no_udp)
  {
-diff -pur old/src/lib/krb5/os/locate_kdc.c new/src/lib/krb5/os/locate_kdc.c
---- old/src/lib/krb5/os/locate_kdc.c
-+++ new/src/lib/krb5/os/locate_kdc.c
-@@ -675,6 +675,14 @@ k5_locate_kdc(krb5_context context, cons
+diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
+--- a/src/lib/krb5/os/locate_kdc.c
++++ b/src/lib/krb5/os/locate_kdc.c
+@@ -675,6 +675,14 @@ k5_locate_kdc(krb5_context context, const krb5_data *realm,
      return k5_locate_server(context, realm, serverlist, stype, no_udp);
  }
  
@@ -2767,9 +2767,9 @@
  krb5_boolean
  k5_kdc_is_master(krb5_context context, const krb5_data *realm,
                   struct server_entry *server)
-diff -pur old/src/lib/rpc/xdr_alloc.c new/src/lib/rpc/xdr_alloc.c
---- old/src/lib/rpc/xdr_alloc.c
-+++ new/src/lib/rpc/xdr_alloc.c
+diff --git a/src/lib/rpc/xdr_alloc.c b/src/lib/rpc/xdr_alloc.c
+--- a/src/lib/rpc/xdr_alloc.c
++++ b/src/lib/rpc/xdr_alloc.c
 @@ -35,18 +35,23 @@
   * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
   */
@@ -2879,9 +2879,9 @@
 +{
 +     return FALSE;
 +}
-diff -pur old/src/plugins/kdb/db2/adb_policy.c new/src/plugins/kdb/db2/adb_policy.c
---- old/src/plugins/kdb/db2/adb_policy.c
-+++ new/src/plugins/kdb/db2/adb_policy.c
+diff --git a/src/plugins/kdb/db2/adb_policy.c b/src/plugins/kdb/db2/adb_policy.c
+--- a/src/plugins/kdb/db2/adb_policy.c
++++ b/src/plugins/kdb/db2/adb_policy.c
 @@ -28,6 +28,9 @@
              return cl_ret;                                              \
      }
@@ -2892,9 +2892,9 @@
  
  /*
   * Function: osa_adb_create_policy
-diff -pur old/src/plugins/kdb/db2/pol_xdr.c new/src/plugins/kdb/db2/pol_xdr.c
---- old/src/plugins/kdb/db2/pol_xdr.c
-+++ new/src/plugins/kdb/db2/pol_xdr.c
+diff --git a/src/plugins/kdb/db2/pol_xdr.c b/src/plugins/kdb/db2/pol_xdr.c
+--- a/src/plugins/kdb/db2/pol_xdr.c
++++ b/src/plugins/kdb/db2/pol_xdr.c
 @@ -1,6 +1,6 @@
  #include <sys/types.h>
  #include <krb5.h>
@@ -2903,9 +2903,9 @@
  #include <kdb.h>
  #include <kadm5/admin_xdr.h>
  #include "policy_db.h"
-diff -pur old/src/plugins/kdb/db2/policy_db.h new/src/plugins/kdb/db2/policy_db.h
---- old/src/plugins/kdb/db2/policy_db.h
-+++ new/src/plugins/kdb/db2/policy_db.h
+diff --git a/src/plugins/kdb/db2/policy_db.h b/src/plugins/kdb/db2/policy_db.h
+--- a/src/plugins/kdb/db2/policy_db.h
++++ b/src/plugins/kdb/db2/policy_db.h
 @@ -28,8 +28,8 @@
  
     A better fix might be for db.h to include netinet/in.h if that's
@@ -2917,9 +2917,9 @@
  #include <db.h>
  #include "adb_err.h"
  #include <com_err.h>
-diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
---- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
-+++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
+--- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c
 @@ -3,6 +3,10 @@
  #include "princ_xdr.h"
  #include <kadm5/admin.h>
@@ -2931,9 +2931,9 @@
  bool_t
  ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp)
  {
-diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
---- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
-+++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
+--- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h
 @@ -4,7 +4,7 @@
  #include <sys/types.h>
  #include <krb5.h>
@@ -2943,10 +2943,10 @@
  
  #ifdef HAVE_MEMORY_H
  #include <memory.h>
-diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c
---- old/src/slave/kpropd.c
-+++ new/src/slave/kpropd.c
-@@ -584,7 +584,7 @@ full_resync(CLIENT *clnt)
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -588,7 +588,7 @@ full_resync(CLIENT *clnt)
  
      memset(&clnt_res, 0, sizeof(clnt_res));
  
@@ -2955,10 +2955,10 @@
                         (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
                         (caddr_t)&clnt_res, full_resync_timeout);
      if (status == RPC_PROCUNAVAIL) {
-diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in
---- new/src/tests/misc/Makefile.in	2016-02-29 11:50:13.000000000 -0800
-+++ patched.1/src/tests/misc/Makefile.in	2016-03-19 08:15:59.222125882 -0700
-@@ -12,19 +12,17 @@ SRCS=\
+diff --git a/src/tests/misc/Makefile.in b/src/tests/misc/Makefile.in
+--- a/src/tests/misc/Makefile.in
++++ b/src/tests/misc/Makefile.in
+@@ -12,18 +12,16 @@ SRCS=\
  	$(srcdir)/test_cxx_krb5.cpp \
  	$(srcdir)/test_cxx_k5int.cpp \
  	$(srcdir)/test_cxx_gss.cpp \
@@ -2978,8 +2978,7 @@
  	$(RUN_TEST) ./test_cxx_kadm5
  
  test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB)
- 	$(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB)
-@@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int.
+@@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_DEPLIB)
  	$(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
  test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT)
  	$(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS)
@@ -2999,9 +2998,21 @@
 -	$(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o
 +	$(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o
  
-diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py
---- old/src/tests/t_iprop.py	2016-02-29 11:50:13.000000000 -0800
-+++ new/src/tests/t_iprop.py	2016-04-08 11:08:10.225701596 -0700
+diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
+--- a/src/tests/t_ccache.py
++++ b/src/tests/t_ccache.py
+@@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password('user'))
+ realm.run([klist, '-s'])
+ realm.kinit(realm.user_princ, password('user'), ['-l', '-1s'])
+ realm.run([klist, '-s'], expected_code=1)
+-realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
++realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw'])
+ realm.run([klist, '-s'])
+ realm.run([kdestroy])
+ realm.run([klist, '-s'], expected_code=1)
+diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
+--- a/src/tests/t_iprop.py
++++ b/src/tests/t_iprop.py
 @@ -1,44 +1,35 @@
  #!/usr/bin/python
  
@@ -3059,7 +3070,7 @@
  
          # Detect some failure conditions.
          if 'Still waiting for full resync' in line:
-@@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected,
+@@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected, expected_old, expected_new):
          if 'invalid return' in line:
              fail('kadmind returned invalid result')
  
@@ -3082,7 +3093,7 @@
 -        if 'Waiting for' in line:
 -            break
 -    output('*** Sync complete\n')
--
+ 
 -# Verify the output of kproplog against the expected number of
 -# entries, first and last serial number, and a list of principal names
 -# for the update entrires.
@@ -3117,7 +3128,13 @@
 -            eprinc = entries[ser - first]
 -            if eprinc != None:
 -                fail('Expected princ %s in update entry %d' % (eprinc, ser))
--
++# Verify the iprop log last serial number against an expected value,
++# on either the master or slave.
++def check_serial(realm, expected, env=None):
++    out = realm.run([kproplog, '-h'], env=env)
++    if 'Last serial # : ' not in out:
++        fail('Unexpected serial number')
+ 
 -# slave1 will receive updates from master, and slave2 will receive
 -# updates from slave1.  Because of the awkward way iprop and kprop
 -# port configuration currently works, we need separate config files
@@ -3140,7 +3157,11 @@
 -slave1 = realm.special_env('slave1', True, kdc_conf=conf_slave1)
 -slave1m = realm.special_env('slave1m', True, kdc_conf=conf_slave1m)
 -slave2 = realm.special_env('slave2', True, kdc_conf=conf_slave2)
--
++conf = {
++    'realms': {'$realm': {
++            'iprop_enable': 'true',
++            'iprop_logfile' : '$testdir/db.ulog'}}}
+ 
 -# Define some principal names.  pr3 is long enough to cause internal
 -# reallocs, but not long enough to grow the basic ulog entry size.
 -pr1 = 'wakawaka@' + realm.realm
@@ -3149,19 +3170,6 @@
 -cs = c + '/'
 -pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c +
 -       '@' + realm.realm)
-+# Verify the iprop log last serial number against an expected value,
-+# on either the master or slave.
-+def check_serial(realm, expected, env=None):
-+    out = realm.run([kproplog, '-h'], env=env)
-+    if 'Last serial # : ' not in out:
-+        fail('Unexpected serial number')
-+
-+
-+conf = {
-+    'realms': {'$realm': {
-+            'iprop_enable': 'true',
-+            'iprop_logfile' : '$testdir/db.ulog'}}}
-+
 +conf_slave = {
 +    'realms': {'$realm': {
 +            'iprop_slave_poll': '600',
@@ -3206,6 +3214,8 @@
 +realm.addprinc('w')
 +realm.run([kadminl, 'modprinc', '-allow_tix', 'w'])
 +realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
++
++check_serial(realm, '7')
  
 -# Make some changes to the master DB.
 -realm.addprinc(pr1)
@@ -3214,7 +3224,12 @@
 -realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
 -realm.run([kadminl, 'modprinc', '+allow_tix', pr2])
 -check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2])
--
++# Set up the kpropd acl file.
++acl_file = os.path.join(realm.testdir, 'kpropd-acl')
++acl = open(acl_file, 'w')
++acl.write(realm.host_princ + '\n')
++acl.close()
+ 
 -# Start kpropd for slave1 and get a full dump from master.
 -kpropd1 = realm.start_kpropd(slave1, ['-d'])
 -wait_for_prop(kpropd1, True, 1, 6)
@@ -3222,14 +3237,6 @@
 -if pr1 not in out or pr2 not in out or pr3 not in out:
 -    fail('slave1 does not have all principals from master')
 -check_ulog(1, 6, 6, [None], slave1)
-+check_serial(realm, '7')
-+
-+# Set up the kpropd acl file.
-+acl_file = os.path.join(realm.testdir, 'kpropd-acl')
-+acl = open(acl_file, 'w')
-+acl.write(realm.host_princ + '\n')
-+acl.close()
-+
 +# Start kpropd and get a full dump from master.
 +kpropd = realm.start_kpropd(slave, ['-d'])
 +wait_for_prop(kpropd, True)
@@ -3252,8 +3259,7 @@
 +out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
  if 'Attributes: DISALLOW_ALL_TIX' not in out:
 -    fail('slave1 does not have modification from master')
-+    fail('Slave does not have modification from master')
- 
+-
 -# Start kadmind -proponly for slave1.  (Use the slave1m environment
 -# which defines iprop_port to $port8.)
 -slave1_out_dump_path = os.path.join(realm.testdir, 'dump.slave1.out')
@@ -3263,7 +3269,8 @@
 -realm.start_server([kadmind, '-nofork', '-proponly', '-W', '-p', kdb5_util,
 -                    '-K', kprop, '-F', slave1_out_dump_path], 'starting...',
 -                   slave1m)
--
++    fail('Slave does not have modification from master')
+ 
 -# Start kpropd for slave2.  The -A option isn't needed since we're
 -# talking to the same host as master (we specify it anyway to exercise
 -# the code), but slave2 defines iprop_port to $port8 so it will talk
@@ -3293,7 +3300,16 @@
 -out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
 -    fail('slave2 does not have modification from slave1')
--
++# Make another change and check that it propagates incrementally.
++realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
++check_serial(realm, '9')
++kpropd.send_signal(signal.SIGUSR1)
++wait_for_prop(kpropd, False)
++check_serial(realm, '9', slave)
++out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
++if 'Attributes:\n' not in out:
++    fail('Slave does not have modification from master')
+ 
 -# Reset the ulog on slave1 to force a full resync from master.  The
 -# resync will use the old dump file and then propagate changes.
 -# slave2 should still be in sync with slave1 after the resync, so make
@@ -3306,7 +3322,13 @@
 -kpropd2.send_signal(signal.SIGUSR1)
 -wait_for_prop(kpropd2, False, 8, 8)
 -check_ulog(2, 7, 8, [None, pr1], slave2)
--
++# Reset the ulog on the slave side to force a full resync to the slave.
++realm.run([kproplog, '-R'], slave)
++check_serial(realm, 'None', slave)
++kpropd.send_signal(signal.SIGUSR1)
++wait_for_prop(kpropd, True)
++check_serial(realm, '9', slave)
+ 
 -# Make another change and check that it propagates incrementally to
 -# both slaves.
 +# Make another change and check that it propagates incrementally.
@@ -3316,10 +3338,10 @@
 -wait_for_prop(kpropd1, False, 8, 9)
 -check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1)
 -out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
-+check_serial(realm, '9')
++check_serial(realm, '10')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
-+check_serial(realm, '9', slave)
++check_serial(realm, '10', slave)
 +out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
  if 'Attributes:\n' not in out:
 -    fail('slave1 does not have modification from master')
@@ -3327,23 +3349,7 @@
 -wait_for_prop(kpropd2, False, 8, 9)
 -check_ulog(3, 7, 9, [None, pr1, pr2], slave2)
 -out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
-+    fail('Slave does not have modification from master')
-+
-+# Reset the ulog on the slave side to force a full resync to the slave.
-+realm.run([kproplog, '-R'], slave)
-+check_serial(realm, 'None', slave)
-+kpropd.send_signal(signal.SIGUSR1)
-+wait_for_prop(kpropd, True)
-+check_serial(realm, '9', slave)
-+
-+# Make another change and check that it propagates incrementally.
-+realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
-+check_serial(realm, '10')
-+kpropd.send_signal(signal.SIGUSR1)
-+wait_for_prop(kpropd, False)
-+check_serial(realm, '10', slave)
-+out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
- if 'Attributes:\n' not in out:
+-if 'Attributes:\n' not in out:
 -    fail('slave2 does not have modification from slave1')
 +    fail('Slave has different state from master')
  
@@ -3354,18 +3360,18 @@
 -wait_for_prop(kpropd1, True, 9, 1)
 -check_ulog(1, 1, 1, [None], slave1)
 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
+-if 'Minimum number of password character classes: 2' not in out:
+-    fail('slave1 does not have policy from master')
+-kpropd2.send_signal(signal.SIGUSR1)
+-wait_for_prop(kpropd2, True, 9, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
  if 'Minimum number of password character classes: 2' not in out:
--    fail('slave1 does not have policy from master')
--kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 9, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
--if 'Minimum number of password character classes: 2' not in out:
 -    fail('slave2 does not have policy from slave1')
 +    fail('Slave does not have policy from master')
  
@@ -3376,18 +3382,18 @@
 -wait_for_prop(kpropd1, True, 1, 1)
 -check_ulog(1, 1, 1, [None], slave1)
 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum password length: 17' not in out:
--    fail('slave1 does not have policy change from master')
--kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
  if 'Minimum password length: 17' not in out:
+-    fail('slave1 does not have policy change from master')
+-kpropd2.send_signal(signal.SIGUSR1)
+-wait_for_prop(kpropd2, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
+-if 'Minimum password length: 17' not in out:
 -    fail('slave2 does not have policy change from slave1')
 +    fail('Slave does not have policy change from master')
  
@@ -3398,6 +3404,12 @@
 -wait_for_prop(kpropd1, True, 1, 1)
 -check_ulog(1, 1, 1, [None], slave1)
 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
+-if 'Policy does not exist' not in out:
+-    fail('slave1 did not get policy deletion from master')
+-kpropd2.send_signal(signal.SIGUSR1)
+-wait_for_prop(kpropd2, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
 +realm.run([kadminl, 'delpol', '-force', 'testpol'])
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
@@ -3405,12 +3417,6 @@
 +check_serial(realm, 'None', slave)
 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1)
  if 'Policy does not exist' not in out:
--    fail('slave1 did not get policy deletion from master')
--kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
--if 'Policy does not exist' not in out:
 -    fail('slave2 did not get policy deletion from slave1')
 -
 -# Modify a principal on the master and test that it propagates incrementally.
@@ -3428,7 +3434,8 @@
 -out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
 -if 'Maximum ticket life: 0 days 00:10:00' not in out:
 -    fail('slave2 does not have modification from slave1')
--
++    fail('Slave did not get policy deletion from master')
+ 
 -# Delete a principal and test that it propagates incrementally.
 -realm.run([kadminl, 'delprinc', pr3])
 -check_ulog(3, 1, 3, [None, pr1, pr3])
@@ -3444,8 +3451,7 @@
 -out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
 -if 'Principal does not exist' not in out:
 -    fail('slave2 does not have principal deletion from slave1')
-+    fail('Slave did not get policy deletion from master')
- 
+-
 -# Reset the ulog on the master to force a full resync.
 +# Reset the ulog on the master side to force a full resync to all slaves.
 +# XXX Note that we only have one slave in this test, so we can't really
@@ -3498,9 +3504,9 @@
  
  success('iprop tests')
 +
-diff -pur old/src/tests/t_kadmin_acl.py new/src/tests/t_kadmin_acl.py
---- old/src/tests/t_kadmin_acl.py
-+++ new/src/tests/t_kadmin_acl.py
+diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
+--- a/src/tests/t_kadmin_acl.py
++++ b/src/tests/t_kadmin_acl.py
 @@ -9,7 +9,7 @@ def make_client(name):
      ccache = os.path.join(realm.testdir,
                            'kadmin_ccache_' + name.replace('/', '_'))
@@ -3509,11 +3515,11 @@
 +                flags=['-S', 'kadmin/' + hostname, '-c', ccache])
      return ccache
  
- def kadmin_as(client, query):
-diff -pur old/src/util/gss-kernel-lib/Makefile.in new/src/util/gss-kernel-lib/Makefile.in
---- old/src/util/gss-kernel-lib/Makefile.in
-+++ new/src/util/gss-kernel-lib/Makefile.in
-@@ -7,7 +7,7 @@ ALL_CFLAGS=$(CPPFLAGS) $(CFLAGS) $(WARN_
+ def kadmin_as(client, query, **kwargs):
+diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
+--- a/src/util/gss-kernel-lib/Makefile.in
++++ b/src/util/gss-kernel-lib/Makefile.in
+@@ -7,7 +7,7 @@ ALL_CFLAGS=$(CPPFLAGS) $(CFLAGS) $(WARN_CFLAGS) $(DEFS) $(DEFINES) -I. -Igssapi
  SHLIB_EXPDEPS = \
  	$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
  	$(TOPLIBD)/libkrb5$(SHLIBEXT)
@@ -3522,10 +3528,10 @@
  
  SRCS= \
  	k5seal.c \
-diff -pur old/src/util/k5test.py new/src/util/k5test.py
---- old/src/util/k5test.py
-+++ new/src/util/k5test.py
-@@ -972,7 +972,7 @@ class K5Realm(object):
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -997,7 +997,7 @@ class K5Realm(object):
              princname = self.admin_princ
              pw = password('admin')
          return self.kinit(princname, pw,
@@ -3533,16 +3539,4 @@
 +                          flags=['-S', 'kadmin/' + hostname,
                                   '-c', self.kadmin_ccache] + flags)
  
-     def run_kadmin(self, query, **keywords):
-/usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py
---- old/src/tests/t_ccache.py     2016-04-08 09:50:18.104351949 -0700
-+++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700
-@@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password('
- realm.run([klist, '-s'])
- realm.kinit(realm.user_princ, password('user'), ['-l', '-1s'])
- realm.run([klist, '-s'], expected_code=1)
--realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
-+realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw'])
- realm.run([klist, '-s'])
- realm.run([kdestroy])
- realm.run([klist, '-s'], expected_code=1)
+     def run_kadmin(self, args, **keywords):
--- a/components/krb5/patches/029-kadmin_disable_anonymity.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -17,10 +17,10 @@
 # This patch is Solaris specific and not intented for upstream contribution.
 # Patch source: in-house
 #
-diff -pur old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c
---- old/src/kadmin/cli/kadmin.c	2015-02-11 19:16:43.000000000 -0800
-+++ new/src/kadmin/cli/kadmin.c	2015-03-05 07:53:41.131383214 -0800
-@@ -282,7 +282,7 @@ kadmin_startup(int argc, char *argv[])
+diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
+--- a/src/kadmin/cli/kadmin.c
++++ b/src/kadmin/cli/kadmin.c
+@@ -268,7 +268,7 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
      }
  
      while ((optchar = getopt(argc, argv,
@@ -29,10 +29,10 @@
          switch (optchar) {
          case 'x':
              db_args_size++;
-diff -pur old/src/man/kadmin.man new/src/man/kadmin.man
---- old/src/man/kadmin.man	2015-02-11 19:16:43.000000000 -0800
-+++ new/src/man/kadmin.man	2015-03-05 07:59:17.166151676 -0800
-@@ -37,7 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2
+diff --git a/src/man/kadmin.man b/src/man/kadmin.man
+--- a/src/man/kadmin.man
++++ b/src/man/kadmin.man
+@@ -37,7 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
  [\fB\-r\fP \fIrealm\fP]
  [\fB\-p\fP \fIprincipal\fP]
  [\fB\-q\fP \fIquery\fP]
@@ -40,8 +40,8 @@
 +[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]]
  [\fB\-w\fP \fIpassword\fP]
  [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
- .sp
-@@ -97,21 +97,6 @@ a password.  In this case, the default p
+ [command args...]
+@@ -99,21 +99,6 @@ a password.  In this case, the default principal will be
  Use \fIkeytab\fP to decrypt the KDC response.  This can only be used
  with the \fB\-k\fP option.
  .TP
@@ -63,9 +63,9 @@
  .B \fB\-c\fP \fIcredentials_cache\fP
  Use \fIcredentials_cache\fP as the credentials cache.  The
  cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
-diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py
---- new/src/tests/t_pkinit.py   2016-02-29 11:50:13.000000000 -0800
-+++ patched.1/src/tests/t_pkinit.py     2016-03-19 08:15:59.287791038 -0700
+diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
+--- a/src/tests/t_pkinit.py
++++ b/src/tests/t_pkinit.py
 @@ -73,15 +73,16 @@ if '97:' in out:
      fail('auth indicators seen in anonymous PKINIT ticket')
  
--- a/components/krb5/patches/030-force_dns_hostname_canon.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/030-force_dns_hostname_canon.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -8,9 +8,9 @@
 # This patch is not meant for upstream contribution.
 # Patch source: in-house
 #
-diff -pur old/src/lib/krb5/os/sn2princ.c new/src/lib/krb5/os/sn2princ.c
---- old/src/lib/krb5/os/sn2princ.c	2015-02-11 19:16:43.000000000 -0800
-+++ new/src/lib/krb5/os/sn2princ.c	2015-05-12 04:14:40.341673659 -0700
+diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
+--- a/src/lib/krb5/os/sn2princ.c
++++ b/src/lib/krb5/os/sn2princ.c
 @@ -39,6 +39,14 @@
  #define DEFAULT_RDNS_LOOKUP 1
  #endif
@@ -53,7 +53,7 @@
  /* Set *name_out to the canonicalized form of name, obeying relevant
   * configuration settings.  The caller must free the result. */
  static krb5_error_code
-@@ -63,11 +91,15 @@ canon_hostname(krb5_context context, krb
+@@ -63,11 +91,15 @@ canon_hostname(krb5_context context, krb5_int32 type, const char *host,
      char namebuf[NI_MAXHOST], *copy, *p;
      int err;
      const char *canonhost;
@@ -69,7 +69,7 @@
          /* Try a forward lookup of the hostname. */
          memset(&hint, 0, sizeof(hint));
          hint.ai_flags = AI_CANONNAME;
-@@ -86,6 +118,31 @@ canon_hostname(krb5_context context, krb
+@@ -86,6 +118,31 @@ canon_hostname(krb5_context context, krb5_int32 type, const char *host,
              if (!err)
                  canonhost = namebuf;
          }
@@ -101,7 +101,7 @@
      }
  
      copy = strdup(canonhost);
-@@ -110,9 +167,12 @@ canon_hostname(krb5_context context, krb
+@@ -110,9 +167,12 @@ canon_hostname(krb5_context context, krb5_int32 type, const char *host,
      *canonhost_out = copy;
  
  cleanup:
@@ -115,10 +115,10 @@
      return (*canonhost_out == NULL) ? ENOMEM : 0;
  }
  
-diff -pur old/src/util/k5test.py new/src/util/k5test.py
---- old/src/util/k5test.py	2015-04-28 08:02:39.179471813 -0700
-+++ new/src/util/k5test.py	2015-05-13 06:36:54.073414866 -0700
-@@ -353,6 +353,7 @@ import string
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -364,6 +364,7 @@ import string
  import subprocess
  import sys
  import imp
@@ -126,7 +126,7 @@
  
  # Used when most things go wrong (other than programming errors) so
  # that the user sees an error message rather than a Python traceback,
-@@ -460,7 +461,19 @@ def _find_srctop():
+@@ -485,7 +486,19 @@ def _find_srctop():
  # because it explicitly prefers results containing periods and
  # krb5_sname_to_principal doesn't care.
  def _get_hostname():
--- a/components/krb5/patches/031-kinit-support.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/031-kinit-support.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -11,8 +11,9 @@
 # We will maintain it as patch.
 # Patch source: in-house
 #
---- ORIGINAL/src/clients/kinit/kinit.c	2015-04-30 13:46:57.411641188 -0700
-+++ MODIFIED/src/clients/kinit/kinit.c	2015-05-12 11:22:49.905473473 -0700
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
 @@ -36,6 +36,7 @@
  #include <errno.h>
  #include <com_err.h>
--- a/components/krb5/patches/032-pam-krb5.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/032-pam-krb5.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -13,10 +13,10 @@
 # presented to MIT.
 # Patch source: in-house
 #
-diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- no-032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:25:17.265078167 -0600
-+++ 032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:27:42.301681052 -0600
-@@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
+diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
+--- a/src/lib/kadm5/clnt/client_init.c
++++ b/src/lib/kadm5/clnt/client_init.c
+@@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
  {
  	int code = 0;
  	generic_ret *r;
@@ -25,7 +25,7 @@
  	char *iprop_svc;
  	boolean_t iprop_enable = B_FALSE;
  	char mech[] = "kerberos_v5";
-@@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
+@@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
  	int port;
  	struct timeval timeout;
  
@@ -53,7 +53,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
-@@ -534,7 +532,6 @@ init_any(krb5_context context, char *cli
+@@ -534,7 +532,6 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
  
      int code = 0;
      generic_ret *r;
@@ -61,7 +61,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
-@@ -603,15 +600,19 @@ init_any(krb5_context context, char *cli
+@@ -603,15 +600,19 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
          goto error;
  
      /* NULL svcname means use host-based. */
@@ -142,7 +142,7 @@
       * Acquire a service ticket for svcname@realm for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
       * INIT_CREDS, use the ccache we were provided instead.
-@@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t han
+@@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
      }
      handle->lhandle->cache_name = handle->cache_name;
  
@@ -151,9 +151,9 @@
                      server_out);
      /* Improved error messages */
      if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
-diff -pur old/src/lib/krb5/krb/gic_pwd.c new/src/lib/krb5/krb/gic_pwd.c
---- old/src/lib/krb5/krb/gic_pwd.c	2015-04-30 01:12:10.560945822 -0600
-+++ new/src/lib/krb5/krb/gic_pwd.c	2015-04-30 14:55:26.993611965 -0600
+diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
+--- a/src/lib/krb5/krb/gic_pwd.c
++++ b/src/lib/krb5/krb/gic_pwd.c
 @@ -5,6 +5,17 @@
  #include "int-proto.h"
  #include "os-proto.h"
@@ -172,7 +172,7 @@
  krb5_error_code
  krb5_get_as_key_password(krb5_context context,
                           krb5_principal client,
-@@ -135,7 +146,7 @@ krb5_init_creds_set_password(krb5_contex
+@@ -135,7 +146,7 @@ krb5_init_creds_set_password(krb5_context context,
  
  /* Return the password expiry time indicated by enc_part2.  Set *is_last_req
   * if the information came from a last_req value. */
@@ -181,7 +181,7 @@
  get_expiry_times(krb5_enc_kdc_rep_part *enc_part2, krb5_timestamp *pw_exp,
                   krb5_timestamp *acct_exp, krb5_boolean *is_last_req)
  {
-@@ -288,6 +299,35 @@ krb5_get_init_creds_password(krb5_contex
+@@ -288,6 +299,35 @@ krb5_get_init_creds_password(krb5_context context,
                               const char *in_tkt_service,
                               krb5_get_init_creds_opt *options)
  {
@@ -232,10 +232,10 @@
      k5_clear_error(&errsave);
  
      return(ret);
-diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c
---- old/src/slave/kpropd.c	2015-04-30 01:12:10.629801044 -0600
-+++ new/src/slave/kpropd.c	2015-05-04 14:12:25.818752484 -0600
-@@ -640,6 +640,7 @@ do_iprop()
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -644,6 +644,7 @@ do_iprop()
      params.realm = def_realm;
  
      if (master_svc_princstr == NULL) {
@@ -243,7 +243,7 @@
          retval = kadm5_get_kiprop_host_srv_name(kpropd_context, def_realm,
                                                  &master_svc_princstr);
          if (retval) {
-@@ -649,6 +650,27 @@ do_iprop()
+@@ -653,6 +654,27 @@ do_iprop()
                      progname, def_realm);
              return retval;
          }
--- a/components/krb5/patches/033-pkinit-pin.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/033-pkinit-pin.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -9,9 +9,44 @@
 # directly or through a utility library.
 # Patch source: in-house
 #
-diff -pur old/src/plugins/preauth/pkinit/pkinit_clnt.c new/src/plugins/preauth/pkinit/pkinit_clnt.c
---- old/src/plugins/preauth/pkinit/pkinit_clnt.c	2015-05-08 12:37:14.618553502 -0600
-+++ new/src/plugins/preauth/pkinit/pkinit_clnt.c	2015-05-08 23:54:28.000000000 -0600
+diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
+--- a/src/plugins/preauth/pkinit/pkinit.h
++++ b/src/plugins/preauth/pkinit/pkinit.h
+@@ -27,10 +27,14 @@
+  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+  * SUCH DAMAGES.
+  */
++/*
++ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
++ */
+ 
+ #ifndef _PKINIT_H
+ #define _PKINIT_H
+ 
++#include <k5-int.h>
+ #include <k5-platform.h>
+ #include <krb5/krb5.h>
+ #include <krb5/preauth_plugin.h>
+@@ -42,7 +46,7 @@
+ #ifndef WITHOUT_PKCS11
+ #include "pkcs11.h"
+ 
+-#define PKCS11_MODNAME "opensc-pkcs11.so"
++#define PKCS11_MODNAME "libpkcs11.so"
+ #define PK_SIGLEN_GUESS 1000
+ #define PK_NOSLOT 999999
+ #endif
+@@ -183,6 +187,7 @@ typedef struct _pkinit_identity_opts {
+     char *token_label;
+     char *cert_id_string;
+     char *cert_label;
++    char *PIN;
+ #endif
+ } pkinit_identity_opts;
+ 
+diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
+--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
 @@ -29,6 +29,10 @@
   * SUCH DAMAGES.
   */
@@ -23,7 +58,7 @@
  #include "k5-int.h"
  #include "pkinit.h"
  #include "k5-json.h"
-@@ -1571,6 +1575,10 @@ handle_gic_opt(krb5_context context,
+@@ -1573,6 +1577,10 @@ handle_gic_opt(krb5_context context,
              pkiDebug("Setting flag to use RSA_PROTOCOL\n");
              plgctx->opts->dh_or_rsa = RSA_PROTOCOL;
          }
@@ -34,13 +69,13 @@
      }
      return 0;
  }
-diff -pur old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
---- old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2015-05-08 12:37:14.617065120 -0600
-+++ new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2015-05-19 17:53:18.025396256 -0600
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 @@ -29,6 +29,10 @@
   * SUCH DAMAGES.
   */
-
+ 
 +/*
 + * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
 + */
@@ -48,7 +83,7 @@
  #include "pkinit_crypto_openssl.h"
  #include "k5-buf.h"
  #include <dlfcn.h>
-@@ -851,6 +855,7 @@ pkinit_init_pkcs11(pkinit_identity_crypt
+@@ -916,6 +920,7 @@ pkinit_init_pkcs11(pkinit_identity_crypto_context ctx)
      ctx->slotid = PK_NOSLOT;
      ctx->token_label = NULL;
      ctx->cert_label = NULL;
@@ -56,7 +91,7 @@
      ctx->session = CK_INVALID_HANDLE;
      ctx->p11 = NULL;
  #endif
-@@ -883,6 +888,7 @@ pkinit_fini_pkcs11(pkinit_identity_crypt
+@@ -948,6 +953,7 @@ pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx)
      free(ctx->token_label);
      free(ctx->cert_id);
      free(ctx->cert_label);
@@ -64,7 +99,7 @@
  #endif
  }
  
-@@ -3523,7 +3532,36 @@ pkinit_C_UnloadModule(void *handle)
+@@ -3548,7 +3554,36 @@ pkinit_C_UnloadModule(void *handle)
      dlclose(handle);
      return CKR_OK;
  }
@@ -76,7 +111,7 @@
 +trim_token_label(CK_TOKEN_INFO *tinfo, char *labelstr, unsigned int labelstr_len)
 +{
 +    int i;
-+
+ 
 +    assert(labelstr_len > sizeof (tinfo->label));
 +    /*
 +     * \0 terminate labelstr in case the last char in the token label is
@@ -93,7 +128,7 @@
 +           break;
 +    }
 +}
- 
++
 +/*
 + * This function was changed to support a PIN being passed in.  If that is the
 + * case the user will not be prompted for their PIN.
@@ -101,7 +136,7 @@
  static krb5_error_code
  pkinit_login(krb5_context context,
               pkinit_identity_crypto_context id_cryptoctx,
-@@ -3539,6 +3577,15 @@ pkinit_login(krb5_context context,
+@@ -3564,6 +3599,15 @@ pkinit_login(krb5_context context,
      if (tip->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
          rdat.data = NULL;
          rdat.length = 0;
@@ -117,7 +152,7 @@
      } else if (password != NULL) {
          rdat.data = strdup(password);
          rdat.length = strlen(password);
-@@ -3546,6 +3593,16 @@ pkinit_login(krb5_context context,
+@@ -3571,6 +3615,16 @@ pkinit_login(krb5_context context,
          r = KRB5_LIBOS_CANTREADPWD;
          rdat.data = NULL;
      } else {
@@ -134,7 +169,7 @@
          if (tip->flags & CKF_USER_PIN_LOCKED)
              warning = " (Warning: PIN locked)";
          else if (tip->flags & CKF_USER_PIN_FINAL_TRY)
-@@ -3554,11 +3611,14 @@ pkinit_login(krb5_context context,
+@@ -3579,11 +3633,14 @@ pkinit_login(krb5_context context,
              warning = " (Warning: PIN count low)";
          else
              warning = "";
@@ -151,7 +186,7 @@
  
          kprompt.prompt = prompt;
          kprompt.hidden = 1;
-@@ -3569,7 +3629,7 @@ pkinit_login(krb5_context context,
+@@ -3594,7 +3651,7 @@ pkinit_login(krb5_context context,
          k5int_set_prompt_types(context, &prompt_type);
          r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
                                        NULL, NULL, 1, &kprompt);
@@ -160,7 +195,7 @@
          free(prompt);
      }
  
-@@ -3582,7 +3642,7 @@ pkinit_login(krb5_context context,
+@@ -3607,7 +3664,7 @@ pkinit_login(krb5_context context,
              r = KRB5KDC_ERR_PREAUTH_FAILED;
          }
      }
@@ -169,7 +204,7 @@
  
      return r;
  }
-@@ -3779,6 +3842,81 @@ pkinit_find_private_key(pkinit_identity_
+@@ -3804,6 +3861,81 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx,
      r = id_cryptoctx->p11->C_FindObjects(id_cryptoctx->session, objp, 1, &count);
      id_cryptoctx->p11->C_FindObjectsFinal(id_cryptoctx->session);
      pkiDebug("found %d private keys (%s)\n", (int) count, pkinit_pkcs11_code_to_text(r));
@@ -251,7 +286,7 @@
      if (r != CKR_OK || count < 1)
          return KRB5KDC_ERR_PREAUTH_FAILED;
      return 0;
-@@ -4174,7 +4312,10 @@ pkinit_get_certs_pkcs12(krb5_context con
+@@ -4199,7 +4331,10 @@ pkinit_get_certs_pkcs12(krb5_context context,
          } else if (id_cryptoctx->prompter == NULL) {
              /* We can't use a prompter. */
              goto cleanup;
@@ -263,7 +298,7 @@
              /* Ask using a prompter. */
              memset(prompt_reply, '\0', sizeof(prompt_reply));
              rdat.data = prompt_reply;
-@@ -4193,7 +4334,7 @@ pkinit_get_certs_pkcs12(krb5_context con
+@@ -4218,7 +4353,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
              k5int_set_prompt_types(context, &prompt_type);
              r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data,
                                            NULL, NULL, 1, &kprompt);
@@ -272,7 +307,7 @@
              if (r) {
                  pkiDebug("Failed to prompt for PKCS12 password");
                  goto cleanup;
-@@ -4501,6 +4642,11 @@ pkinit_get_certs_pkcs11(krb5_context con
+@@ -4527,6 +4662,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
          if (id_cryptoctx->cert_label == NULL)
              return ENOMEM;
      }
@@ -284,9 +319,9 @@
      /* Convert the ascii cert_id string into a binary blob */
      if (idopts->cert_id_string != NULL) {
          BIGNUM *bn = NULL;
-diff -pur old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
---- old/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h	2015-05-08 12:37:14.618921565 -0600
-+++ new/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h	2015-05-08 23:22:37.000000000 -0600
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
 @@ -28,6 +28,10 @@
   * SUCH DAMAGES.
   */
@@ -306,9 +341,9 @@
      /* These are crypto-specific */
      void *p11_module;
      CK_SESSION_HANDLE session;
-diff -pur old/src/plugins/preauth/pkinit/pkinit_identity.c new/src/plugins/preauth/pkinit/pkinit_identity.c
---- old/src/plugins/preauth/pkinit/pkinit_identity.c	2015-05-08 12:37:14.615376527 -0600
-+++ new/src/plugins/preauth/pkinit/pkinit_identity.c	2015-05-08 23:26:14.000000000 -0600
+diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
+--- a/src/plugins/preauth/pkinit/pkinit_identity.c
++++ b/src/plugins/preauth/pkinit/pkinit_identity.c
 @@ -29,6 +29,10 @@
   * SUCH DAMAGES.
   */
@@ -320,7 +355,7 @@
  #include <errno.h>
  #include <string.h>
  #include <stdio.h>
-@@ -135,6 +139,7 @@ pkinit_init_identity_opts(pkinit_identit
+@@ -135,6 +139,7 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
      opts->token_label = NULL;
      opts->cert_id_string = NULL;
      opts->cert_label = NULL;
@@ -328,7 +363,7 @@
  #endif
  
      *idopts = opts;
-@@ -218,9 +223,13 @@ pkinit_dup_identity_opts(pkinit_identity
+@@ -218,9 +223,13 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
          if (newopts->cert_label == NULL)
              goto cleanup;
      }
@@ -343,7 +378,7 @@
      *dest_opts = newopts;
      return 0;
  cleanup:
-@@ -248,6 +257,7 @@ pkinit_fini_identity_opts(pkinit_identit
+@@ -248,6 +257,7 @@ pkinit_fini_identity_opts(pkinit_identity_opts *idopts)
      free(idopts->token_label);
      free(idopts->cert_id_string);
      free(idopts->cert_label);
@@ -351,38 +386,3 @@
  #endif
      free(idopts);
  }
-diff -pur old/src/plugins/preauth/pkinit/pkinit.h new/src/plugins/preauth/pkinit/pkinit.h
---- old/src/plugins/preauth/pkinit/pkinit.h	2015-05-08 12:37:14.616200703 -0600
-+++ new/src/plugins/preauth/pkinit/pkinit.h	2015-05-12 23:52:10.000000000 -0600
-@@ -28,10 +28,14 @@
-  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
-  * SUCH DAMAGES.
-  */
-+/*
-+ * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
-+ */
-
- #ifndef _PKINIT_H
- #define _PKINIT_H
- 
-+#include <k5-int.h>
- #include <k5-platform.h>
- #include <krb5/krb5.h>
- #include <krb5/preauth_plugin.h>
-@@ -42,7 +46,7 @@
- #ifndef WITHOUT_PKCS11
- #include "pkcs11.h"
- 
--#define PKCS11_MODNAME "opensc-pkcs11.so"
-+#define PKCS11_MODNAME "libpkcs11.so"
- #define PK_SIGLEN_GUESS 1000
- #define PK_NOSLOT 999999
- #endif
-@@ -182,6 +186,7 @@ typedef struct _pkinit_identity_opts {
-     char *token_label;
-     char *cert_id_string;
-     char *cert_label;
-+    char *PIN;
- #endif
- } pkinit_identity_opts;
- 
--- a/components/krb5/patches/034-migrate.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/034-migrate.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # functionality as this is specific to a 3rd party migration design.
 # Patch source: in-house
 #
-diff -pur old/src/kadmin/server/Makefile.in new/src/kadmin/server/Makefile.in
---- old/src/kadmin/server/Makefile.in	2015-04-30 01:12:10.540747993 -0600
-+++ new/src/kadmin/server/Makefile.in	2015-05-20 21:20:31.285698636 -0600
-@@ -13,7 +13,7 @@ SRCS = kadm_rpc_svc.c server_stubs.c ovs
+diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in
+--- a/src/kadmin/server/Makefile.in
++++ b/src/kadmin/server/Makefile.in
+@@ -13,7 +13,7 @@ SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c
  all:: $(PROG)
  
  $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(VERTO_DEPLIB)
@@ -19,9 +19,9 @@
  
  install::
  	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG)
-diff -pur old/src/kadmin/server/server_stubs.c new/src/kadmin/server/server_stubs.c
---- old/src/kadmin/server/server_stubs.c	2015-04-30 01:12:10.540973547 -0600
-+++ new/src/kadmin/server/server_stubs.c	2015-05-20 21:16:21.635418741 -0600
+diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
+--- a/src/kadmin/server/server_stubs.c
++++ b/src/kadmin/server/server_stubs.c
 @@ -16,6 +16,7 @@
  #include <syslog.h>
  #include <adm_proto.h>  /* krb5_klog_syslog */
@@ -111,7 +111,7 @@
  generic_ret *
  create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
  {
-@@ -363,6 +438,8 @@ create_principal_2_svc(cprinc_arg *arg,
+@@ -364,6 +439,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
      restriction_t               *rp;
      const char                  *errmsg = NULL;
      gss_name_t                  name = NULL;
@@ -120,7 +120,7 @@
  
      xdr_free(xdr_generic_ret, (char *) &ret);
  
-@@ -387,9 +464,17 @@ create_principal_2_svc(cprinc_arg *arg,
+@@ -388,9 +465,17 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
          ret.code = KADM5_FAILURE;
          goto exit_func;
      }
@@ -140,7 +140,7 @@
          || kadm5int_acl_impose_restrictions(handle->context,
                                              &arg->rec, &arg->mask, rp)) {
          ret.code = KADM5_AUTH_ADD;
-@@ -408,6 +493,25 @@ create_principal_2_svc(cprinc_arg *arg,
+@@ -409,6 +494,25 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
  
          if (errmsg != NULL)
              krb5_free_error_message(handle->context, errmsg);
@@ -165,8 +165,8 @@
 +	}
      }
      free(prime_arg);
-     gss_release_buffer(&minor_stat, &client_name);
-@@ -431,6 +535,8 @@ create_principal3_2_svc(cprinc3_arg *arg
+ 
+@@ -433,6 +537,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
      restriction_t               *rp;
      const char                  *errmsg = NULL;
      gss_name_t                  name = NULL;
@@ -175,7 +175,7 @@
  
      xdr_free(xdr_generic_ret, (char *) &ret);
  
-@@ -455,9 +561,17 @@ create_principal3_2_svc(cprinc3_arg *arg
+@@ -457,9 +563,17 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
          ret.code = KADM5_FAILURE;
          goto exit_func;
      }
@@ -195,7 +195,7 @@
          || kadm5int_acl_impose_restrictions(handle->context,
                                              &arg->rec, &arg->mask, rp)) {
          ret.code = KADM5_AUTH_ADD;
-@@ -477,6 +591,24 @@ create_principal3_2_svc(cprinc3_arg *arg
+@@ -479,6 +593,24 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
  
          if (errmsg != NULL)
              krb5_free_error_message(handle->context, errmsg);
@@ -219,10 +219,10 @@
 +	 }
      }
      free(prime_arg);
-     gss_release_buffer(&minor_stat, &client_name);
-diff -pur old/src/lib/kadm5/srv/server_acl.c new/src/lib/kadm5/srv/server_acl.c
---- old/src/lib/kadm5/srv/server_acl.c	2015-04-30 01:12:10.576699515 -0600
-+++ new/src/lib/kadm5/srv/server_acl.c	2015-05-20 21:00:21.476861745 -0600
+ 
+diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
+--- a/src/lib/kadm5/srv/server_acl.c
++++ b/src/lib/kadm5/srv/server_acl.c
 @@ -24,6 +24,10 @@
   * or implied warranty.
   */
@@ -242,9 +242,9 @@
      { 'x',      ACL_ALL_MASK },
      { '*',      ACL_ALL_MASK },
      { '\0',     0 }
-diff -pur old/src/lib/kadm5/srv/server_acl.h new/src/lib/kadm5/srv/server_acl.h
---- old/src/lib/kadm5/srv/server_acl.h	2015-04-30 01:12:10.575948391 -0600
-+++ new/src/lib/kadm5/srv/server_acl.h	2015-05-20 21:00:26.742448675 -0600
+diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
+--- a/src/lib/kadm5/srv/server_acl.h
++++ b/src/lib/kadm5/srv/server_acl.h
 @@ -24,6 +24,10 @@
   * or implied warranty.
   */
--- a/components/krb5/patches/035-multi-master.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/035-multi-master.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -8,10 +8,10 @@
 # should look at modifying/deleting this patch.
 # Patch source: in-house
 #
-diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c
---- old/src/kadmin/cli/kadmin.c	2016-03-31 16:44:43.282366236 -0700
-+++ patched/src/kadmin/cli/kadmin.c	2016-03-31 19:24:20.929551275 -0700
-@@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], c
+diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
+--- a/src/kadmin/cli/kadmin.c
++++ b/src/kadmin/cli/kadmin.c
+@@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
      char **db_args = NULL;
      int db_args_size = 0;
      char *db_name = NULL;
@@ -20,7 +20,7 @@
  
      memset(&params, 0, sizeof(params));
  
-@@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], c
+@@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
      params.mask |= KADM5_CONFIG_REALM;
      params.realm = def_realm;
  
@@ -32,7 +32,7 @@
      /*
       * Set cc to an open credentials cache, either specified by the -c
       * argument or the default.
-@@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], c
+@@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
      if (ccache_name) {
          info(_("Authenticating as principal %s with existing "
                 "credentials.\n"), princstr);
@@ -49,7 +49,7 @@
                                        KADM5_STRUCT_VERSION,
                                        KADM5_API_VERSION_4, db_args, &handle);
      } else if (use_keytab) {
-@@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], c
+@@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], char **request_out, char ***args_out)
              info(_("Authenticating as principal %s with default keytab.\n"),
                   princstr);
          }
@@ -72,10 +72,10 @@
      if (retval) {
          com_err(whoami, retval, _("while initializing %s interface"), whoami);
          if (retval == KADM5_BAD_CLIENT_PARAMS ||
-diff -u -r old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h
---- old/src/lib/kadm5/admin.h	2015-05-28 15:10:45.095122403 -0500
-+++ new/src/lib/kadm5/admin.h	2015-05-28 15:34:35.800877732 -0500
-@@ -345,6 +345,51 @@
+diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
+--- a/src/lib/kadm5/admin.h
++++ b/src/lib/kadm5/admin.h
+@@ -345,6 +345,51 @@ kadm5_ret_t    kadm5_init_with_creds(krb5_context context,
                                       krb5_ui_4 api_version,
                                       char **db_args,
                                       void **server_handle);
@@ -127,10 +127,10 @@
  kadm5_ret_t    kadm5_lock(void *server_handle);
  kadm5_ret_t    kadm5_unlock(void *server_handle);
  kadm5_ret_t    kadm5_flush(void *server_handle);
-/usr/gnu/bin/diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- unpatched/src/lib/kadm5/clnt/client_init.c	2016-03-28 00:19:36.988270188 -0600
-+++ patched/src/lib/kadm5/clnt/client_init.c	2016-03-28 13:12:43.769371355 -0600
-@@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, I
+diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
+--- a/src/lib/kadm5/clnt/client_init.c
++++ b/src/lib/kadm5/clnt/client_init.c
+@@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
  
  static kadm5_ret_t
  init_any(krb5_context context, char *client_name, enum init_type init_type,
@@ -139,7 +139,7 @@
           kadm5_config_params *params, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle);
  
-@@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context conte
+@@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context context, char *client_name,
                        krb5_ui_4 api_version, char **db_args,
                        void **server_handle)
  {
@@ -148,7 +148,8 @@
 +    svcnames[0] = service_name;
 +    svcnames[1] = NULL;
 +
-+    return init_any(context, client_name, INIT_CREDS, NULL, ccache,
+     return init_any(context, client_name, INIT_CREDS, NULL, ccache,
+-                    service_name, params, struct_version, api_version, db_args,
 +                    svcnames, params, struct_version, api_version, db_args,
 +                    server_handle);
 +}
@@ -160,13 +161,12 @@
 +                      krb5_ui_4 api_version, char **db_args,
 +                      void **server_handle)
 +{
-     return init_any(context, client_name, INIT_CREDS, NULL, ccache,
--                    service_name, params, struct_version, api_version, db_args,
++    return init_any(context, client_name, INIT_CREDS, NULL, ccache,
 +                    svcnames, params, struct_version, api_version, db_args,
                      server_handle);
  }
  
-@@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context co
+@@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context context, char *client_name,
                           krb5_ui_4 api_version, char **db_args,
                           void **server_handle)
  {
@@ -192,7 +192,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
-@@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context contex
+@@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context context, char *client_name,
                       krb5_ui_4 struct_version, krb5_ui_4 api_version,
                       char **db_args, void **server_handle)
  {
@@ -218,7 +218,7 @@
                      db_args, server_handle);
  }
  
-@@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *c
+@@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *client_name, char *pass,
             krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args,
             void **server_handle)
  {
@@ -243,7 +243,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
-@@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context contex
+@@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context context, char *client_name,
                       krb5_ui_4 api_version, char **db_args,
                       void **server_handle)
  {
@@ -252,8 +252,7 @@
 +    svcnames[0] = service_name;
 +    svcnames[1] = NULL;
 +
-     return init_any(context, client_name, INIT_SKEY, keytab, NULL,
--                    service_name, params, struct_version, api_version, db_args,
++    return init_any(context, client_name, INIT_SKEY, keytab, NULL,
 +                    svcnames, params, struct_version, api_version, db_args,
 +                    server_handle);
 +}
@@ -265,12 +264,13 @@
 +                     krb5_ui_4 api_version, char **db_args,
 +                     void **server_handle)
 +{
-+    return init_any(context, client_name, INIT_SKEY, keytab, NULL,
+     return init_any(context, client_name, INIT_SKEY, keytab, NULL,
+-                    service_name, params, struct_version, api_version, db_args,
 +                    svcnames, params, struct_version, api_version, db_args,
                      server_handle);
  }
  
-@@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
+@@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
  	}
  
  	/*
@@ -316,7 +316,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
-@@ -532,6 +641,10 @@ init_any(krb5_context context, char *cli
+@@ -532,6 +641,10 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
  
      int code = 0;
      generic_ret *r;
@@ -327,7 +327,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
-@@ -599,34 +712,56 @@ init_any(krb5_context context, char *cli
+@@ -599,34 +712,56 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
      if (code)
          goto error;
  
@@ -355,17 +355,7 @@
 +    } else {
 +        svcname_ptr = svcnames_in;
 +    }
- 
--	code = kadm5_get_adm_host_srv_names(context, handle->params.realm,
--	    &kadmin_srv_names);
--        if (code)
--            goto error;
--	svcname = strdup(kadmin_srv_names[0]);
--	free_srv_names(kadmin_srv_names);
--	if (svcname == NULL) {
--	    code = ENOMEM;
--            goto error;
--	}
++
 +    for (i = 0; svcname_ptr[i]; i++) {
 +        /* Get credentials. */
 +        code = get_init_creds(handle, client, init_type, pass, ccache_in,
@@ -379,7 +369,17 @@
 +            } else
 +                goto error;
 +        }
-+
+ 
+-	code = kadm5_get_adm_host_srv_names(context, handle->params.realm,
+-	    &kadmin_srv_names);
+-        if (code)
+-            goto error;
+-	svcname = strdup(kadmin_srv_names[0]);
+-	free_srv_names(kadmin_srv_names);
+-	if (svcname == NULL) {
+-	    code = ENOMEM;
+-            goto error;
+-	}
 +        code = _kadm5_initialize_rpcsec_gss_handle(handle, client_name,
 +                                                   svcname_ptr[i]);
 +        if (code) {
@@ -415,7 +415,7 @@
  
      return code;
  }
-@@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t han
+@@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
  {
      kadm5_ret_t code;
      krb5_ccache ccache = NULL;
@@ -493,7 +493,7 @@
  
      /*
       * Acquire a service ticket for svcname@realm for client, using password
-@@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t han
+@@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
      }
      handle->lhandle->cache_name = handle->cache_name;
  
@@ -502,10 +502,10 @@
                      server_out);
      /* Improved error messages */
      if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
-diff -u -r old/src/lib/kadm5/clnt/libkadm5clnt_mit.exports new/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
---- old/src/lib/kadm5/clnt/libkadm5clnt_mit.exports	2015-02-11 21:16:43.000000000 -0600
-+++ new/src/lib/kadm5/clnt/libkadm5clnt_mit.exports	2015-05-28 15:34:35.828495806 -0500
-@@ -31,6 +31,11 @@
+diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
+--- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
++++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
+@@ -31,6 +31,11 @@ kadm5_init_krb5_context
  kadm5_init_with_creds
  kadm5_init_with_password
  kadm5_init_with_skey
@@ -517,10 +517,10 @@
  kadm5_lock
  kadm5_modify_policy
  kadm5_modify_principal
-diff -u -r old/src/lib/kadm5/srv/server_init.c new/src/lib/kadm5/srv/server_init.c
---- old/src/lib/kadm5/srv/server_init.c	2015-05-28 15:10:45.100182433 -0500
-+++ new/src/lib/kadm5/srv/server_init.c	2015-05-29 12:40:47.354397224 -0500
-@@ -97,6 +97,29 @@
+diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
+--- a/src/lib/kadm5/srv/server_init.c
++++ b/src/lib/kadm5/srv/server_init.c
+@@ -97,6 +97,29 @@ kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name,
                        server_handle);
  }
  
@@ -550,7 +550,7 @@
  kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name,
                                   char *service_name,
                                   kadm5_config_params *params,
-@@ -110,6 +133,20 @@
+@@ -110,6 +133,20 @@ kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name,
                        server_handle);
  }
  
@@ -571,7 +571,7 @@
  kadm5_ret_t kadm5_init_with_creds(krb5_context context,
                                    char *client_name,
                                    krb5_ccache ccache,
-@@ -133,6 +170,22 @@
+@@ -133,6 +170,22 @@ kadm5_ret_t kadm5_init_with_creds(krb5_context context,
                        server_handle);
  }
  
@@ -594,7 +594,7 @@
  
  kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name,
                                   char *keytab, char *service_name,
-@@ -155,6 +208,20 @@
+@@ -155,6 +208,20 @@ kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name,
                        server_handle);
  }
  
@@ -615,10 +615,10 @@
  kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
                         char *service_name,
                         kadm5_config_params *params_in,
-diff -u -r old/src/slave/kpropd.c new/src/slave/kpropd.c
---- old/src/slave/kpropd.c	2015-05-28 15:10:45.194095824 -0500
-+++ new/src/slave/kpropd.c	2015-05-29 12:17:56.397347156 -0500
-@@ -609,7 +609,7 @@
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -613,7 +613,7 @@ do_iprop()
      kadm5_ret_t retval;
      krb5_principal iprop_svc_principal;
      void *server_handle = NULL;
@@ -627,7 +627,7 @@
      unsigned int pollin, backoff_time;
      int backoff_cnt = 0, reinit_cnt = 0;
      struct timeval iprop_start, iprop_end;
-@@ -639,22 +639,9 @@
+@@ -643,22 +643,9 @@ do_iprop()
      params.mask |= KADM5_CONFIG_REALM;
      params.realm = def_realm;
  
@@ -652,7 +652,7 @@
          if (retval) {
              com_err(progname, retval,
                      _("%s: unable to get kiprop host based "
-@@ -662,15 +649,6 @@
+@@ -666,15 +653,6 @@ do_iprop()
                      progname, def_realm);
              return retval;
  	}
@@ -668,7 +668,7 @@
      }
  
      retval = krb5_sname_to_principal(kpropd_context, NULL, KIPROP_SVC_NAME,
-@@ -714,9 +692,9 @@
+@@ -718,9 +696,9 @@ reinit:
          fprintf(stderr, _("Initializing kadm5 as client %s\n"),
                  iprop_svc_princstr);
      }
@@ -680,7 +680,7 @@
                                    &params,
                                    KADM5_STRUCT_VERSION,
                                    KADM5_API_VERSION_4,
-@@ -1014,7 +992,7 @@
+@@ -1018,7 +996,7 @@ error:
      syslog(LOG_ERR, _("ERROR returned by master KDC, bailing.\n"));
  done:
      free(iprop_svc_princstr);
--- a/components/krb5/patches/036-verify-nofail.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/036-verify-nofail.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,9 @@
 # position on validating a KDC during initial authentication.
 # Patch source: in-house
 #
-diff -pur old/src/lib/krb5/krb/t_vfy_increds.c new/src/lib/krb5/krb/t_vfy_increds.c
---- old/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 14:42:17.094623052 -0600
-+++ new/src/lib/krb5/krb/t_vfy_increds.c	2015-05-28 15:53:08.651207899 -0600
+diff --git a/src/lib/krb5/krb/t_vfy_increds.c b/src/lib/krb5/krb/t_vfy_increds.c
+--- a/src/lib/krb5/krb/t_vfy_increds.c
++++ b/src/lib/krb5/krb/t_vfy_increds.c
 @@ -59,6 +59,9 @@ main(int argc, char **argv)
      if (*argv != NULL && strcmp(*argv, "-n") == 0) {
          argv++;
@@ -20,9 +20,9 @@
      }
      if (*argv != NULL)
          check(krb5_parse_name(context, *argv, &princ));
-diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py
---- old/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 16:44:48.483714940 -0700
-+++ patched/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 19:34:30.816360770 -0700
+diff --git a/src/lib/krb5/krb/t_vfy_increds.py b/src/lib/krb5/krb/t_vfy_increds.py
+--- a/src/lib/krb5/krb/t_vfy_increds.py
++++ b/src/lib/krb5/krb/t_vfy_increds.py
 @@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds'])
  realm.run(['./t_vfy_increds', '-n'])
  
@@ -62,7 +62,7 @@
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
  realm.run(['./t_vfy_increds', realm.nfs_princ])
  realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])
-@@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real
+@@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])
  # results with the default principal argument, but verification should
  # now fail if we request it specifically.
  realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ])
@@ -71,9 +71,9 @@
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
  realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
  realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1)
-diff -pur old/src/lib/krb5/krb/vfy_increds.c new/src/lib/krb5/krb/vfy_increds.c
---- old/src/lib/krb5/krb/vfy_increds.c	2015-05-28 14:42:17.092454308 -0600
-+++ new/src/lib/krb5/krb/vfy_increds.c	2015-05-28 15:45:14.121515053 -0600
+diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
+--- a/src/lib/krb5/krb/vfy_increds.c
++++ b/src/lib/krb5/krb/vfy_increds.c
 @@ -33,8 +33,8 @@
  #include "k5-int.h"
  #include "int-proto.h"
@@ -85,7 +85,7 @@
  static krb5_boolean
  nofail(krb5_context context, krb5_verify_init_creds_opt *options,
         krb5_creds *creds)
-@@ -48,7 +48,7 @@ nofail(krb5_context context, krb5_verify
+@@ -48,7 +48,7 @@ nofail(krb5_context context, krb5_verify_init_creds_opt *options,
                                     KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
                                     &val) == 0)
          return (val != 0);
--- a/components/krb5/patches/037-root-defcred.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/037-root-defcred.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,20 +6,19 @@
 # This is Solaris specific behavior that MIT will not take upstream.
 # Patch source: in-house
 #
-diff -u -r old/src/include/k5-int.h new/src/include/k5-int.h
---- old/src/include/k5-int.h	2015-06-03 18:20:34.239623602 -0500
-+++ new/src/include/k5-int.h	2015-06-04 12:29:26.540947840 -0500
-@@ -2294,4 +2294,6 @@
- /* Define a shorter internal name for krb5_set_error_message. */
- #define k5_setmsg krb5_set_error_message
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -2353,4 +2353,6 @@ void k5_change_error_message_code(krb5_context ctx, krb5_error_code oldcode,
+ #define k5_prependmsg krb5_prepend_error_message
+ #define k5_wrapmsg krb5_wrap_error_message
  
 +uid_t krb5_getuid();
 +
  #endif /* _KRB5_INT_H */
-Only in new/src/lib/gssapi/krb5: .init_sec_context.c.swp
-diff -u -r old/src/lib/gssapi/krb5/init_sec_context.c new/src/lib/gssapi/krb5/init_sec_context.c
---- old/src/lib/gssapi/krb5/init_sec_context.c	2015-05-08 18:27:02.000000000 -0500
-+++ new/src/lib/gssapi/krb5/init_sec_context.c	2015-06-08 12:44:54.041616737 -0500
+diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
+--- a/src/lib/gssapi/krb5/init_sec_context.c
++++ b/src/lib/gssapi/krb5/init_sec_context.c
 @@ -104,6 +104,11 @@
  #endif
  #include <stdlib.h>
@@ -32,7 +31,7 @@
  
  /*
   * $Id$
-@@ -960,8 +965,11 @@
+@@ -962,8 +967,11 @@ krb5_gss_init_sec_context_ext(
          /* verify the credential, or use the default */
          /*SUPPRESS 29*/
          if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
@@ -45,7 +44,7 @@
                  if (*context_handle == GSS_C_NO_CONTEXT)
                      krb5_free_context(context);
                  return(major_status);
-@@ -1097,3 +1105,441 @@
+@@ -1099,3 +1107,441 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
                                           time_rec,
                                           &exts);
  }
@@ -487,10 +486,10 @@
 +    /* Otherwise we got non expired creds */
 +    return (GSS_S_COMPLETE);
 +}
-diff -u -r old/src/lib/krb5/keytab/Makefile.in new/src/lib/krb5/keytab/Makefile.in
---- old/src/lib/krb5/keytab/Makefile.in	2015-06-03 18:20:34.099323499 -0500
-+++ new/src/lib/krb5/keytab/Makefile.in	2015-06-04 11:49:24.702959055 -0500
-@@ -13,6 +13,7 @@
+diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
+--- a/src/lib/krb5/keytab/Makefile.in
++++ b/src/lib/krb5/keytab/Makefile.in
+@@ -13,6 +13,7 @@ STLIBOBJS= \
  	ktremove.o	\
  	ktfns.o		\
  	kt_file.o	\
@@ -498,7 +497,7 @@
  	kt_memory.o	\
  	kt_srvtab.o	\
  	read_servi.o	\
-@@ -26,6 +27,7 @@
+@@ -26,6 +27,7 @@ OBJS=	\
  	$(OUTPRE)ktremove.$(OBJEXT)	\
  	$(OUTPRE)ktfns.$(OBJEXT)	\
  	$(OUTPRE)kt_file.$(OBJEXT)	\
@@ -506,7 +505,7 @@
  	$(OUTPRE)kt_memory.$(OBJEXT)	\
  	$(OUTPRE)kt_srvtab.$(OBJEXT)	\
  	$(OUTPRE)read_servi.$(OBJEXT)	\
-@@ -39,6 +41,7 @@
+@@ -39,6 +41,7 @@ SRCS=	\
  	$(srcdir)/ktremove.c	\
  	$(srcdir)/ktfns.c	\
  	$(srcdir)/kt_file.c	\
@@ -514,10 +513,61 @@
  	$(srcdir)/kt_memory.c	\
  	$(srcdir)/kt_srvtab.c	\
  	$(srcdir)/read_servi.c	\
-diff -u -r old/src/lib/krb5/os/expand_path.c new/src/lib/krb5/os/expand_path.c
---- old/src/lib/krb5/os/expand_path.c	2015-05-08 18:27:02.000000000 -0500
-+++ new/src/lib/krb5/os/expand_path.c	2015-06-04 12:26:15.614110414 -0500
-@@ -291,7 +291,7 @@
+diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
+--- a/src/lib/krb5/os/Makefile.in
++++ b/src/lib/krb5/os/Makefile.in
+@@ -24,6 +24,7 @@ STLIBOBJS= \
+ 	gen_port.o	\
+ 	genaddrs.o	\
+ 	gen_rname.o	\
++	getuid.o	\
+ 	hostaddr.o	\
+ 	hostrealm.o	\
+ 	hostrealm_dns.o \
+@@ -49,6 +50,7 @@ STLIBOBJS= \
+ 	read_msg.o	\
+ 	read_pwd.o	\
+ 	realm_dom.o	\
++	safechown.o	\
+ 	sendto_kdc.o	\
+ 	sn2princ.o	\
+         thread_safe.o   \
+@@ -71,6 +73,7 @@ OBJS= \
+ 	$(OUTPRE)gen_port.$(OBJEXT)	\
+ 	$(OUTPRE)genaddrs.$(OBJEXT)	\
+ 	$(OUTPRE)gen_rname.$(OBJEXT)	\
++	$(OUTPRE)getuid.$(OBJEXT)	\
+ 	$(OUTPRE)hostaddr.$(OBJEXT)	\
+ 	$(OUTPRE)hostrealm.$(OBJEXT)	\
+ 	$(OUTPRE)hostrealm_dns.$(OBJEXT) \
+@@ -96,6 +99,7 @@ OBJS= \
+ 	$(OUTPRE)read_msg.$(OBJEXT)	\
+ 	$(OUTPRE)read_pwd.$(OBJEXT)	\
+ 	$(OUTPRE)realm_dom.$(OBJEXT)	\
++	$(OUTPRE)safechown.$(OBJEXT)	\
+ 	$(OUTPRE)sendto_kdc.$(OBJEXT)	\
+ 	$(OUTPRE)sn2princ.$(OBJEXT)	\
+         $(OUTPRE)thread_safe.$(OBJEXT)  \
+@@ -118,6 +122,7 @@ SRCS= \
+ 	$(srcdir)/gen_port.c	\
+ 	$(srcdir)/genaddrs.c	\
+ 	$(srcdir)/gen_rname.c	\
++	$(srcdir)/getuid.c	\
+ 	$(srcdir)/hostaddr.c	\
+ 	$(srcdir)/hostrealm.c	\
+ 	$(srcdir)/hostrealm_dns.c \
+@@ -143,6 +148,7 @@ SRCS= \
+ 	$(srcdir)/read_pwd.c	\
+ 	$(srcdir)/realm_dom.c	\
+ 	$(srcdir)/port2ip.c	\
++	$(srcdir)/safechown.c	\
+ 	$(srcdir)/sendto_kdc.c	\
+ 	$(srcdir)/sn2princ.c	\
+         $(srcdir)/thread_safe.c \
+diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c
+--- a/src/lib/krb5/os/expand_path.c
++++ b/src/lib/krb5/os/expand_path.c
+@@ -291,7 +291,7 @@ static krb5_error_code
  expand_userid(krb5_context context, PTYPE param, const char *postfix,
                char **str)
  {
@@ -526,54 +576,3 @@
          return ENOMEM;
      return 0;
  }
-diff -u -r old/src/lib/krb5/os/Makefile.in new/src/lib/krb5/os/Makefile.in
---- old/src/lib/krb5/os/Makefile.in	2015-05-08 18:27:02.000000000 -0500
-+++ new/src/lib/krb5/os/Makefile.in	2015-06-04 12:00:15.668542036 -0500
-@@ -20,6 +20,7 @@
- 	gen_port.o	\
- 	genaddrs.o	\
- 	gen_rname.o	\
-+	getuid.o	\
- 	hostaddr.o	\
- 	hostrealm.o	\
- 	hostrealm_dns.o \
-@@ -44,6 +45,7 @@
- 	read_msg.o	\
- 	read_pwd.o	\
- 	realm_dom.o	\
-+	safechown.o	\
- 	sendto_kdc.o	\
- 	sn2princ.o	\
-         thread_safe.o   \
-@@ -66,6 +68,7 @@
- 	$(OUTPRE)gen_port.$(OBJEXT)	\
- 	$(OUTPRE)genaddrs.$(OBJEXT)	\
- 	$(OUTPRE)gen_rname.$(OBJEXT)	\
-+	$(OUTPRE)getuid.$(OBJEXT)	\
- 	$(OUTPRE)hostaddr.$(OBJEXT)	\
- 	$(OUTPRE)hostrealm.$(OBJEXT)	\
- 	$(OUTPRE)hostrealm_dns.$(OBJEXT) \
-@@ -90,6 +93,7 @@
- 	$(OUTPRE)read_msg.$(OBJEXT)	\
- 	$(OUTPRE)read_pwd.$(OBJEXT)	\
- 	$(OUTPRE)realm_dom.$(OBJEXT)	\
-+	$(OUTPRE)safechown.$(OBJEXT)	\
- 	$(OUTPRE)sendto_kdc.$(OBJEXT)	\
- 	$(OUTPRE)sn2princ.$(OBJEXT)	\
-         $(OUTPRE)thread_safe.$(OBJEXT)  \
-@@ -112,6 +116,7 @@
- 	$(srcdir)/gen_port.c	\
- 	$(srcdir)/genaddrs.c	\
- 	$(srcdir)/gen_rname.c	\
-+	$(srcdir)/getuid.c	\
- 	$(srcdir)/hostaddr.c	\
- 	$(srcdir)/hostrealm.c	\
- 	$(srcdir)/hostrealm_dns.c \
-@@ -136,6 +141,7 @@
- 	$(srcdir)/read_pwd.c	\
- 	$(srcdir)/realm_dom.c	\
- 	$(srcdir)/port2ip.c	\
-+	$(srcdir)/safechown.c	\
- 	$(srcdir)/sendto_kdc.c	\
- 	$(srcdir)/sn2princ.c	\
-         $(srcdir)/thread_safe.c \
--- a/components/krb5/patches/038-krb5-conf.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/038-krb5-conf.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # through kdc_max_tcp_connections.
 # Patch source: in-house
 #
-diff -pur old/src/include/k5-int.h new/src/include/k5-int.h
---- old/src/include/k5-int.h	2015-06-03 16:56:30.904839037 -0600
-+++ new/src/include/k5-int.h	2015-06-07 21:27:29.766113292 -0600
-@@ -263,6 +263,7 @@ typedef unsigned char   u_char;
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -264,6 +264,7 @@ typedef unsigned char   u_char;
  #define KRB5_CONF_MASTER_KEY_TYPE              "master_key_type"
  #define KRB5_CONF_MAX_LIFE                     "max_life"
  #define KRB5_CONF_MAX_RENEWABLE_LIFE           "max_renewable_life"
@@ -18,10 +18,10 @@
  #define KRB5_CONF_MODULE                       "module"
  #define KRB5_CONF_NOADDRESSES                  "noaddresses"
  #define KRB5_CONF_NO_HOST_REFERRAL             "no_host_referral"
-diff -pur old/src/include/net-server.h new/src/include/net-server.h
---- old/src/include/net-server.h	2015-06-03 16:56:30.911020661 -0600
-+++ new/src/include/net-server.h	2015-06-07 00:39:54.939610507 -0600
-@@ -52,6 +52,7 @@ krb5_error_code loop_setup_network(verto
+diff --git a/src/include/net-server.h b/src/include/net-server.h
+--- a/src/include/net-server.h
++++ b/src/include/net-server.h
+@@ -52,6 +52,7 @@ krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle,
  krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle,
                                     void (*reset)());
  void loop_free(verto_ctx *ctx);
@@ -29,9 +29,9 @@
  
  /* to be supplied by the server application */
  
-diff -pur old/src/include/osconf.hin new/src/include/osconf.hin
---- old/src/include/osconf.hin	2015-06-03 16:56:30.905987490 -0600
-+++ new/src/include/osconf.hin	2015-06-06 00:24:02.109378599 -0600
+diff --git a/src/include/osconf.hin b/src/include/osconf.hin
+--- a/src/include/osconf.hin
++++ b/src/include/osconf.hin
 @@ -94,6 +94,10 @@
  #define DEFAULT_KDC_UDP_PORTLIST "88,750"
  #define DEFAULT_KDC_TCP_PORTLIST "88"
@@ -43,9 +43,9 @@
  /*
   * Defaults for the KADM5 admin system.
   */
-diff -pur old/src/kdc/main.c new/src/kdc/main.c
---- old/src/kdc/main.c	2015-06-03 16:56:30.884798447 -0600
-+++ new/src/kdc/main.c	2015-06-07 00:42:33.937821705 -0600
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+--- a/src/kdc/main.c
++++ b/src/kdc/main.c
 @@ -203,7 +203,8 @@ static krb5_error_code
  init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname,
             krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports,
@@ -56,7 +56,7 @@
  {
      krb5_error_code     kret;
      krb5_boolean        manual;
-@@ -260,6 +261,8 @@ init_realm(kdc_realm_t *rdp, krb5_pointe
+@@ -260,6 +261,8 @@ init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname,
          kret = ENOMEM;
          goto whoops;
      }
@@ -65,7 +65,7 @@
      /* Handle stash file */
      hierarchy[2] = KRB5_CONF_KEY_STASH_FILE;
      if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_stash))
-@@ -621,6 +624,7 @@ initialize_realms(krb5_context kcontext,
+@@ -621,6 +624,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
      char                *hostbased = NULL;
      int                  db_args_size = 0;
      char                **db_args = NULL;
@@ -73,7 +73,7 @@
  
      extern char *optarg;
  
-@@ -633,6 +637,13 @@ initialize_realms(krb5_context kcontext,
+@@ -633,6 +637,13 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
          hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
          if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
              default_tcp_ports = 0;
@@ -87,7 +87,7 @@
          hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
          if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
              max_dgram_reply_size = MAX_DGRAM_SIZE;
-@@ -694,7 +705,8 @@ initialize_realms(krb5_context kcontext,
+@@ -694,7 +705,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
                                          menctype, default_udp_ports,
                                          default_tcp_ports, manual,
                                          def_restrict_anon, db_args,
@@ -97,7 +97,7 @@
                      if (retval) {
                          fprintf(stderr, _("%s: cannot initialize realm %s - "
                                            "see log file for details\n"),
-@@ -811,7 +823,7 @@ initialize_realms(krb5_context kcontext,
+@@ -811,7 +823,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
              retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype,
                                  default_udp_ports, default_tcp_ports, manual,
                                  def_restrict_anon, db_args, no_referral,
@@ -116,9 +116,9 @@
      /* Handle each realm's ports */
      for (i=0; i< shandle.kdc_numrealms; i++) {
          char *cp = shandle.kdc_realmlist[i]->realm_ports;
-diff -pur old/src/kdc/realm_data.h new/src/kdc/realm_data.h
---- old/src/kdc/realm_data.h	2015-06-03 16:56:30.885907080 -0600
-+++ new/src/kdc/realm_data.h	2015-06-06 22:52:44.710060227 -0600
+diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h
+--- a/src/kdc/realm_data.h
++++ b/src/kdc/realm_data.h
 @@ -66,6 +66,7 @@ typedef struct __kdc_realm_data {
       */
      char                *realm_ports;   /* Per-realm KDC UDP port */
@@ -127,10 +127,10 @@
      /*
       * Per-realm parameters.
       */
-diff -pur old/src/lib/apputils/net-server.c new/src/lib/apputils/net-server.c
---- old/src/lib/apputils/net-server.c	2015-06-03 16:56:31.835537747 -0600
-+++ new/src/lib/apputils/net-server.c	2015-06-07 01:17:20.123103672 -0600
-@@ -345,6 +345,12 @@ loop_add_tcp_port(int port)
+diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
+--- a/src/lib/apputils/net-server.c
++++ b/src/lib/apputils/net-server.c
+@@ -348,6 +348,12 @@ loop_add_tcp_port(int port)
      return 0;
  }
  
@@ -143,10 +143,10 @@
  krb5_error_code
  loop_add_rpc_service(int port, u_long prognum,
                       u_long versnum, void (*dispatchfn)())
-diff -pur old/src/lib/krb5/os/localauth.c new/src/lib/krb5/os/localauth.c
---- old/src/lib/krb5/os/localauth.c	2015-06-03 16:56:31.860283075 -0600
-+++ new/src/lib/krb5/os/localauth.c	2015-06-03 22:18:21.968345429 -0600
-@@ -258,6 +258,49 @@ parse_mapping_value(const char *value, c
+diff --git a/src/lib/krb5/os/localauth.c b/src/lib/krb5/os/localauth.c
+--- a/src/lib/krb5/os/localauth.c
++++ b/src/lib/krb5/os/localauth.c
+@@ -258,6 +258,49 @@ parse_mapping_value(const char *value, char **type_out, char **residual_out)
      return 0;
  }
  
@@ -196,7 +196,7 @@
  /* Apply the default an2ln method, which translates name@defaultrealm or
   * name/defaultrealm@defaultrealm to name. */
  static krb5_error_code
-@@ -274,7 +317,8 @@ an2ln_default(krb5_context context, krb5
+@@ -274,7 +317,8 @@ an2ln_default(krb5_context context, krb5_localauth_moddata data,
      if (ret)
          return KRB5_LNAME_NOTRANS;
  
--- a/components/krb5/patches/039-15699628.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/039-15699628.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -8,10 +8,10 @@
 # contributed upstream.
 # Patch source: in-house
 #
-diff -pur old/src/lib/gssapi/krb5/disp_status.c new/src/lib/gssapi/krb5/disp_status.c
---- old/src/lib/gssapi/krb5/disp_status.c	2015-06-07 23:15:18.753872790 -0600
-+++ new/src/lib/gssapi/krb5/disp_status.c	2015-06-08 00:04:51.457635593 -0600
-@@ -98,6 +98,12 @@ static int save_error_string_nocopy(OM_u
+diff --git a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c
+--- a/src/lib/gssapi/krb5/disp_status.c
++++ b/src/lib/gssapi/krb5/disp_status.c
+@@ -98,6 +98,12 @@ static int save_error_string_nocopy(OM_uint32 minor_code, char *msg)
          }
      }
      ret = gsserrmap_replace_or_insert(p, minor_code, msg);
--- a/components/krb5/patches/041-move_macros.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/041-move_macros.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,9 @@
 # This patch is unlikely to be accepted upstream.
 # Patch source: in-house
 #
-diff -pur old/src/lib/gssapi/generic/gssapiP_generic.h new/src/lib/gssapi/generic/gssapiP_generic.h
---- old/src/lib/gssapi/generic/gssapiP_generic.h	2015-05-08 16:27:02.000000000 -0700
-+++ new/src/lib/gssapi/generic/gssapiP_generic.h	2015-06-11 12:39:09.937906716 -0700
+diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
+--- a/src/lib/gssapi/generic/gssapiP_generic.h
++++ b/src/lib/gssapi/generic/gssapiP_generic.h
 @@ -49,10 +49,11 @@
  #include "k5-buf.h"
  
@@ -23,9 +23,9 @@
  
  /* this code knows that an int on the wire is 32 bits.  The type of
     num should be at least this big, or the extra shifts may do weird
-diff -pur old/src/lib/gssapi/generic/gssapi_ext.h new/src/lib/gssapi/generic/gssapi_ext.h
---- old/src/lib/gssapi/generic/gssapi_ext.h	2015-05-08 16:27:02.000000000 -0700
-+++ new/src/lib/gssapi/generic/gssapi_ext.h	2015-06-11 12:40:45.859478118 -0700
+diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
+--- a/src/lib/gssapi/generic/gssapi_ext.h
++++ b/src/lib/gssapi/generic/gssapi_ext.h
 @@ -43,6 +43,26 @@ gss_pname_to_uid
  	 uid_t *uidOut);
  #endif
@@ -53,9 +53,9 @@
  /**
   * Provides a platform-specific name for a GSSAPI name as interpreted by a
   * given mechanism.
-diff -pur old/src/lib/gssapi/generic/gssapi_generic.h new/src/lib/gssapi/generic/gssapi_generic.h
---- old/src/lib/gssapi/generic/gssapi_generic.h	2015-05-08 16:27:02.000000000 -0700
-+++ new/src/lib/gssapi/generic/gssapi_generic.h	2015-06-11 12:35:47.817578844 -0700
+diff --git a/src/lib/gssapi/generic/gssapi_generic.h b/src/lib/gssapi/generic/gssapi_generic.h
+--- a/src/lib/gssapi/generic/gssapi_generic.h
++++ b/src/lib/gssapi/generic/gssapi_generic.h
 @@ -38,8 +38,10 @@
  #define GSSAPIGENERIC_END_DECLS
  #endif
@@ -67,9 +67,9 @@
  
  GSSAPIGENERIC_BEGIN_DECLS
  
-diff -pur old/src/lib/gssapi/mechglue/mglueP.h new/src/lib/gssapi/mechglue/mglueP.h
---- old/src/lib/gssapi/mechglue/mglueP.h	2015-06-11 12:28:43.196963587 -0700
-+++ new/src/lib/gssapi/mechglue/mglueP.h	2015-06-11 12:40:27.690166071 -0700
+diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h
+--- a/src/lib/gssapi/mechglue/mglueP.h
++++ b/src/lib/gssapi/mechglue/mglueP.h
 @@ -14,11 +14,13 @@
  #include "mechglue.h"
  #include "gssapiP_generic.h"
--- a/components/krb5/patches/047-dejagnu.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/047-dejagnu.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,9 @@
 # donated.
 # Patch source: in-house
 #
-diff -pur old/src/kadmin/testing/scripts/init_db new/src/kadmin/testing/scripts/init_db
---- old/src/kadmin/testing/scripts/init_db	2015-06-10 00:50:51.127628066 -0600
-+++ new/src/kadmin/testing/scripts/init_db	2015-06-16 02:28:12.221384825 -0600
+diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
+--- a/src/kadmin/testing/scripts/init_db
++++ b/src/kadmin/testing/scripts/init_db
 @@ -215,7 +215,7 @@ changepw/kerberos@$REALM	cil
  
  EOF
@@ -19,9 +19,9 @@
  
  # Create $K5ROOT/setup.csh to make it easy to run other programs against
  # the test db
-diff -pur old/src/kadmin/testing/util/tcl_kadm5.c new/src/kadmin/testing/util/tcl_kadm5.c
---- old/src/kadmin/testing/util/tcl_kadm5.c	2015-06-10 00:50:51.128546692 -0600
-+++ new/src/kadmin/testing/util/tcl_kadm5.c	2015-06-16 02:25:40.402115955 -0600
+diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
+--- a/src/kadmin/testing/util/tcl_kadm5.c
++++ b/src/kadmin/testing/util/tcl_kadm5.c
 @@ -13,8 +13,11 @@
  #include <errno.h>
  #include <stdlib.h>
@@ -34,7 +34,7 @@
  struct flagval {
      char *name;
      krb5_flags val;
-@@ -2504,12 +2507,14 @@ static int tcl_kadm5_get_privs(ClientDat
+@@ -2504,12 +2507,14 @@ static int tcl_kadm5_get_privs(ClientData clientData, Tcl_Interp *interp,
  
  void Tcl_kadm5_init(Tcl_Interp *interp)
  {
@@ -54,9 +54,21 @@
      (void) sprintf(buf, "%d", KADM5_STRUCT_VERSION);
      Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY);
      (void) sprintf(buf, "%d", KADM5_API_VERSION_2);
-diff -pur old/src/lib/kadm5/unit-test/api.current/init-v2.exp new/src/lib/kadm5/unit-test/api.current/init-v2.exp
---- old/src/lib/kadm5/unit-test/api.current/init-v2.exp	2015-06-10 00:50:51.345973412 -0600
-+++ new/src/lib/kadm5/unit-test/api.current/init-v2.exp	2015-06-17 15:27:14.063710212 -0600
+diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/unit-test/Makefile.in
+--- a/src/lib/kadm5/unit-test/Makefile.in
++++ b/src/lib/kadm5/unit-test/Makefile.in
+@@ -103,7 +103,7 @@ unit-test-server-setup::
+ unit-test-server-cleanup::
+ 	$(ENV_SETUP) $(STOP_SERVERS_LOCAL)
+ 
+-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client 
++unit-test-client-body: site.exp test-destroy test-handle-client 
+ 	$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
+ 		KINIT=$(BUILDTOP)/clients/kinit/kinit \
+ 		KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp
+--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp
++++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp
 @@ -70,7 +70,7 @@ proc test102 {} {
  		[config_params {KADM5_CONFIG_ADMIN_SERVER} does.not.exist] \
  		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
@@ -94,9 +106,9 @@
      one_line_succeed_test {
  	kadm5_init_with_creds testuser null $KADM5_CHANGEPW_SERVICE \
  		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-diff -pur old/src/lib/kadm5/unit-test/api.current/init.exp new/src/lib/kadm5/unit-test/api.current/init.exp
---- old/src/lib/kadm5/unit-test/api.current/init.exp	2015-06-10 00:50:51.346734449 -0600
-+++ new/src/lib/kadm5/unit-test/api.current/init.exp	2015-06-16 02:25:07.155377656 -0600
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/unit-test/api.current/init.exp
+--- a/src/lib/kadm5/unit-test/api.current/init.exp
++++ b/src/lib/kadm5/unit-test/api.current/init.exp
 @@ -697,8 +697,8 @@ if {$RPC} {
      # re-extract the keytab so it is right
      exec rm $env(K5ROOT)/ovsec_adm.srvtab
@@ -108,9 +120,9 @@
  }
  
  return ""
-diff -pur old/src/lib/kadm5/unit-test/destroy-test.c new/src/lib/kadm5/unit-test/destroy-test.c
---- old/src/lib/kadm5/unit-test/destroy-test.c	2015-06-10 00:50:51.347207985 -0600
-+++ new/src/lib/kadm5/unit-test/destroy-test.c	2015-06-12 01:15:05.073293523 -0600
+diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/unit-test/destroy-test.c
+--- a/src/lib/kadm5/unit-test/destroy-test.c
++++ b/src/lib/kadm5/unit-test/destroy-test.c
 @@ -27,7 +27,7 @@ int main()
          exit(2);
      }
@@ -120,9 +132,9 @@
                           KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
                           &server_handle);
          if(ret != KADM5_OK) {
-diff -pur old/src/lib/kadm5/unit-test/handle-test.c new/src/lib/kadm5/unit-test/handle-test.c
---- old/src/lib/kadm5/unit-test/handle-test.c	2015-06-10 00:50:51.347684536 -0600
-+++ new/src/lib/kadm5/unit-test/handle-test.c	2015-06-12 01:17:51.121655473 -0600
+diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/unit-test/handle-test.c
+--- a/src/lib/kadm5/unit-test/handle-test.c
++++ b/src/lib/kadm5/unit-test/handle-test.c
 @@ -30,7 +30,7 @@ int main(int argc, char *argv[])
  
      kadm5_init_krb5_context(&context);
@@ -132,9 +144,9 @@
                       KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
                       &server_handle);
      if(ret != KADM5_OK) {
-diff -pur old/src/lib/kadm5/unit-test/iter-test.c new/src/lib/kadm5/unit-test/iter-test.c
---- old/src/lib/kadm5/unit-test/iter-test.c	2015-06-10 00:50:51.347990562 -0600
-+++ new/src/lib/kadm5/unit-test/iter-test.c	2015-06-12 01:18:32.114334236 -0600
+diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/unit-test/iter-test.c
+--- a/src/lib/kadm5/unit-test/iter-test.c
++++ b/src/lib/kadm5/unit-test/iter-test.c
 @@ -22,7 +22,7 @@ int main(int argc, char **argv)
          com_err("iter-test", ret, "while initializing context");
          exit(1);
@@ -144,21 +156,9 @@
                       KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
                       &server_handle);
      if (ret != KADM5_OK) {
-diff -pur old/src/lib/kadm5/unit-test/Makefile.in new/src/lib/kadm5/unit-test/Makefile.in
---- old/src/lib/kadm5/unit-test/Makefile.in	2015-06-10 00:50:51.344879613 -0600
-+++ new/src/lib/kadm5/unit-test/Makefile.in	2015-06-12 01:08:32.007953859 -0600
-@@ -103,7 +103,7 @@ unit-test-server-setup::
- unit-test-server-cleanup::
- 	$(ENV_SETUP) $(STOP_SERVERS_LOCAL)
- 
--unit-test-client-body: site.exp test-noauth test-destroy test-handle-client 
-+unit-test-client-body: site.exp test-destroy test-handle-client 
- 	$(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
- 		KINIT=$(BUILDTOP)/clients/kinit/kinit \
- 		KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \
-diff -pur old/src/lib/kadm5/unit-test/randkey-test.c new/src/lib/kadm5/unit-test/randkey-test.c
---- old/src/lib/kadm5/unit-test/randkey-test.c	2015-06-10 00:50:51.345250545 -0600
-+++ new/src/lib/kadm5/unit-test/randkey-test.c	2015-06-12 01:19:03.866788127 -0600
+diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/unit-test/randkey-test.c
+--- a/src/lib/kadm5/unit-test/randkey-test.c
++++ b/src/lib/kadm5/unit-test/randkey-test.c
 @@ -23,7 +23,7 @@ int main()
      kadm5_init_krb5_context(&context);
  
@@ -168,9 +168,9 @@
                       KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
                       &server_handle);
      if(ret != KADM5_OK) {
-diff -pur old/src/lib/kadm5/unit-test/setkey-test.c new/src/lib/kadm5/unit-test/setkey-test.c
---- old/src/lib/kadm5/unit-test/setkey-test.c	2015-06-10 00:50:51.345023163 -0600
-+++ new/src/lib/kadm5/unit-test/setkey-test.c	2015-06-12 01:19:20.512438967 -0600
+diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
+--- a/src/lib/kadm5/unit-test/setkey-test.c
++++ b/src/lib/kadm5/unit-test/setkey-test.c
 @@ -119,7 +119,7 @@ main(int argc, char **argv)
          exit(1);
      }
@@ -180,9 +180,9 @@
                       KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL,
                       &handle);
      if (ret) {
-diff -pur old/src/tests/dejagnu/krb-standalone/kadmin.exp new/src/tests/dejagnu/krb-standalone/kadmin.exp
---- old/src/tests/dejagnu/krb-standalone/kadmin.exp	2015-06-10 00:50:51.143889459 -0600
-+++ new/src/tests/dejagnu/krb-standalone/kadmin.exp	2015-06-17 16:39:21.177011699 -0600
+diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
+--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
++++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
 @@ -1050,13 +1050,16 @@ proc kadmin_test { } {
  	return
      }
--- a/components/krb5/patches/048-dns-fix.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/048-dns-fix.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,9 +7,9 @@
 # feature that this patch is not intended to be contributed upstream.
 # Patch source: in-house
 #
-diff -pur old/src/lib/kadm5/unit-test/api.current/init-v2.exp new/src/lib/kadm5/unit-test/api.current/init-v2.exp
---- old/src/lib/kadm5/unit-test/api.current/init-v2.exp	2015-06-21 00:18:20.230303372 -0600
-+++ new/src/lib/kadm5/unit-test/api.current/init-v2.exp	2015-06-22 17:04:49.232411015 -0600
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp
+--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp
++++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp
 @@ -14,7 +14,7 @@ proc get_hostname { } {
  	return 1
      }
@@ -19,9 +19,9 @@
      if ![string match "" $exec_output] {
  	send_log "$exec_output\n"
  	verbose $exec_output
-diff -pur old/src/lib/kadm5/unit-test/api.current/init.exp new/src/lib/kadm5/unit-test/api.current/init.exp
---- old/src/lib/kadm5/unit-test/api.current/init.exp	2015-06-21 00:18:20.230782385 -0600
-+++ new/src/lib/kadm5/unit-test/api.current/init.exp	2015-06-22 17:32:38.659298951 -0600
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/unit-test/api.current/init.exp
+--- a/src/lib/kadm5/unit-test/api.current/init.exp
++++ b/src/lib/kadm5/unit-test/api.current/init.exp
 @@ -9,6 +9,39 @@ load_lib lib.t
  
  api_exit
@@ -84,9 +84,9 @@
  }
  
  return ""
-diff -pur old/src/tests/dejagnu/config/default.exp new/src/tests/dejagnu/config/default.exp
---- old/src/tests/dejagnu/config/default.exp	2015-06-21 00:18:20.155115365 -0600
-+++ new/src/tests/dejagnu/config/default.exp	2015-06-22 02:55:13.011533167 -0600
+diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
+--- a/src/tests/dejagnu/config/default.exp
++++ b/src/tests/dejagnu/config/default.exp
 @@ -682,7 +682,7 @@ proc get_hostname { } {
  
      envstack_push
@@ -96,10 +96,10 @@
      envstack_pop
      if ![string match "" $exec_output] {
  	verbose -log $exec_output
-diff -pur old/src/tests/resolve/Makefile.in new/src/tests/resolve/Makefile.in
---- old/src/tests/resolve/Makefile.in	2015-06-21 00:18:20.152133289 -0600
-+++ new/src/tests/resolve/Makefile.in	2015-06-22 02:54:28.986659244 -0600
-@@ -8,7 +8,7 @@ SRCS=$(srcdir)/resolve.c $(srcdir)/addri
+diff --git a/src/tests/resolve/Makefile.in b/src/tests/resolve/Makefile.in
+--- a/src/tests/resolve/Makefile.in
++++ b/src/tests/resolve/Makefile.in
+@@ -8,7 +8,7 @@ SRCS=$(srcdir)/resolve.c $(srcdir)/addrinfo-test.c \
  all:: resolve addrinfo-test fake-addrinfo-test
  
  resolve: resolve.o
@@ -108,9 +108,9 @@
  
  addrinfo-test: addrinfo-test.o
  	$(CC_LINK) -o $@ addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
-diff -pur old/src/tests/resolve/resolve.c new/src/tests/resolve/resolve.c
---- old/src/tests/resolve/resolve.c	2015-06-21 00:18:20.151976156 -0600
-+++ new/src/tests/resolve/resolve.c	2015-06-22 17:03:19.772488031 -0600
+diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c
+--- a/src/tests/resolve/resolve.c
++++ b/src/tests/resolve/resolve.c
 @@ -73,6 +73,94 @@ char *strchr();
  #include <netinet/in.h>
  #include <netdb.h>
--- a/components/krb5/patches/049-kpropd_no_retries.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/049-kpropd_no_retries.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -10,10 +10,10 @@
 # This is a Solaris specific change, it will not be contributed upstream.
 # Patch source: in-house
 #
-diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c
---- old/src/slave/kpropd.c	2015-06-26 05:26:18.093175489 -0700
-+++ new/src/slave/kpropd.c	2015-07-07 05:33:21.888052914 -0700
-@@ -730,18 +730,10 @@ reinit:
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -734,18 +734,10 @@ reinit:
  
                  usage();
              }
--- a/components/krb5/patches/050-libverto_memleak.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/050-libverto_memleak.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -17,9 +17,9 @@
 #    https://fedorahosted.org/libverto/ticket/13
 # Patch source: in-house
 #
-diff -pur old/src/util/verto/verto.c new/src/util/verto/verto.c
---- old/src/util/verto/verto.c	2015-05-08 16:27:02.000000000 -0700
-+++ new/src/util/verto/verto.c	2015-07-03 08:35:24.868287391 -0700
+diff --git a/src/util/verto/verto.c b/src/util/verto/verto.c
+--- a/src/util/verto/verto.c
++++ b/src/util/verto/verto.c
 @@ -132,6 +132,11 @@ vresize(void *mem, size_t size)
  {
      if (!resize_cb)
--- a/components/krb5/patches/051-fopenF.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/051-fopenF.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # submitted to MIT until this is resolved in ON.
 # Patch source: in-house
 #
-diff -ur krb5-1.13.2/src/appl/gss-sample/gss-server.c krb5-1.13.2.fopen/src/appl/gss-sample/gss-server.c
---- krb5-1.13.2/src/appl/gss-sample/gss-server.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/appl/gss-sample/gss-server.c	2015-08-11 13:52:42.455625831 -0500
-@@ -699,7 +699,7 @@
+diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c
+--- a/src/appl/gss-sample/gss-server.c
++++ b/src/appl/gss-sample/gss-server.c
+@@ -709,7 +709,7 @@ main(int argc, char **argv)
              if (!strcmp(*argv, "/dev/null")) {
                  logfile = display_file = NULL;
              } else {
@@ -19,10 +19,10 @@
                  display_file = logfile;
                  if (!logfile) {
                      perror(*argv);
-diff -ur krb5-1.13.2/src/clients/ksu/authorization.c krb5-1.13.2.fopen/src/clients/ksu/authorization.c
---- krb5-1.13.2/src/clients/ksu/authorization.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/clients/ksu/authorization.c	2015-08-11 13:46:50.985382622 -0500
-@@ -100,7 +100,7 @@
+diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
+--- a/src/clients/ksu/authorization.c
++++ b/src/clients/ksu/authorization.c
+@@ -100,7 +100,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
  
      /* k5login and k5users must be owned by target user or root */
      if (!k5login_flag){
@@ -31,7 +31,7 @@
              return 0;
          if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
              fclose(login_fp);
-@@ -109,7 +109,7 @@
+@@ -109,7 +109,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
      }
  
      if (!k5users_flag){
@@ -40,10 +40,10 @@
              return 0;
          }
          if ( fowner(users_fp, pwd->pw_uid) == FALSE){
-diff -ur krb5-1.13.2/src/clients/ksu/ccache.c krb5-1.13.2.fopen/src/clients/ksu/ccache.c
---- krb5-1.13.2/src/clients/ksu/ccache.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/clients/ksu/ccache.c	2015-08-11 13:27:17.131920647 -0500
-@@ -375,7 +375,7 @@
+diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
+--- a/src/clients/ksu/ccache.c
++++ b/src/clients/ksu/ccache.c
+@@ -375,7 +375,7 @@ krb5_get_login_princ(luser, princ_list)
  
  
      /* open ~/.k5login */
@@ -52,10 +52,10 @@
          return 0;
      }
      /*
-diff -ur krb5-1.13.2/src/clients/ksu/heuristic.c krb5-1.13.2.fopen/src/clients/ksu/heuristic.c
---- krb5-1.13.2/src/clients/ksu/heuristic.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/clients/ksu/heuristic.c	2015-08-11 13:53:18.318187882 -0500
-@@ -222,7 +222,7 @@
+diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
+--- a/src/clients/ksu/heuristic.c
++++ b/src/clients/ksu/heuristic.c
+@@ -222,7 +222,7 @@ get_authorized_princ_names(luser, cmd, princ_list)
      k5users_flag = stat(k5users_path, &tb);
  
      if (!k5login_flag){
@@ -64,7 +64,7 @@
              return 0;
          if ( fowner(login_fp, pwd->pw_uid) == FALSE){
              close_time(1 /*k5users_flag*/, (FILE *) 0 /*users_fp*/,
-@@ -231,7 +231,7 @@
+@@ -231,7 +231,7 @@ get_authorized_princ_names(luser, cmd, princ_list)
          }
      }
      if (!k5users_flag){
@@ -73,10 +73,10 @@
              return 0;
  
          if ( fowner(users_fp, pwd->pw_uid) == FALSE){
-diff -ur krb5-1.13.2/src/kadmin/dbutil/dump.c krb5-1.13.2.fopen/src/kadmin/dbutil/dump.c
---- krb5-1.13.2/src/kadmin/dbutil/dump.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/kadmin/dbutil/dump.c	2015-08-11 13:41:07.987791713 -0500
-@@ -1195,7 +1195,7 @@
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+--- a/src/kadmin/dbutil/dump.c
++++ b/src/kadmin/dbutil/dump.c
+@@ -1215,7 +1215,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile)
      char buf[BUFSIZ];
      FILE *f;
  
@@ -85,7 +85,7 @@
      if (f == NULL)
          return 0;              /* aliasing other errors to ENOENT here is OK */
  
-@@ -1517,7 +1517,7 @@
+@@ -1537,7 +1537,7 @@ load_db(int argc, char **argv)
  
      /* Open the dumpfile. */
      if (dumpfile != NULL) {
@@ -94,10 +94,10 @@
          if (f == NULL) {
              com_err(progname, errno, _("while opening %s"), dumpfile);
              goto error;
-diff -ur krb5-1.13.2/src/kadmin/server/ovsec_kadmd.c krb5-1.13.2.fopen/src/kadmin/server/ovsec_kadmd.c
---- krb5-1.13.2/src/kadmin/server/ovsec_kadmd.c	2015-08-11 14:09:05.551255648 -0500
-+++ krb5-1.13.2.fopen/src/kadmin/server/ovsec_kadmd.c	2015-08-11 13:45:04.700855296 -0500
-@@ -126,7 +126,7 @@
+diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
+--- a/src/kadmin/server/ovsec_kadmd.c
++++ b/src/kadmin/server/ovsec_kadmd.c
+@@ -126,7 +126,7 @@ write_pid_file(const char *pid_file)
      unsigned long pid;
      int st1, st2;
  
@@ -106,10 +106,10 @@
      if (file == NULL)
          return errno;
      pid = (unsigned long)getpid();
-diff -ur krb5-1.13.2/src/kdc/main.c krb5-1.13.2.fopen/src/kdc/main.c
---- krb5-1.13.2/src/kdc/main.c	2015-08-11 14:09:05.788213288 -0500
-+++ krb5-1.13.2.fopen/src/kdc/main.c	2015-08-11 13:40:50.652078819 -0500
-@@ -859,7 +859,7 @@
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+--- a/src/kdc/main.c
++++ b/src/kdc/main.c
+@@ -859,7 +859,7 @@ write_pid_file(const char *path)
      FILE *file;
      unsigned long pid;
  
@@ -118,10 +118,10 @@
      if (file == NULL)
          return errno;
      pid = (unsigned long) getpid();
-diff -ur krb5-1.13.2/src/lib/gssapi/generic/util_errmap.c krb5-1.13.2.fopen/src/lib/gssapi/generic/util_errmap.c
---- krb5-1.13.2/src/lib/gssapi/generic/util_errmap.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/gssapi/generic/util_errmap.c	2015-08-11 13:44:48.732993167 -0500
-@@ -176,7 +176,7 @@
+diff --git a/src/lib/gssapi/generic/util_errmap.c b/src/lib/gssapi/generic/util_errmap.c
+--- a/src/lib/gssapi/generic/util_errmap.c
++++ b/src/lib/gssapi/generic/util_errmap.c
+@@ -176,7 +176,7 @@ OM_uint32 gssint_mecherrmap_map(OM_uint32 minor, const gss_OID_desc * oid)
  
  #ifdef DEBUG
      FILE *f;
@@ -130,10 +130,10 @@
      if (f == NULL)
          f = stderr;
  #endif
-diff -ur krb5-1.13.2/src/lib/gssapi/mechglue/g_initialize.c krb5-1.13.2.fopen/src/lib/gssapi/mechglue/g_initialize.c
---- krb5-1.13.2/src/lib/gssapi/mechglue/g_initialize.c	2015-08-11 14:09:05.250949351 -0500
-+++ krb5-1.13.2.fopen/src/lib/gssapi/mechglue/g_initialize.c	2015-08-11 13:38:16.832678845 -0500
-@@ -1357,7 +1357,7 @@
+diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
+--- a/src/lib/gssapi/mechglue/g_initialize.c
++++ b/src/lib/gssapi/mechglue/g_initialize.c
+@@ -1218,7 +1218,7 @@ loadConfigFile(const char *fileName)
  	char buffer[BUFSIZ], *oidStr;
  	FILE *confFile;
  
@@ -142,10 +142,10 @@
  		return;
  	}
  
-diff -ur krb5-1.13.2/src/lib/kadm5/logger.c krb5-1.13.2.fopen/src/lib/kadm5/logger.c
---- krb5-1.13.2/src/lib/kadm5/logger.c	2015-08-11 14:09:05.365604955 -0500
-+++ krb5-1.13.2.fopen/src/lib/kadm5/logger.c	2015-08-11 13:50:11.011871109 -0500
-@@ -567,7 +567,7 @@
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -566,7 +566,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
                      if (cp[4] == ':' || cp[4] == '=') {
                          /* Solaris Kerberos */
                          log_control.log_entries[i].lfu_fopen_mode =
@@ -154,7 +154,7 @@
                          old_umask = umask(077);
                          f = fopen(&cp[5],
                                    log_control.log_entries[i].lfu_fopen_mode);
-@@ -802,7 +802,7 @@
+@@ -801,7 +801,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
                   */
                  else if (!strcasecmp(cp, "CONSOLE")) {
                      log_control.log_entries[i].ldu_filep =
@@ -163,7 +163,7 @@
                      if (log_control.log_entries[i].ldu_filep) {
                          set_cloexec_file(log_control.log_entries[i].ldu_filep);
                          log_control.log_entries[i].log_type = K_LOG_CONSOLE;
-@@ -818,7 +818,7 @@
+@@ -817,7 +817,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
                       */
                      if (cp[6] == '=') {
                          log_control.log_entries[i].ldu_filep =
@@ -172,7 +172,7 @@
                          if (log_control.log_entries[i].ldu_filep) {
                              set_cloexec_file(log_control.log_entries[i].ldu_filep);
                              log_control.log_entries[i].log_type = K_LOG_DEVICE;
-@@ -1157,7 +1157,7 @@
+@@ -1156,7 +1156,7 @@ krb5_klog_reopen(krb5_context kcontext)
               * In case the old logfile did not get moved out of the
               * way, open for append to prevent squashing the old logs.
               */
@@ -181,10 +181,10 @@
              if (f) {
                  set_cloexec_file(f);
                  log_control.log_entries[lindex].lfu_filep = f;
-diff -ur krb5-1.13.2/src/lib/kadm5/srv/server_acl.c krb5-1.13.2.fopen/src/lib/kadm5/srv/server_acl.c
---- krb5-1.13.2/src/lib/kadm5/srv/server_acl.c	2015-08-11 14:09:05.702364340 -0500
-+++ krb5-1.13.2.fopen/src/lib/kadm5/srv/server_acl.c	2015-08-11 13:38:00.105075682 -0500
-@@ -496,7 +496,7 @@
+diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
+--- a/src/lib/kadm5/srv/server_acl.c
++++ b/src/lib/kadm5/srv/server_acl.c
+@@ -488,7 +488,7 @@ kadm5int_acl_load_acl_file()
  
      DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
      /* Open the ACL file for read */
@@ -193,10 +193,10 @@
      if (afp) {
          set_cloexec_file(afp);
          alineno = 1;
-diff -ur krb5-1.13.2/src/lib/kdb/kdb_default.c krb5-1.13.2.fopen/src/lib/kdb/kdb_default.c
---- krb5-1.13.2/src/lib/kdb/kdb_default.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/kdb/kdb_default.c	2015-08-11 13:39:37.134237942 -0500
-@@ -251,9 +251,9 @@
+diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
+--- a/src/lib/kdb/kdb_default.c
++++ b/src/lib/kdb/kdb_default.c
+@@ -251,9 +251,9 @@ krb5_db_def_fetch_mkey_stash(krb5_context   context,
      FILE *kf = NULL;
  
  #ifdef ANSI_STDIO
@@ -208,10 +208,10 @@
  #endif
              return KRB5_KDB_CANTREAD_STORED;
      set_cloexec_file(kf);
-diff -ur krb5-1.13.2/src/lib/krb5/ccache/cc_dir.c krb5-1.13.2.fopen/src/lib/krb5/ccache/cc_dir.c
---- krb5-1.13.2/src/lib/krb5/ccache/cc_dir.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/ccache/cc_dir.c	2015-08-11 13:41:24.435225067 -0500
-@@ -153,7 +153,7 @@
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+--- a/src/lib/krb5/ccache/cc_dir.c
++++ b/src/lib/krb5/ccache/cc_dir.c
+@@ -153,7 +153,7 @@ read_primary_file(krb5_context context, const char *primary_path,
      *residual_out = NULL;
  
      /* Open the file and read its first line. */
@@ -220,10 +220,10 @@
      if (fp == NULL)
          return ENOENT;
      ret = fgets(buf, sizeof(buf), fp);
-diff -ur krb5-1.13.2/src/lib/krb5/ccache/ccselect_k5identity.c krb5-1.13.2.fopen/src/lib/krb5/ccache/ccselect_k5identity.c
---- krb5-1.13.2/src/lib/krb5/ccache/ccselect_k5identity.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/ccache/ccselect_k5identity.c	2015-08-11 13:26:23.773323178 -0500
-@@ -168,7 +168,7 @@
+diff --git a/src/lib/krb5/ccache/ccselect_k5identity.c b/src/lib/krb5/ccache/ccselect_k5identity.c
+--- a/src/lib/krb5/ccache/ccselect_k5identity.c
++++ b/src/lib/krb5/ccache/ccselect_k5identity.c
+@@ -168,7 +168,7 @@ k5identity_choose(krb5_context context, krb5_ccselect_moddata data,
      free(homedir);
      if (ret)
          return ret;
@@ -232,10 +232,10 @@
      free(filename);
      if (fp == NULL)
          return KRB5_PLUGIN_NO_HANDLE;
-diff -ur krb5-1.13.2/src/lib/krb5/keytab/kt_file.c krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_file.c
---- krb5-1.13.2/src/lib/krb5/keytab/kt_file.c	2015-08-11 14:09:05.422898949 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_file.c	2015-08-11 13:39:18.503152692 -0500
-@@ -1022,11 +1022,11 @@
+diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
+--- a/src/lib/krb5/keytab/kt_file.c
++++ b/src/lib/krb5/keytab/kt_file.c
+@@ -1028,11 +1028,11 @@ typedef krb5_int16  krb5_kt_vno;
  #define krb5_kt_default_vno ((krb5_kt_vno)KRB5_KT_DEFAULT_VNO)
  
  #ifdef ANSI_STDIO
@@ -251,10 +251,10 @@
  #endif
  
  static krb5_error_code
-diff -ur krb5-1.13.2/src/lib/krb5/keytab/kt_srvtab.c krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_srvtab.c
---- krb5-1.13.2/src/lib/krb5/keytab/kt_srvtab.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/keytab/kt_srvtab.c	2015-08-11 13:36:28.107510825 -0500
-@@ -342,9 +342,9 @@
+diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
+--- a/src/lib/krb5/keytab/kt_srvtab.c
++++ b/src/lib/krb5/keytab/kt_srvtab.c
+@@ -342,9 +342,9 @@ const struct _krb5_kt_ops krb5_kts_ops = {
  #include <stdio.h>
  
  #ifdef ANSI_STDIO
@@ -266,10 +266,10 @@
  #endif
  
  /* The maximum sizes for V4 aname, realm, sname, and instance +1 */
-diff -ur krb5-1.13.2/src/lib/krb5/os/localaddr.c krb5-1.13.2.fopen/src/lib/krb5/os/localaddr.c
---- krb5-1.13.2/src/lib/krb5/os/localaddr.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/os/localaddr.c	2015-08-11 13:40:00.997639967 -0500
-@@ -368,7 +368,7 @@
+diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
+--- a/src/lib/krb5/os/localaddr.c
++++ b/src/lib/krb5/os/localaddr.c
+@@ -368,7 +368,7 @@ get_linux_ipv6_addrs ()
      FILE *f;
  
      /* _PATH_PROCNET_IFINET6 */
@@ -278,10 +278,10 @@
      if (f) {
          char ifname[21];
          unsigned int idx, pfxlen, scope, dadstat;
-diff -ur krb5-1.13.2/src/lib/krb5/os/localauth_k5login.c krb5-1.13.2.fopen/src/lib/krb5/os/localauth_k5login.c
---- krb5-1.13.2/src/lib/krb5/os/localauth_k5login.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/os/localauth_k5login.c	2015-08-11 13:45:18.115959001 -0500
-@@ -116,7 +116,7 @@
+diff --git a/src/lib/krb5/os/localauth_k5login.c b/src/lib/krb5/os/localauth_k5login.c
+--- a/src/lib/krb5/os/localauth_k5login.c
++++ b/src/lib/krb5/os/localauth_k5login.c
+@@ -116,7 +116,7 @@ userok_k5login(krb5_context context, krb5_localauth_moddata data,
      if (ret)
          goto cleanup;
  
@@ -290,10 +290,10 @@
      if (fp == NULL) {
          ret = errno;
          goto cleanup;
-diff -ur krb5-1.13.2/src/lib/krb5/rcache/t_replay.c krb5-1.13.2.fopen/src/lib/krb5/rcache/t_replay.c
---- krb5-1.13.2/src/lib/krb5/rcache/t_replay.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/rcache/t_replay.c	2015-08-11 13:45:29.971685638 -0500
-@@ -66,7 +66,7 @@
+diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c
+--- a/src/lib/krb5/rcache/t_replay.c
++++ b/src/lib/krb5/rcache/t_replay.c
+@@ -66,7 +66,7 @@ dump_rcache(const char *filename)
      krb5_int32 usec;
      krb5_timestamp timestamp;
  
@@ -302,10 +302,10 @@
      if (!fp) {
          fprintf(stderr, "Can't open filename: %s\n", strerror(errno));
          return;
-diff -ur krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucdata.c krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucdata.c
---- krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucdata.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucdata.c	2015-08-11 13:43:57.692003927 -0500
-@@ -156,7 +156,7 @@
+diff --git a/src/lib/krb5/unicode/ucdata/ucdata.c b/src/lib/krb5/unicode/ucdata/ucdata.c
+--- a/src/lib/krb5/unicode/ucdata/ucdata.c
++++ b/src/lib/krb5/unicode/ucdata/ucdata.c
+@@ -156,7 +156,7 @@ _ucprop_load(char *paths, int reload)
          _ucprop_size = 0;
      }
  
@@ -314,7 +314,7 @@
        return -1;
  
      /*
-@@ -337,7 +337,7 @@
+@@ -337,7 +337,7 @@ _uccase_load(char *paths, int reload)
          _uccase_size = 0;
      }
  
@@ -323,7 +323,7 @@
        return -1;
  
      /*
-@@ -532,7 +532,7 @@
+@@ -532,7 +532,7 @@ _uccomp_load(char *paths, int reload)
          _uccomp_size = 0;
      }
  
@@ -332,7 +332,7 @@
          return -1;
  
      /*
-@@ -730,7 +730,7 @@
+@@ -730,7 +730,7 @@ _ucdcmp_load(char *paths, int reload)
          _ucdcmp_size = 0;
      }
  
@@ -341,7 +341,7 @@
          return -1;
  
      /*
-@@ -785,7 +785,7 @@
+@@ -785,7 +785,7 @@ _uckdcmp_load(char *paths, int reload)
          _uckdcmp_size = 0;
      }
  
@@ -350,7 +350,7 @@
          return -1;
  
      /*
-@@ -1042,7 +1042,7 @@
+@@ -1042,7 +1042,7 @@ _uccmcl_load(char *paths, int reload)
          _uccmcl_size = 0;
      }
  
@@ -359,7 +359,7 @@
          return -1;
  
      /*
-@@ -1138,7 +1138,7 @@
+@@ -1138,7 +1138,7 @@ _ucnumb_load(char *paths, int reload)
          _ucnum_size = 0;
      }
  
@@ -368,10 +368,10 @@
        return -1;
  
      /*
-diff -ur krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucgendat.c krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucgendat.c
---- krb5-1.13.2/src/lib/krb5/unicode/ucdata/ucgendat.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/krb5/unicode/ucdata/ucgendat.c	2015-08-11 13:51:21.938013410 -0500
-@@ -1296,14 +1296,14 @@
+diff --git a/src/lib/krb5/unicode/ucdata/ucgendat.c b/src/lib/krb5/unicode/ucdata/ucgendat.c
+--- a/src/lib/krb5/unicode/ucdata/ucgendat.c
++++ b/src/lib/krb5/unicode/ucdata/ucgendat.c
+@@ -1296,14 +1296,14 @@ write_cdata(char *opath)
       * Open the output file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "uctable.h", opath);
@@ -388,7 +388,7 @@
        return;
  #endif
  
-@@ -1436,7 +1436,7 @@
+@@ -1436,7 +1436,7 @@ write_cdata(char *opath)
       * Open the case.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "case.dat", opath);
@@ -397,7 +397,7 @@
        return;
  
      /*
-@@ -1513,7 +1513,7 @@
+@@ -1513,7 +1513,7 @@ write_cdata(char *opath)
       * Open the comp.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "comp.dat", opath);
@@ -406,7 +406,7 @@
  	return;
  
      /*
-@@ -1589,7 +1589,7 @@
+@@ -1589,7 +1589,7 @@ write_cdata(char *opath)
       * Open the decomp.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "decomp.dat", opath);
@@ -415,7 +415,7 @@
        return;
  
      hdr[1] = decomps_used;
-@@ -1682,7 +1682,7 @@
+@@ -1682,7 +1682,7 @@ write_cdata(char *opath)
       * Open the kdecomp.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "kdecomp.dat", opath);
@@ -424,7 +424,7 @@
        return;
  
      hdr[1] = kdecomps_used;
-@@ -1762,7 +1762,7 @@
+@@ -1762,7 +1762,7 @@ write_cdata(char *opath)
       * Open the cmbcl.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "cmbcl.dat", opath);
@@ -433,7 +433,7 @@
        return;
  
      /*
-@@ -1836,7 +1836,7 @@
+@@ -1836,7 +1836,7 @@ write_cdata(char *opath)
       * Open the num.dat file.
       */
      snprintf(path, sizeof path, "%s" LDAP_DIRSEP "num.dat", opath);
@@ -442,7 +442,7 @@
        return;
  
      /*
-@@ -1908,7 +1908,7 @@
+@@ -1908,7 +1908,7 @@ main(int argc, char *argv[])
                case 'x':
                  argc--;
                  argv++;
@@ -451,7 +451,7 @@
                    fprintf(stderr,
                            "%s: unable to open composition exclusion file %s\n",
                            prog, argv[0]);
-@@ -1924,7 +1924,7 @@
+@@ -1924,7 +1924,7 @@ main(int argc, char *argv[])
          } else {
              if (in != stdin && in != NULL)
                fclose(in);
@@ -460,10 +460,10 @@
                fprintf(stderr, "%s: unable to open ctype file %s\n",
                        prog, argv[0]);
              else {
-diff -ur krb5-1.13.2/src/lib/rpc/getrpcent.c krb5-1.13.2.fopen/src/lib/rpc/getrpcent.c
---- krb5-1.13.2/src/lib/rpc/getrpcent.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/rpc/getrpcent.c	2015-08-11 13:25:58.125779542 -0500
-@@ -121,7 +121,7 @@
+diff --git a/src/lib/rpc/getrpcent.c b/src/lib/rpc/getrpcent.c
+--- a/src/lib/rpc/getrpcent.c
++++ b/src/lib/rpc/getrpcent.c
+@@ -121,7 +121,7 @@ SETRPCENT_TYPE setrpcent(int f)
  	if (d == 0)
  		return;
  	if (d->rpcf == NULL) {
@@ -472,7 +472,7 @@
  		if (d->rpcf)
  		    set_cloexec_file(d->rpcf);
  	} else
-@@ -160,7 +160,7 @@
+@@ -160,7 +160,7 @@ getrpcent(void)
  	if (d == 0)
  		return(NULL);
  	if (d->rpcf == NULL) {
@@ -481,10 +481,10 @@
  		return (NULL);
  	    set_cloexec_file(d->rpcf);
  	}
-diff -ur krb5-1.13.2/src/lib/rpc/svc_auth_gssapi.c krb5-1.13.2.fopen/src/lib/rpc/svc_auth_gssapi.c
---- krb5-1.13.2/src/lib/rpc/svc_auth_gssapi.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/lib/rpc/svc_auth_gssapi.c	2015-08-11 13:52:59.222895641 -0500
-@@ -57,7 +57,7 @@
+diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
+--- a/src/lib/rpc/svc_auth_gssapi.c
++++ b/src/lib/rpc/svc_auth_gssapi.c
+@@ -57,7 +57,7 @@ void gssrpcint_printf(const char *format, ...)
      {
  	static FILE *f;
  	if (f == NULL)
@@ -493,10 +493,10 @@
  	if (f) {
  	    vfprintf(f, format, ap);
  	    fflush(f);
-diff -ur krb5-1.13.2/src/plugins/audit/test/au_test.c krb5-1.13.2.fopen/src/plugins/audit/test/au_test.c
---- krb5-1.13.2/src/plugins/audit/test/au_test.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/audit/test/au_test.c	2015-08-11 13:41:56.337778968 -0500
-@@ -54,7 +54,7 @@
+diff --git a/src/plugins/audit/test/au_test.c b/src/plugins/audit/test/au_test.c
+--- a/src/plugins/audit/test/au_test.c
++++ b/src/plugins/audit/test/au_test.c
+@@ -54,7 +54,7 @@ static k5_mutex_t lock = K5_MUTEX_PARTIAL_INITIALIZER;
  static krb5_error_code
  open_au(krb5_audit_moddata *auctx)
  {
@@ -505,10 +505,10 @@
      if (au_fd == NULL)
          return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */
      k5_mutex_init(&lock);
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/adb_openclose.c krb5-1.13.2.fopen/src/plugins/kdb/db2/adb_openclose.c
---- krb5-1.13.2/src/plugins/kdb/db2/adb_openclose.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/adb_openclose.c	2015-08-11 13:51:43.944888036 -0500
-@@ -147,12 +147,12 @@
+diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
+--- a/src/plugins/kdb/db2/adb_openclose.c
++++ b/src/plugins/kdb/db2/adb_openclose.c
+@@ -147,12 +147,12 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
           * POSIX systems
           */
          lockp->lockinfo.filename = strdup(lockfilename);
@@ -523,10 +523,10 @@
                  == NULL) {
                  free(db);
                  return OSA_ADB_NOLOCKFILE;
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/btree/bt_debug.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/btree/bt_debug.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/btree/bt_debug.c	2015-08-11 13:57:58.472374191 -0500
-@@ -66,7 +66,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_debug.c
+@@ -66,7 +66,7 @@ __bt_dinit()
  	first = 0;
  
  #ifndef TRACE_TO_STDERR
@@ -535,10 +535,22 @@
  		return;
  #endif
  	tracefp = stderr;
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c	2015-08-11 13:52:17.919976635 -0500
-@@ -224,7 +224,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c b/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c
+--- a/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c
++++ b/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c
+@@ -18,7 +18,7 @@ void main(int argc, char *argv[]) {
+   FILE *fopen(), *fin;
+ 
+   unlink("test.db");
+-  if ((fin = fopen("data","r")) == NULL) {
++  if ((fin = fopen("data","rF")) == NULL) {
+     printf("Unable to open %s\n","data");
+     exit(25);
+   }
+diff --git a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
+--- a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
++++ b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c
+@@ -224,7 +224,7 @@ user(db)
  	int argc, i, last;
  	char *lbuf, *argv[4], buf[512];
  
@@ -547,7 +559,7 @@
  		(void)fprintf(stderr,
  		    "/dev/tty: %s\n", strerror(errno));
  		exit(1);
-@@ -624,7 +624,7 @@
+@@ -624,7 +624,7 @@ list(db, argv)
  	FILE *fp;
  	int status;
  
@@ -556,7 +568,7 @@
  		(void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
  		return;
  	}
-@@ -649,7 +649,7 @@
+@@ -649,7 +649,7 @@ rlist(db, argv)
  	void *cookie;
  
  	cookie = NULL;
@@ -565,7 +577,7 @@
  		(void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
  		return;
  	}
-@@ -679,7 +679,7 @@
+@@ -679,7 +679,7 @@ load(db, argv)
  	char *lp, buf[16 * 1024];
  
  	BUGdb = db;
@@ -574,10 +586,10 @@
  		(void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
  		return;
  	}
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c	2015-08-11 13:58:10.679774122 -0500
-@@ -103,7 +103,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c b/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c
+--- a/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c
++++ b/src/plugins/kdb/db2/libdb2/test/hash1.tests/tdel.c
+@@ -103,7 +103,7 @@ char **argv;
  	}
  
  	if ( --argc ) {
@@ -586,10 +598,10 @@
  		i = 0;
  		while ( fgets(wp1, 8192, fp) &&
  			fgets(wp2, 8192, fp) &&
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c	2015-08-11 13:37:47.137256617 -0500
-@@ -106,7 +106,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c b/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c
+--- a/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c
++++ b/src/plugins/kdb/db2/libdb2/test/hash1.tests/thash4.c
+@@ -106,7 +106,7 @@ char **argv;
  	}
  
  	if ( --argc ) {
@@ -598,10 +610,10 @@
  		i = 0;
  		while ( fgets(wp1, 256, fp) &&
  			fgets(wp2, 8192, fp) &&
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c	2015-08-11 13:46:12.282862828 -0500
-@@ -19,8 +19,8 @@
+diff --git a/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c b/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c
+--- a/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c
++++ b/src/plugins/kdb/db2/libdb2/test/hash2.tests/passtest.c
+@@ -19,8 +19,8 @@ main(void)
      val_line = (char *)malloc(300);
      old = (char *)malloc(300);
  
@@ -612,7 +624,7 @@
  
      passwd.bsize =  1024;
      passwd.cachesize = 1024 * 1024;
-@@ -61,8 +61,8 @@
+@@ -61,8 +61,8 @@ main(void)
  
  
  
@@ -623,7 +635,7 @@
      get_key = (char *)malloc(100);
      get_val = (char *)malloc(300);
  
-@@ -120,8 +120,8 @@
+@@ -120,8 +120,8 @@ main(void)
      get_key = (char *)malloc(100);
      key2 = (char *)malloc(100);
  
@@ -634,7 +646,7 @@
  
      db = dbopen("/usr/tmp/passwd.db", O_RDWR|O_BINARY, 0664, DB_HASH, &passwd);
      n = 0;
-@@ -148,8 +148,8 @@
+@@ -148,8 +148,8 @@ main(void)
      key2 = (char *)malloc(100);
      get_val = (char *)malloc(300);
  
@@ -645,22 +657,10 @@
  
      db = dbopen("/usr/tmp/passwd.db", O_RDWR|O_BINARY, 0664, DB_HASH, &passwd);
      n = 0;
-diff -ur krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c
---- krb5-1.13.2/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/db2/libdb2/test/SEQ_TEST/t.c	2015-08-11 13:35:18.997485992 -0500
-@@ -18,7 +18,7 @@
-   FILE *fopen(), *fin;
- 
-   unlink("test.db");
--  if ((fin = fopen("data","r")) == NULL) {
-+  if ((fin = fopen("data","rF")) == NULL) {
-     printf("Unable to open %s\n","data");
-     exit(25);
-   }
-diff -ur krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.13.2.fopen/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
---- krb5-1.13.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c	2015-08-11 13:50:27.043180087 -0500
-@@ -178,7 +178,7 @@
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+@@ -178,7 +178,7 @@ done:
  
      /* set password in the file */
      old_mode = umask(0177);
@@ -669,7 +669,7 @@
      if (pfile == NULL) {
          com_err(me, errno, _("Failed to open file %s: %s"), file_name,
                  strerror (errno));
-@@ -230,7 +230,7 @@
+@@ -230,7 +230,7 @@ done:
          }
  
          omask = umask(077);
@@ -678,10 +678,10 @@
          umask (omask);
          if (newfile == NULL) {
              com_err(me, errno, _("Error creating file %s"), tmp_file);
-diff -ur krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c krb5-1.13.2.fopen/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
---- krb5-1.13.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c	2015-08-11 13:38:33.143752493 -0500
-@@ -87,7 +87,7 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+@@ -87,7 +87,7 @@ krb5_ldap_readpassword(krb5_context context, const char *filename,
  
      *password_out = NULL;
  
@@ -690,10 +690,10 @@
      if (fp == NULL) {
          ret = errno;
          k5_setmsg(context, ret, _("Cannot open LDAP password file '%s': %s"),
-diff -ur krb5-1.13.2/src/plugins/locate/python/py-locate.c krb5-1.13.2.fopen/src/plugins/locate/python/py-locate.c
---- krb5-1.13.2/src/plugins/locate/python/py-locate.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/locate/python/py-locate.c	2015-08-11 13:27:01.588118726 -0500
-@@ -98,7 +98,7 @@
+diff --git a/src/plugins/locate/python/py-locate.c b/src/plugins/locate/python/py-locate.c
+--- a/src/plugins/locate/python/py-locate.c
++++ b/src/plugins/locate/python/py-locate.c
+@@ -98,7 +98,7 @@ my_init(void)
  
      Py_Initialize ();
  //    fprintf(stderr, "trying to load %s\n", SCRIPT_PATH);
@@ -702,10 +702,10 @@
      if (f == NULL) {
          if (sctx)
              krb5_set_error_message(sctx, -1,
-diff -ur krb5-1.13.2/src/plugins/preauth/otp/otp_state.c krb5-1.13.2.fopen/src/plugins/preauth/otp/otp_state.c
---- krb5-1.13.2/src/plugins/preauth/otp/otp_state.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/preauth/otp/otp_state.c	2015-08-11 13:45:35.971590182 -0500
-@@ -94,7 +94,7 @@
+diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
+--- a/src/plugins/preauth/otp/otp_state.c
++++ b/src/plugins/preauth/otp/otp_state.c
+@@ -96,7 +96,7 @@ read_secret_file(const char *secret_file, char **secret)
          return retval;
      }
  
@@ -714,10 +714,10 @@
      if (file == NULL) {
          retval = errno;
          com_err("otp", retval, "Unable to open secret file '%s'", filename);
-diff -ur krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
---- krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2015-08-11 14:09:05.679850166 -0500
-+++ krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2015-08-11 13:47:00.667400771 -0500
-@@ -4256,7 +4256,7 @@
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -4281,7 +4281,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
          goto cleanup;
      }
  
@@ -726,10 +726,10 @@
      if (fp == NULL) {
          pkiDebug("Failed to open PKCS12 file '%s', error %d\n",
                   idopts->cert_filename, errno);
-diff -ur krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_lib.c krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_lib.c
---- krb5-1.13.2/src/plugins/preauth/pkinit/pkinit_lib.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/preauth/pkinit/pkinit_lib.c	2015-08-11 13:37:29.585859289 -0500
-@@ -365,7 +365,7 @@
+diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
+--- a/src/plugins/preauth/pkinit/pkinit_lib.c
++++ b/src/plugins/preauth/pkinit/pkinit_lib.c
+@@ -365,7 +365,7 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
      if (len <= 0 || filename == NULL)
          return;
  
@@ -738,10 +738,10 @@
          return;
  
      set_cloexec_file(f);
-diff -ur krb5-1.13.2/src/plugins/tls/k5tls/openssl.c krb5-1.13.2.fopen/src/plugins/tls/k5tls/openssl.c
---- krb5-1.13.2/src/plugins/tls/k5tls/openssl.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/plugins/tls/k5tls/openssl.c	2015-08-11 13:39:50.077659500 -0500
-@@ -348,7 +348,7 @@
+diff --git a/src/plugins/tls/k5tls/openssl.c b/src/plugins/tls/k5tls/openssl.c
+--- a/src/plugins/tls/k5tls/openssl.c
++++ b/src/plugins/tls/k5tls/openssl.c
+@@ -348,7 +348,7 @@ load_anchor_file(X509_STORE *store, const char *path)
      X509_INFO *xi;
      int i;
  
@@ -750,10 +750,10 @@
      if (fp == NULL)
          return errno;
      sk = PEM_X509_INFO_read(fp, NULL, NULL, NULL);
-diff -ur krb5-1.13.2/src/slave/kpropd.c krb5-1.13.2.fopen/src/slave/kpropd.c
---- krb5-1.13.2/src/slave/kpropd.c	2015-08-11 14:09:06.005972821 -0500
-+++ krb5-1.13.2.fopen/src/slave/kpropd.c	2015-08-11 13:36:51.675274120 -0500
-@@ -1306,7 +1306,7 @@
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -1310,7 +1310,7 @@ authorized_principal(krb5_context context, krb5_principal p,
      if (retval)
          return FALSE;
  
@@ -762,10 +762,10 @@
      if (acl_file == NULL)
          return FALSE;
  
-diff -ur krb5-1.13.2/src/tests/asn.1/t_trval.c krb5-1.13.2.fopen/src/tests/asn.1/t_trval.c
---- krb5-1.13.2/src/tests/asn.1/t_trval.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/tests/asn.1/t_trval.c	2015-08-11 13:26:43.068639205 -0500
-@@ -93,7 +93,7 @@
+diff --git a/src/tests/asn.1/t_trval.c b/src/tests/asn.1/t_trval.c
+--- a/src/tests/asn.1/t_trval.c
++++ b/src/tests/asn.1/t_trval.c
+@@ -93,7 +93,7 @@ int main(argc, argv)
              }
          } else {
              optflg = 0;
@@ -774,10 +774,10 @@
                  fprintf(stderr,"trval: unable to open %s\n", *argv);
                  continue;
              }
-diff -ur krb5-1.13.2/src/tests/gss-threads/gss-server.c krb5-1.13.2.fopen/src/tests/gss-threads/gss-server.c
---- krb5-1.13.2/src/tests/gss-threads/gss-server.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/tests/gss-threads/gss-server.c	2015-08-11 13:38:08.680788848 -0500
-@@ -733,7 +733,7 @@
+diff --git a/src/tests/gss-threads/gss-server.c b/src/tests/gss-threads/gss-server.c
+--- a/src/tests/gss-threads/gss-server.c
++++ b/src/tests/gss-threads/gss-server.c
+@@ -733,7 +733,7 @@ main(int argc, char **argv)
              if (!strcmp(*argv, "/dev/null")) {
                  logfile = display_file = NULL;
              } else {
@@ -786,10 +786,10 @@
                  display_file = logfile;
                  if (!logfile) {
                      perror(*argv);
-diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c
---- old/src/util/profile/prof_file.c	2016-03-31 16:44:53.634245353 -0700
-+++ patched/src/util/profile/prof_file.c	2016-03-31 20:07:34.843286876 -0700
-@@ -126,7 +126,7 @@ static int rw_access(const_profile_files
+diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
+--- a/src/util/profile/prof_file.c
++++ b/src/util/profile/prof_file.c
+@@ -126,7 +126,7 @@ static int rw_access(const_profile_filespec_t filespec)
       */
      FILE    *f;
  
@@ -798,7 +798,7 @@
      if (f) {
          fclose(f);
          return 1;
-@@ -150,7 +150,7 @@ static int r_access(const_profile_filesp
+@@ -150,7 +150,7 @@ static int r_access(const_profile_filespec_t filespec)
       */
      FILE    *f;
  
@@ -807,7 +807,7 @@
      if (f) {
          fclose(f);
          return 1;
-@@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locke
+@@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locked(prf_data_t data, char **ret_modspec)
  #endif
      if (!isdir) {
          errno = 0;
@@ -816,7 +816,7 @@
          if (f == NULL)
              return (errno != 0) ? errno : ENOENT;
          set_cloexec_file(f);
-@@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_
+@@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
  
      errno = 0;
  
@@ -825,22 +825,22 @@
      if (!f) {
          retval = errno;
          if (retval == 0)
-diff -ur krb5-1.13.2/src/util/profile/prof_parse.c krb5-1.13.2.fopen/src/util/profile/prof_parse.c
---- krb5-1.13.2/src/util/profile/prof_parse.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/util/profile/prof_parse.c	2015-08-11 13:40:28.548611243 -0500
-@@ -212,7 +212,7 @@
-     incstate.root_section = state->root_section;
-     incstate.current_section = NULL;
+diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c
+--- a/src/util/profile/prof_parse.c
++++ b/src/util/profile/prof_parse.c
+@@ -213,7 +213,7 @@ static errcode_t parse_include_file(const char *filename,
+     state.root_section = root_section;
+     state.current_section = NULL;
  
 -    fp = fopen(filename, "r");
 +    fp = fopen(filename, "rF");
      if (fp == NULL)
          return PROF_FAIL_INCLUDE_FILE;
-     retval = parse_file(fp, &incstate, NULL);
-diff -ur krb5-1.13.2/src/util/profile/test_parse.c krb5-1.13.2.fopen/src/util/profile/test_parse.c
---- krb5-1.13.2/src/util/profile/test_parse.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/util/profile/test_parse.c	2015-08-11 13:41:47.994085591 -0500
-@@ -25,7 +25,7 @@
+     retval = parse_file(fp, &state, NULL);
+diff --git a/src/util/profile/test_parse.c b/src/util/profile/test_parse.c
+--- a/src/util/profile/test_parse.c
++++ b/src/util/profile/test_parse.c
+@@ -25,7 +25,7 @@ int main(argc, argv)
          exit(1);
      }
  
--- a/components/krb5/patches/052-krb5-config.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/052-krb5-config.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -25,10 +25,10 @@
 # The patch is not intended for upstream contribution.
 # Patch source: in-house
 #
-diff -pur old/src/build-tools/krb5-config.in new/src/build-tools/krb5-config.in
---- old/src/build-tools/krb5-config.in	2015-08-14 08:08:25.045131098 -0700
-+++ new/src/build-tools/krb5-config.in	2015-08-19 01:45:24.697166086 -0700
-@@ -30,10 +30,11 @@ version_string="Kerberos 5 release @KRB5
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -30,10 +30,11 @@ version_string="Kerberos 5 release @KRB5_VERSION@"
  prefix=@prefix@
  exec_prefix=@exec_prefix@
  includedir=@includedir@
--- a/components/krb5/patches/053-kernel-mech.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/053-kernel-mech.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -28,45 +28,9 @@
 # therefore should not be considered as an upstream contribution to MIT.
 # Patch source: in-house
 #
-diff -pur old/src/lib/gssapi/generic/gssapiP_generic.h new/src/lib/gssapi/generic/gssapiP_generic.h
---- old/src/lib/gssapi/generic/gssapiP_generic.h	2015-08-24 23:54:31.967668939 -0600
-+++ new/src/lib/gssapi/generic/gssapiP_generic.h	2015-08-24 23:53:45.867622444 -0600
-@@ -116,6 +116,12 @@
- #define g_seqstate_size         gssint_g_seqstate_size
- #define g_seqstate_externalize  gssint_g_seqstate_externalize
- #define g_seqstate_internalize  gssint_g_seqstate_internalize
-+#define	g_order_init		gssint_g_order_init
-+#define	g_order_check		gssint_g_order_check
-+#define	g_order_free		gssint_g_order_free
-+#define	g_queue_size		gssint_g_queue_size
-+#define	g_queue_externalize	gssint_g_queue_externalize
-+#define	g_queue_internalize	gssint_g_queue_internalize
- #define g_canonicalize_host     gssint_g_canonicalize_host
- #define g_local_host_name       gssint_g_local_host_name
- #define g_strdup                gssint_g_strdup
-@@ -185,6 +191,19 @@ long g_seqstate_externalize(g_seqnum_sta
- long g_seqstate_internalize(g_seqnum_state *state_out, unsigned char **buf,
-                             size_t *lenremain);
- 
-+gss_int32 g_order_init (void **queue, uint64_t seqnum,
-+				  int do_replay, int do_sequence, int wide);
-+
-+gss_int32 g_order_check (void **queue, uint64_t seqnum);
-+
-+void g_order_free (void **queue);
-+
-+gss_uint32 g_queue_size(void *vqueue, size_t *sizep);
-+gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf,
-+			       size_t *lenremain);
-+gss_uint32 g_queue_internalize(void **vqueue, unsigned char **buf,
-+			       size_t *lenremain);
-+
- char *g_strdup (char *str);
- 
- /** declarations of internal name mechanism functions **/
-diff -pur old/src/lib/gssapi/generic/Makefile.in new/src/lib/gssapi/generic/Makefile.in
---- old/src/lib/gssapi/generic/Makefile.in	2015-08-24 23:54:31.968226730 -0600
-+++ new/src/lib/gssapi/generic/Makefile.in	2015-08-24 23:53:45.871579061 -0600
+diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
+--- a/src/lib/gssapi/generic/Makefile.in
++++ b/src/lib/gssapi/generic/Makefile.in
 @@ -66,6 +66,7 @@ SRCS = \
  	$(srcdir)/util_buffer.c \
  	$(srcdir)/util_buffer_set.c \
@@ -91,10 +55,63 @@
  	util_set.o \
  	util_seqstate.o \
  	util_token.o \
-diff -pur old/src/lib/gssapi/krb5/accept_sec_context.c new/src/lib/gssapi/krb5/accept_sec_context.c
---- old/src/lib/gssapi/krb5/accept_sec_context.c	2015-08-24 23:54:31.971814896 -0600
-+++ new/src/lib/gssapi/krb5/accept_sec_context.c	2015-08-24 23:53:45.848389600 -0600
-@@ -441,6 +441,7 @@ kg_accept_krb5(minor_status, context_han
+diff --git a/src/lib/gssapi/generic/deps b/src/lib/gssapi/generic/deps
+--- a/src/lib/gssapi/generic/deps
++++ b/src/lib/gssapi/generic/deps
+@@ -64,6 +64,13 @@ util_errmap.so util_errmap.po $(OUTPRE)util_errmap.$(OBJEXT): \
+   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
+   errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
+   gssapi_generic.h util_errmap.c
++util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): \
++  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
++  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \
++  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
++  $(top_srcdir)/include/k5-thread.h gssapiP_generic.h \
++  gssapi_err_generic.h gssapi_ext.h gssapi_generic.h \
++  util_ordering.c
+ util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): \
+   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
+   $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \
+diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
+--- a/src/lib/gssapi/generic/gssapiP_generic.h
++++ b/src/lib/gssapi/generic/gssapiP_generic.h
+@@ -116,6 +116,12 @@
+ #define g_seqstate_size         gssint_g_seqstate_size
+ #define g_seqstate_externalize  gssint_g_seqstate_externalize
+ #define g_seqstate_internalize  gssint_g_seqstate_internalize
++#define	g_order_init		gssint_g_order_init
++#define	g_order_check		gssint_g_order_check
++#define	g_order_free		gssint_g_order_free
++#define	g_queue_size		gssint_g_queue_size
++#define	g_queue_externalize	gssint_g_queue_externalize
++#define	g_queue_internalize	gssint_g_queue_internalize
+ #define g_canonicalize_host     gssint_g_canonicalize_host
+ #define g_local_host_name       gssint_g_local_host_name
+ #define g_strdup                gssint_g_strdup
+@@ -185,6 +191,19 @@ long g_seqstate_externalize(g_seqnum_state state, unsigned char **buf,
+ long g_seqstate_internalize(g_seqnum_state *state_out, unsigned char **buf,
+                             size_t *lenremain);
+ 
++gss_int32 g_order_init (void **queue, uint64_t seqnum,
++				  int do_replay, int do_sequence, int wide);
++
++gss_int32 g_order_check (void **queue, uint64_t seqnum);
++
++void g_order_free (void **queue);
++
++gss_uint32 g_queue_size(void *vqueue, size_t *sizep);
++gss_uint32 g_queue_externalize(void *vqueue, unsigned char **buf,
++			       size_t *lenremain);
++gss_uint32 g_queue_internalize(void **vqueue, unsigned char **buf,
++			       size_t *lenremain);
++
+ char *g_strdup (char *str);
+ 
+ /** declarations of internal name mechanism functions **/
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -435,6 +435,7 @@ kg_accept_krb5(minor_status, context_handle,
      char *sptr;
      OM_uint32 tmp;
      size_t md5len;
@@ -102,7 +119,7 @@
      krb5_gss_cred_id_t cred = 0;
      krb5_data ap_rep, ap_req;
      unsigned int i;
-@@ -704,6 +705,7 @@ kg_accept_krb5(minor_status, context_han
+@@ -698,6 +699,7 @@ kg_accept_krb5(minor_status, context_handle,
          }
  
          gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
@@ -110,7 +127,7 @@
      } else {
          /* gss krb5 v1 */
  
-@@ -731,14 +733,22 @@ kg_accept_krb5(minor_status, context_han
+@@ -725,14 +727,22 @@ kg_accept_krb5(minor_status, context_handle,
          }
  
          ptr = (unsigned char *) authdat->checksum->contents;
@@ -139,7 +156,7 @@
  
          /*
            The following section of code attempts to implement the
-@@ -779,7 +789,7 @@ kg_accept_krb5(minor_status, context_han
+@@ -773,7 +783,7 @@ kg_accept_krb5(minor_status, context_handle,
  
          /* Read the token flags.  Remember if GSS_C_DELEG_FLAG was set, but
           * mask it out until we actually read a delegated credential. */
@@ -148,7 +165,7 @@
          token_deleg_flag = (gss_flags & GSS_C_DELEG_FLAG);
          gss_flags &= ~GSS_C_DELEG_FLAG;
  
-@@ -788,8 +798,8 @@ kg_accept_krb5(minor_status, context_han
+@@ -782,8 +792,8 @@ kg_accept_krb5(minor_status, context_handle,
          i = authdat->checksum->length - 24;
          if (i && token_deleg_flag) {
              if (i >= 4) {
@@ -159,7 +176,7 @@
                  i -= 4;
  
                  if (i < option.length) {
-@@ -886,6 +896,7 @@ kg_accept_krb5(minor_status, context_han
+@@ -880,6 +890,7 @@ kg_accept_krb5(minor_status, context_handle,
                                        GSS_C_DCE_STYLE | GSS_C_IDENTIFY_FLAG |
                                        GSS_C_EXTENDED_ERROR_FLAG)));
      ctx->seed_init = 0;
@@ -167,10 +184,21 @@
      ctx->cred_rcache = cred_rcache;
  
      /* XXX move this into gss_name_t */
-diff -pur old/src/lib/gssapi/krb5/gssapi_krb5.c new/src/lib/gssapi/krb5/gssapi_krb5.c
---- old/src/lib/gssapi/krb5/gssapi_krb5.c	2015-08-24 23:54:31.974446790 -0600
-+++ new/src/lib/gssapi/krb5/gssapi_krb5.c	2015-08-24 23:53:45.847910701 -0600
-@@ -938,6 +938,7 @@ static int gss_krb5mechglue_init(void)
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -205,6 +205,7 @@ typedef struct _krb5_gss_ctx_id_rec {
+     krb5_magic magic;
+     unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
+     unsigned int established : 1;
++    unsigned int big_endian : 1;
+     unsigned int have_acceptor_subkey : 1;
+     unsigned int seed_init : 1;  /* XXX tested but never actually set */
+     unsigned int terminated : 1;
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -1046,6 +1046,7 @@ static int gss_krb5mechglue_init(void)
  
      mech_krb5.mechNameStr = "kerberos_v5";
      mech_krb5.mech_type = (gss_OID)gss_mech_krb5;
@@ -178,21 +206,10 @@
      gssint_register_mechinfo(&mech_krb5);
  
      mech_krb5.mechNameStr = "kerberos_v5_old";
-diff -pur old/src/lib/gssapi/krb5/gssapiP_krb5.h new/src/lib/gssapi/krb5/gssapiP_krb5.h
---- old/src/lib/gssapi/krb5/gssapiP_krb5.h	2015-08-24 23:54:31.974815169 -0600
-+++ new/src/lib/gssapi/krb5/gssapiP_krb5.h	2015-08-24 23:53:45.845950677 -0600
-@@ -204,6 +204,7 @@ typedef struct _krb5_gss_ctx_id_rec {
-     krb5_magic magic;
-     unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
-     unsigned int established : 1;
-+    unsigned int big_endian : 1;
-     unsigned int have_acceptor_subkey : 1;
-     unsigned int seed_init : 1;  /* XXX tested but never actually set */
-     unsigned int terminated : 1;
-diff -pur old/src/lib/gssapi/krb5/import_sec_context.c new/src/lib/gssapi/krb5/import_sec_context.c
---- old/src/lib/gssapi/krb5/import_sec_context.c	2015-08-24 23:54:31.969983292 -0600
-+++ new/src/lib/gssapi/krb5/import_sec_context.c	2015-08-24 23:53:45.845397252 -0600
-@@ -107,7 +107,6 @@ krb5_gss_import_sec_context(minor_status
+diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c
+--- a/src/lib/gssapi/krb5/import_sec_context.c
++++ b/src/lib/gssapi/krb5/import_sec_context.c
+@@ -107,7 +107,6 @@ krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle)
          krb5_free_context(context);
          return(GSS_S_FAILURE);
      }
@@ -200,9 +217,9 @@
  
      ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
  
-diff -pur old/src/lib/gssapi/krb5/ser_sctx.c new/src/lib/gssapi/krb5/ser_sctx.c
---- old/src/lib/gssapi/krb5/ser_sctx.c	2015-08-24 23:54:31.969825966 -0600
-+++ new/src/lib/gssapi/krb5/ser_sctx.c	2015-08-24 23:53:45.847452068 -0600
+diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
+--- a/src/lib/gssapi/krb5/ser_sctx.c
++++ b/src/lib/gssapi/krb5/ser_sctx.c
 @@ -150,6 +150,22 @@ kg_oid_size(kcontext, arg, sizep)
  }
  
@@ -226,7 +243,7 @@
  kg_seqstate_externalize(kcontext, arg, buffer, lenremain)
      krb5_context        kcontext;
      g_seqnum_state      arg;
-@@ -166,6 +182,48 @@ kg_seqstate_externalize(kcontext, arg, b
+@@ -166,6 +182,48 @@ kg_seqstate_externalize(kcontext, arg, buffer, lenremain)
  }
  
  static krb5_error_code
@@ -275,7 +292,7 @@
  kg_seqstate_internalize(kcontext, argp, buffer, lenremain)
      krb5_context        kcontext;
      g_seqnum_state      *argp;
-@@ -208,6 +266,26 @@ kg_seqstate_internalize(kcontext, argp,
+@@ -208,6 +266,26 @@ kg_seqstate_internalize(kcontext, argp, buffer, lenremain)
  }
  
  static krb5_error_code
@@ -335,7 +352,7 @@
          *sizep += required;
      }
      return(kret);
-@@ -400,6 +482,8 @@ kg_ctx_externalize(kcontext, arg, buffer
+@@ -400,6 +482,8 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                         &bp, &remain);
              (void) krb5_ser_pack_int32((krb5_int32) ctx->established,
                                         &bp, &remain);
@@ -344,7 +361,7 @@
              (void) krb5_ser_pack_int32((krb5_int32) ctx->have_acceptor_subkey,
                                         &bp, &remain);
              (void) krb5_ser_pack_int32((krb5_int32) ctx->seed_init,
-@@ -468,9 +552,10 @@ kg_ctx_externalize(kcontext, arg, buffer
+@@ -468,9 +552,10 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                                 &bp, &remain);
  
              if (!kret && ctx->seqstate)
@@ -356,7 +373,7 @@
              if (!kret)
                  kret = krb5_externalize_opaque(kcontext,
                                                 KV5M_CONTEXT,
-@@ -482,6 +567,7 @@ kg_ctx_externalize(kcontext, arg, buffer
+@@ -482,6 +567,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                                 KV5M_AUTH_CONTEXT,
                                                 (krb5_pointer) ctx->auth_context,
                                                 &bp, &remain);
@@ -364,7 +381,7 @@
  
              if (!kret)
                  kret = krb5_ser_pack_int32((krb5_int32) ctx->proto,
-@@ -501,6 +587,7 @@ kg_ctx_externalize(kcontext, arg, buffer
+@@ -501,6 +587,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
              if (!kret)
                  kret = krb5_ser_pack_int32((krb5_int32) ctx->cred_rcache,
                                             &bp, &remain);
@@ -372,7 +389,7 @@
              if (!kret) {
                  krb5_int32 i = 0;
  
-@@ -534,6 +621,7 @@ kg_ctx_externalize(kcontext, arg, buffer
+@@ -534,6 +621,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                                     &remain);
                  }
              }
@@ -380,7 +397,7 @@
              /* trailer */
              if (!kret)
                  kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
-@@ -611,6 +699,8 @@ kg_ctx_internalize(kcontext, argp, buffe
+@@ -611,6 +699,8 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
              (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
              ctx->established = (int) ibuf;
              (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
@@ -389,7 +406,7 @@
              ctx->have_acceptor_subkey = (int) ibuf;
              (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
              ctx->seed_init = (int) ibuf;
-@@ -695,12 +785,13 @@ kg_ctx_internalize(kcontext, argp, buffe
+@@ -695,12 +785,13 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
              }
  
              if (!kret) {
@@ -404,7 +421,7 @@
              if (!kret)
                  kret = krb5_internalize_opaque(kcontext,
                                                 KV5M_CONTEXT,
-@@ -712,6 +803,7 @@ kg_ctx_internalize(kcontext, argp, buffe
+@@ -712,6 +803,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
                                                 KV5M_AUTH_CONTEXT,
                                                 (krb5_pointer *) &ctx->auth_context,
                                                 &bp, &remain);
@@ -412,7 +429,7 @@
  
              if (!kret)
                  kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
-@@ -731,6 +823,7 @@ kg_ctx_internalize(kcontext, argp, buffe
+@@ -731,6 +823,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
              if (!kret)
                  kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
              ctx->cred_rcache = ibuf;
@@ -420,7 +437,7 @@
              /* authdata */
              if (!kret)
                  kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
-@@ -769,6 +862,7 @@ kg_ctx_internalize(kcontext, argp, buffe
+@@ -769,6 +862,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
                          kret = 0;
                  }
              }
@@ -428,19 +445,3 @@
              /* Get trailer */
              if (!kret)
                  kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
---- krb5-1.13.3/src/lib/gssapi/generic/deps
-+++ ./deps
-@@ -64,6 +64,13 @@ util_errmap.so util_errmap.po $(OUTPRE)u
-   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
-   errmap.h gssapiP_generic.h gssapi_err_generic.h gssapi_ext.h \
-   gssapi_generic.h util_errmap.c
-+util_ordering.so util_ordering.po $(OUTPRE)util_ordering.$(OBJEXT): \
-+  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
-+  $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \
-+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-platform.h \
-+  $(top_srcdir)/include/k5-thread.h gssapiP_generic.h \
-+  gssapi_err_generic.h gssapi_ext.h gssapi_generic.h \
-+  util_ordering.c
- util_set.so util_set.po $(OUTPRE)util_set.$(OBJEXT): \
-   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
-   $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(COM_ERR_DEPS) \
--- a/components/krb5/patches/054-trailing-comments.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/054-trailing-comments.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # so this is Solaris only for now.
 # Patch source: in-house
 #
-diff -ur krb5-1.13.2/src/lib/krb5/os/locate_kdc.c krb5-1.13.2.port-fix/src/lib/krb5/os/locate_kdc.c
---- krb5-1.13.2/src/lib/krb5/os/locate_kdc.c	2015-08-28 18:31:53.289596722 -0500
-+++ krb5-1.13.2.port-fix/src/lib/krb5/os/locate_kdc.c	2015-08-28 18:30:51.201317543 -0500
-@@ -270,6 +270,9 @@
+diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
+--- a/src/lib/krb5/os/locate_kdc.c
++++ b/src/lib/krb5/os/locate_kdc.c
+@@ -270,6 +270,9 @@ locate_srv_conf_1(krb5_context context, const krb5_data *realm,
          if (port) {
              unsigned long l;
              char *endptr;
--- a/components/krb5/patches/055-register_gsscred.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/055-register_gsscred.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # This is a Solaris specific patch, it is not meant for upstream contribution.
 # Patch source: in-house
 #
-diff -pur old/src/lib/krb5/os/localauth.c new/src/lib/krb5/os/localauth.c
---- old/src/lib/krb5/os/localauth.c
-+++ new/src/lib/krb5/os/localauth.c
-@@ -133,6 +133,10 @@ get_modules(krb5_context context, krb5_p
+diff --git a/src/lib/krb5/os/localauth.c b/src/lib/krb5/os/localauth.c
+--- a/src/lib/krb5/os/localauth.c
++++ b/src/lib/krb5/os/localauth.c
+@@ -133,6 +133,10 @@ get_modules(krb5_context context, krb5_plugin_initvt_fn **modules_out)
      if (ret)
          return ret;
  
--- a/components/krb5/patches/057-des-md5-fix.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/057-des-md5-fix.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,10 +6,10 @@
 # Patch source: in-house
 #
 
-diff -r -u krb5-1.13.2/src/kdc/kdc_util.c krb5-1.13.2.des-md5-fix/src/kdc/kdc_util.c
---- krb5-1.13.2/src/kdc/kdc_util.c
-+++ krb5-1.13.2.des-md5-fix/src/kdc/kdc_util.c
-@@ -912,16 +912,11 @@
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -987,16 +987,11 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server,
      free(etypes);
  
      /* If configured to, assume every server without a session_enctypes
--- a/components/krb5/patches/058-man-pages.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/058-man-pages.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,9 +6,9 @@
 # that the associated updates are for Solaris only features.
 # Patch source: in-house
 #
-diff -pur old/src/man/kadm5.acl.man new/src/man/kadm5.acl.man
---- old/src/man/kadm5.acl.man	2015-06-02 23:50:06.299043998 -0600
-+++ new/src/man/kadm5.acl.man	2015-06-03 00:21:02.470157817 -0600
+diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
+--- a/src/man/kadm5.acl.man
++++ b/src/man/kadm5.acl.man
 @@ -131,6 +131,12 @@ T}	T{
  T}
  _
@@ -22,12 +22,12 @@
  x
  T}	T{
  Short for admcilsp. All privileges
-diff -pur old/src/man/kadmind.man new/src/man/kadmind.man
---- old/src/man/kadmind.man	2015-06-02 23:50:06.300700577 -0600
-+++ new/src/man/kadmind.man	2015-06-03 00:14:42.953821215 -0600
+diff --git a/src/man/kadmind.man b/src/man/kadmind.man
+--- a/src/man/kadmind.man
++++ b/src/man/kadmind.man
 @@ -141,4 +141,16 @@ MIT
  .SH COPYRIGHT
- 1985-2015, MIT
+ 1985-2016, MIT
  .\" Generated by docutils manpage writer.
 +.SH NOTES
 +.sp
@@ -42,10 +42,10 @@
 +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
 +.sp
  .
-diff -pur old/src/man/kdc.conf.man new/src/man/kdc.conf.man
---- old/src/man/kdc.conf.man	2015-06-02 23:50:06.299728571 -0600
-+++ new/src/man/kdc.conf.man	2015-07-10 02:34:59.845899733 -0600
-@@ -96,6 +96,8 @@ subsection does not contain a relation f
+diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
+--- a/src/man/kdc.conf.man
++++ b/src/man/kdc.conf.man
+@@ -96,6 +96,8 @@ subsection does not contain a relation for the tag.  See the
  .IP \(bu 2
  \fBhost_based_services\fP
  .IP \(bu 2
@@ -66,7 +66,7 @@
  .B \fBkdc_ports\fP
  (Whitespace\- or comma\-separated list.)  Lists the ports on which
  the Kerberos server should listen for UDP requests, as a
-@@ -600,11 +607,64 @@ If no severity is specified, the default
+@@ -600,11 +607,64 @@ If no severity is specified, the default is \fBERR\fP\&.  If no
  facility is specified, the default is \fBAUTH\fP\&.
  .UNINDENT
  .sp
@@ -131,7 +131,7 @@
  .INDENT 0.0
  .INDENT 3.5
  .sp
-@@ -615,6 +675,10 @@ administrative server will be appended t
+@@ -615,6 +675,10 @@ administrative server will be appended to the file
      kdc = SYSLOG:INFO:DAEMON
      admin_server = FILE:/var/adm/kadmin.log
      admin_server = DEVICE=/dev/tty04
@@ -142,12 +142,12 @@
  .ft P
  .fi
  .UNINDENT
-diff -pur old/src/man/kpropd.man new/src/man/kpropd.man
---- old/src/man/kpropd.man	2015-06-02 23:50:06.300408196 -0600
-+++ new/src/man/kpropd.man	2015-06-03 00:14:37.624396664 -0600
-@@ -151,4 +151,16 @@ MIT
+diff --git a/src/man/kpropd.man b/src/man/kpropd.man
+--- a/src/man/kpropd.man
++++ b/src/man/kpropd.man
+@@ -158,4 +158,16 @@ MIT
  .SH COPYRIGHT
- 1985-2015, MIT
+ 1985-2016, MIT
  .\" Generated by docutils manpage writer.
 +.SH NOTES
 +.sp
@@ -162,10 +162,10 @@
 +Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using \fBsvcadm\fR(1M). The service's status can be queried using the \fBsvcs\fR(1) command.
 +.sp
  .
-diff -pur old/src/man/krb5.conf.man new/src/man/krb5.conf.man
---- old/src/man/krb5.conf.man	2015-06-02 23:50:06.301088663 -0600
-+++ new/src/man/krb5.conf.man	2015-07-10 01:32:03.489438178 -0600
-@@ -199,6 +199,10 @@ set if backward compatibility requires a
+diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
+--- a/src/man/krb5.conf.man
++++ b/src/man/krb5.conf.man
+@@ -204,6 +204,10 @@ set if backward compatibility requires a specific checksum type.
  See the \fBkdc_req_checksum_type\fP configuration option for the
  possible values and their meanings.
  .TP
@@ -176,7 +176,7 @@
  .B \fBcanonicalize\fP
  If this flag is set to true, initial ticket requests to the KDC
  will request canonicalization of the client principal name, and
-@@ -499,7 +503,7 @@ attempt fails.
+@@ -509,7 +513,7 @@ attempt fails.
  .B \fBverify_ap_req_nofail\fP
  If this flag is true, then an attempt to verify initial
  credentials will fail if the client machine does not have a
@@ -185,7 +185,7 @@
  .UNINDENT
  .SS [realms]
  .sp
-@@ -823,6 +827,52 @@ other realms should have \fBoption2\fP s
+@@ -833,6 +837,52 @@ other realms should have \fBoption2\fP set to true.
  The list of specifiable options for each application may be found in
  that application\(aqs man pages.  The application defaults specified here
  are overridden by those specified in the \fI\%realms\fP section.
@@ -238,12 +238,12 @@
  .SS [plugins]
  .INDENT 0.0
  .INDENT 3.5
-diff -pur old/src/man/krb5kdc.man new/src/man/krb5kdc.man
---- old/src/man/krb5kdc.man	2015-06-02 23:50:06.300178018 -0600
-+++ new/src/man/krb5kdc.man	2015-06-03 00:17:46.568377702 -0600
+diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
+--- a/src/man/krb5kdc.man
++++ b/src/man/krb5kdc.man
 @@ -152,4 +152,16 @@ MIT
  .SH COPYRIGHT
- 1985-2015, MIT
+ 1985-2016, MIT
  .\" Generated by docutils manpage writer.
 +.SH NOTES
 +.sp
--- a/components/krb5/patches/059-man-pages-fix-paths.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/059-man-pages-fix-paths.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -7,10 +7,10 @@
 # update.
 # Patch source: in-house
 #
-diff -ur krb5-1.13.2/src/man/kadm5.acl.man krb5-1.13.2-man-update/src/man/kadm5.acl.man
---- krb5-1.13.2/src/man/kadm5.acl.man
-+++ krb5-1.13.2-man-update/src/man/kadm5.acl.man
-@@ -38,7 +38,7 @@
+diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
+--- a/src/man/kadm5.acl.man
++++ b/src/man/kadm5.acl.man
+@@ -38,7 +38,7 @@ For operations that affect principals, the ACL file also controls
  which principals can operate on which other principals.
  .sp
  The default location of the Kerberos ACL file is
@@ -19,10 +19,10 @@
  variable in \fIkdc.conf(5)\fP\&.
  .SH SYNTAX
  .sp
-diff -ur krb5-1.13.2/src/man/kadmind.man krb5-1.13.2-man-update/src/man/kadmind.man
---- krb5-1.13.2/src/man/kadmind.man
-+++ krb5-1.13.2-man-update/src/man/kadmind.man
-@@ -67,7 +67,7 @@
+diff --git a/src/man/kadmind.man b/src/man/kadmind.man
+--- a/src/man/kadmind.man
++++ b/src/man/kadmind.man
+@@ -67,7 +67,7 @@ settings.
  kadmind\(aqs ACL (access control list) tells it which principals are
  allowed to perform administration actions.  The pathname to the
  ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
@@ -31,10 +31,10 @@
  .UNINDENT
  .sp
  After the server begins running, it puts itself in the background and
-diff -ur krb5-1.13.2/src/man/kdb5_ldap_util.man krb5-1.13.2-man-update/src/man/kdb5_ldap_util.man
---- krb5-1.13.2/src/man/kdb5_ldap_util.man
-+++ krb5-1.13.2-man-update/src/man/kdb5_ldap_util.man
-@@ -325,7 +325,7 @@
+diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
+--- a/src/man/kdb5_ldap_util.man
++++ b/src/man/kdb5_ldap_util.man
+@@ -325,7 +325,7 @@ to the LDAP server.  Options:
  .TP
  .B \fB\-f\fP \fIfilename\fP
  Specifies the complete path of the service password file. By
@@ -43,10 +43,10 @@
  .TP
  .B \fIname\fP
  Specifies the name of the object whose password is to be stored.
-diff -ur krb5-1.13.2/src/man/kdc.conf.man krb5-1.13.2-man-update/src/man/kdc.conf.man
---- krb5-1.13.2/src/man/kdc.conf.man
-+++ krb5-1.13.2-man-update/src/man/kdc.conf.man
-@@ -39,7 +39,7 @@
+diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
+--- a/src/man/kdc.conf.man
++++ b/src/man/kdc.conf.man
+@@ -39,7 +39,7 @@ KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
  single configuration profile.
  .sp
  Normally, the kdc.conf file is found in the KDC state directory,
@@ -55,7 +55,7 @@
  environment variable \fBKRB5_KDC_PROFILE\fP\&.
  .sp
  Please note that you need to restart the KDC daemon for any configuration
-@@ -139,7 +139,7 @@
+@@ -139,7 +139,7 @@ The following tags may be specified in a [realms] subsection:
  (String.)  Location of the access control list file that
  \fIkadmind(8)\fP uses to determine which principals are allowed
  which permissions on the Kerberos database.  The default value is
@@ -64,7 +64,7 @@
  file see \fIkadm5.acl(5)\fP\&.
  .TP
  .B \fBdatabase_module\fP
-@@ -153,7 +153,7 @@
+@@ -153,7 +153,7 @@ values will be used for all database parameters.
  (String, deprecated.)  This relation specifies the location of the
  Kerberos database for this realm, if the DB2 module is being used
  and the \fI\%[dbmodules]\fP configuration section does not specify a
@@ -73,7 +73,7 @@
  .TP
  .B \fBdefault_principal_expiration\fP
  (\fIabstime\fP string.)  Specifies the default expiration date of
-@@ -300,7 +300,7 @@
+@@ -300,7 +300,7 @@ is 749, which is used by default.
  .TP
  .B \fBkey_stash_file\fP
  (String.)  Specifies the location where the master key has been
@@ -82,7 +82,7 @@
  .TP
  .B \fBkdc_max_tcp_connections\fP
  This relation controls the maximum number of TCP connections the
-@@ -454,7 +454,7 @@
+@@ -454,7 +454,7 @@ The following tags may be specified in a [dbmodules] subsection:
  .TP
  .B \fBdatabase_name\fP
  This DB2\-specific tag indicates the location of the database in
@@ -91,7 +91,7 @@
  .TP
  .B \fBdb_library\fP
  This tag indicates the name of the loadable database module.  The
-@@ -662,8 +662,8 @@
+@@ -662,8 +662,8 @@ In the following example, the logging messages from the KDC will go to
  the console and to the system log under the facility LOG_DAEMON with
  default severity of LOG_INFO; and the logging messages from the
  administrative server will be appended to the file
@@ -102,7 +102,7 @@
  specified time interval of a day.
  .INDENT 0.0
  .INDENT 3.5
-@@ -673,7 +673,7 @@
+@@ -673,7 +673,7 @@ specified time interval of a day.
  [logging]
      kdc = CONSOLE
      kdc = SYSLOG:INFO:DAEMON
@@ -111,7 +111,7 @@
      admin_server = DEVICE=/dev/tty04
      admin_server_rotate = {
          period = 1d
-@@ -696,10 +696,10 @@
+@@ -696,10 +696,10 @@ For each token type, the following tags may be specified:
  This is the server to send the RADIUS request to.  It can be a
  hostname with optional port, an ip address with optional port, or
  a Unix domain socket address.  The default is
@@ -124,7 +124,7 @@
  containing the secret used to encrypt the RADIUS packets.  The
  secret should appear in the first line of the file by itself;
  leading and trailing whitespace on the line will be removed.  If
-@@ -1109,8 +1109,8 @@
+@@ -1119,8 +1119,8 @@ Here\(aqs an example of a kdc.conf file:
      }
  
  [logging]
@@ -135,7 +135,7 @@
  
  [dbdefaults]
      ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
-@@ -1135,7 +1135,7 @@
+@@ -1145,7 +1145,7 @@ Here\(aqs an example of a kdc.conf file:
  .UNINDENT
  .SH FILES
  .sp
@@ -144,10 +144,10 @@
  .SH SEE ALSO
  .sp
  \fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
-diff -ur krb5-1.13.2/src/man/kprop.man krb5-1.13.2-man-update/src/man/kprop.man
---- krb5-1.13.2/src/man/kprop.man
-+++ krb5-1.13.2-man-update/src/man/kprop.man
-@@ -54,7 +54,7 @@
+diff --git a/src/man/kprop.man b/src/man/kprop.man
+--- a/src/man/kprop.man
++++ b/src/man/kprop.man
+@@ -54,7 +54,7 @@ Specifies the realm of the master server.
  .B \fB\-f\fP \fIfile\fP
  Specifies the filename where the dumped principal database file is
  to be found; by default the dumped database file is normally
@@ -156,10 +156,10 @@
  .TP
  .B \fB\-P\fP \fIport\fP
  Specifies the port to use to contact the \fIkpropd(8)\fP server
-diff -ur krb5-1.13.2/src/man/kpropd.man krb5-1.13.2-man-update/src/man/kpropd.man
---- krb5-1.13.2/src/man/kpropd.man
-+++ krb5-1.13.2-man-update/src/man/kpropd.man
-@@ -105,7 +105,7 @@
+diff --git a/src/man/kpropd.man b/src/man/kpropd.man
+--- a/src/man/kpropd.man
++++ b/src/man/kpropd.man
+@@ -106,7 +106,7 @@ default, the master admin server is contacted.
  .TP
  .B \fB\-f\fP \fIfile\fP
  Specifies the filename where the dumped principal database file is
@@ -168,7 +168,7 @@
  .TP
  .B \fB\-p\fP
  Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
-@@ -123,7 +123,7 @@
+@@ -130,7 +130,7 @@ is only useful in combination with the \fB\-S\fP option.
  .TP
  .B \fB\-a\fP \fIacl_file\fP
  Allows the user to specify the path to the kpropd.acl file; by
--- a/components/krb5/patches/060-header-files-cleanup.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/060-header-files-cleanup.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -11,10 +11,10 @@
 #       pushed upstream. We will maintain them as patch.
 # Patch source: in-house
 #
-diff -Naru old/src/lib/gssapi/generic/gssapi.hin new/src/lib/gssapi/generic/gssapi.hin
---- old/src/lib/gssapi/generic/gssapi.hin	2015-10-15 16:48:36.022390540 -0700
-+++ new/src/lib/gssapi/generic/gssapi.hin	2015-10-15 16:43:04.812546338 -0700
-@@ -55,11 +55,6 @@
+diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin
+--- a/src/lib/gssapi/generic/gssapi.hin
++++ b/src/lib/gssapi/generic/gssapi.hin
+@@ -55,11 +55,6 @@ extern "C" {
  #include <stdint.h>
  
  /*
@@ -26,10 +26,10 @@
   * POSIX says that sys/types.h is where size_t is defined.
   */
  #include <sys/types.h>
-diff -Naru old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h
---- old/src/lib/kadm5/admin.h	2015-10-15 16:48:35.974641703 -0700
-+++ new/src/lib/kadm5/admin.h	2015-10-16 11:24:09.072080201 -0700
-@@ -547,6 +547,9 @@
+diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
+--- a/src/lib/kadm5/admin.h
++++ b/src/lib/kadm5/admin.h
+@@ -547,6 +547,9 @@ kadm5_ret_t    kadm5_free_strings(void *server_handle,
                                    krb5_string_attr *strings,
                                    int count);
  
--- a/components/krb5/patches/062-ldap-fixes.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/062-ldap-fixes.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -27,10 +27,22 @@
 # I think we don't need a ticket for this, since it isn't really a
 # user-visible bug.
 # Patch source: in-house
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
---- krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -125,7 +125,8 @@
+diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
+--- a/src/man/kdc.conf.man
++++ b/src/man/kdc.conf.man
+@@ -533,6 +533,8 @@ passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
+ \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
+ \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
+ for SASL authentication.  This file must be kept secure.
++If \fBldap_service_password_file\fP is not specified the default
++of \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/service_passwd\fP is used.
+ .TP
+ .B \fBunlockiter\fP
+ If set to \fBtrue\fP, this DB2\-specific tag causes iteration
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+@@ -125,7 +125,8 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
          }
  
          profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
@@ -40,9 +52,9 @@
      }
  done:
  
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
---- krb5-1.13.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
 @@ -32,8 +32,6 @@
  #define MAX_LEN                 1024
  #define MAX_SERVICE_PASSWD_LEN  256
@@ -52,10 +64,10 @@
  extern int tohex(krb5_data, krb5_data *);
  
  extern void kdb5_ldap_stash_service_password(int argc, char **argv);
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
---- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
-@@ -176,6 +176,7 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+@@ -176,6 +176,7 @@ krb5_ldap_cleanup_handles(krb5_ldap_server_info *ldap_server_info)
          ldap_server_handle = ldap_server_info->ldap_server_handles;
          ldap_server_info->ldap_server_handles = ldap_server_handle->next;
          /* ldap_unbind_s(ldap_server_handle); */
@@ -63,10 +75,10 @@
          free (ldap_server_handle);
          ldap_server_handle = NULL;
      }
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
---- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -360,6 +360,17 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -360,6 +360,17 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
                                    &ldap_context->service_password_file);
          if (ret)
              return ret;
@@ -84,9 +96,9 @@
      }
  
      if (ldap_context->sasl_mech == NULL) {
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
---- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
 @@ -36,6 +36,8 @@
  #ifndef _HAVE_LDAP_MISC_H
  #define _HAVE_LDAP_MISC_H 1
@@ -96,10 +108,10 @@
  /* misc functions */
  
  krb5_boolean
-diff -ur krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
---- krb5-1.13.3/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
-+++ krb5-1.13.3-ldap-fix/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
-@@ -461,7 +461,8 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+@@ -461,7 +461,8 @@ krb5_ldap_iterate_password_policy(krb5_context context, char *match_expr,
      }
  
  cleanup:
@@ -109,15 +121,3 @@
      free(policy);
      ldap_msgfree(result);
      krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
-diff -ur krb5-1.13.3/src/man/kdc.conf.man krb5-1.13.3.ldap-man-fix/src/man/kdc.conf.man
---- krb5-1.13.3/src/man/kdc.conf.man
-+++ krb5-1.13.3.ldap-man-fix/src/man/kdc.conf.man
-@@ -533,6 +533,8 @@
- \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
- \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
- for SASL authentication.  This file must be kept secure.
-+If \fBldap_service_password_file\fP is not specified the default
-+of \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/service_passwd\fP is used.
- .TP
- .B \fBunlockiter\fP
- If set to \fBtrue\fP, this DB2\-specific tag causes iteration
--- a/components/krb5/patches/063-disable-rev-dns-lookup.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/063-disable-rev-dns-lookup.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -4,9 +4,9 @@
 # Solaris in this regard.  MIT will not take this change upstream.
 # Patch source: in-house
 #
-diff -ur krb5-1.13.2/src/lib/krb5/os/sn2princ.c krb5-1.13.2.rev-dns-disable/src/lib/krb5/os/sn2princ.c
---- krb5-1.13.2/src/lib/krb5/os/sn2princ.c
-+++ krb5-1.13.2.rev-dns-disable/src/lib/krb5/os/sn2princ.c
+diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
+--- a/src/lib/krb5/os/sn2princ.c
++++ b/src/lib/krb5/os/sn2princ.c
 @@ -36,7 +36,7 @@
  #endif
  
@@ -16,10 +16,10 @@
  #endif
  
  /*
-diff -ur krb5-1.13.2/src/man/krb5.conf.man krb5-1.13.2.rev-dns-disable/src/man/krb5.conf.man
---- krb5-1.13.2/src/man/krb5.conf.man
-+++ krb5-1.13.2.rev-dns-disable/src/man/krb5.conf.man
-@@ -463,7 +463,7 @@
+diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
+--- a/src/man/krb5.conf.man
++++ b/src/man/krb5.conf.man
+@@ -473,7 +473,7 @@ default, if allowed by the KDC.  The default value is false.
  If this flag is true, reverse name lookup will be used in addition
  to forward name lookup to canonicalizing hostnames for use in
  service principal names.  If \fBdns_canonicalize_hostname\fP is set
@@ -28,10 +28,10 @@
  .TP
  .B \fBrealm_try_domains\fP
  Indicate whether a host\(aqs domain components should be used to
-diff -pur krb5-1.14.2/src/tests/t_sn2princ.py krb5-1.14.2.rev-dns-disable/src/tests/t_sn2princ.py
---- krb5-1.14.2/src/tests/t_sn2princ.py     2016-05-29 21:41:37.484247675 -0700
-+++ krb5-1.14.2.rev-dns-disable/src/tests/t_sn2princ.py     2016-05-29 21:41:18.309183555 -0700
-@@ -6,10 +6,12 @@ offline = (len(args) > 0 and args[0] !=
+diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
+--- a/src/tests/t_sn2princ.py
++++ b/src/tests/t_sn2princ.py
+@@ -6,10 +6,12 @@ offline = (len(args) > 0 and args[0] != "no")
  conf = {'domain_realm': {'kerberos.org': 'R1',
                           'example.com': 'R2',
                           'mit.edu': 'R3'}}
@@ -55,25 +55,9 @@
  def testnr(host, princhost, princrealm):
      # Test with the host-based name type with reverse lookup disabled.
      testbase(host, 'srv-hst', princhost, princrealm, env=no_rdns)
-@@ -69,7 +75,6 @@ if offline:
- # and reverse resolving to these names.
- oname = 'ptr-mismatch.kerberos.org'
- fname = 'www.kerberos.org'
--rname = 'kerberos-org.mit.edu'
- 
- # Verify forward resolution before testing for it.
- try:
-@@ -91,13 +96,20 @@ try:
-     names = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
- except socket.gaierror:
-     skip_rest('reverse sn2princ tests', 'cannot reverse resolve %s' % oname)
--if names[0].lower() != rname:
-+rname = names[0].lower()
-+if rname == fname:
-     skip_rest('reverse sn2princ tests',
--              '%s reverse resolves to %s, not %s' % (oname, names[0], rname))
-+              '%s reverse resolves to %s '
-+             'which should be different from %s' % (oname, rname, fname))
+@@ -96,9 +102,14 @@ if rname == fname:
+               '%s reverse resolves to %s '
+               'which should be different from %s' % (oname, rname, fname))
  
 -# Test default canonicalization (forward and reverse lookup).
 -test(oname, rname, 'R3')
--- a/components/krb5/patches/065-no_MD5_in_rcache.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/065-no_MD5_in_rcache.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -15,10 +15,10 @@
 # http://mailman.mit.edu/pipermail/krbdev/2015-December/012508.html
 # Patch source: in-house
 #
-diff -pur old/src/lib/krb5/rcache/rc_conv.c new/src/lib/krb5/rcache/rc_conv.c
---- old/src/lib/krb5/rcache/rc_conv.c
-+++ new/src/lib/krb5/rcache/rc_conv.c
-@@ -55,7 +55,7 @@ krb5_rc_hash_message(krb5_context contex
+diff --git a/src/lib/krb5/rcache/rc_conv.c b/src/lib/krb5/rcache/rc_conv.c
+--- a/src/lib/krb5/rcache/rc_conv.c
++++ b/src/lib/krb5/rcache/rc_conv.c
+@@ -55,7 +55,7 @@ krb5_rc_hash_message(krb5_context context, const krb5_data *message,
      *out = NULL;
  
      /* Calculate the binary checksum. */
@@ -27,10 +27,10 @@
                                    message, &cksum);
      if (retval)
          return retval;
-diff -pur old/src/lib/krb5/rcache/rc_dfl.c new/src/lib/krb5/rcache/rc_dfl.c
---- old/src/lib/krb5/rcache/rc_dfl.c
-+++ new/src/lib/krb5/rcache/rc_dfl.c
-@@ -391,7 +391,7 @@ parse_counted_string(char **strptr, char
+diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
+--- a/src/lib/krb5/rcache/rc_dfl.c
++++ b/src/lib/krb5/rcache/rc_dfl.c
+@@ -391,7 +391,7 @@ parse_counted_string(char **strptr, char **result)
  /*
   * Hash extension records have the format:
   *  client = <empty string>
@@ -39,7 +39,7 @@
   * Spaces in the client and server string are represented with
   * with backslashes.  Client and server lengths are represented in
   * ASCII decimal (which is different from the 32-bit binary we use
-@@ -408,7 +408,7 @@ check_hash_extension(krb5_donot_replay *
+@@ -408,7 +408,7 @@ check_hash_extension(krb5_donot_replay *rep)
      /* Check if this appears to match the hash extension format. */
      if (*rep->client)
          return 0;
@@ -48,7 +48,7 @@
          return 0;
  
      /* Parse out the message hash. */
-@@ -664,7 +664,7 @@ krb5_rc_io_store(krb5_context context, s
+@@ -664,7 +664,7 @@ krb5_rc_io_store(krb5_context context, struct dfl_data *t,
  
          /* Format the extension value so we know its length. */
          k5_buf_init_dynamic(&extbuf);
--- a/components/krb5/patches/068-ldif-format.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/068-ldif-format.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -8,10 +8,10 @@
 #
 # Patch source: in-house
 #
-diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif new/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
---- old/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2016-04-26 18:05:50.610166618 -0600
-+++ new/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif	2016-04-26 18:10:14.036980432 -0600
-@@ -46,7 +46,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
++++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+@@ -46,7 +46,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.1.1
                  NAME 'krbPrincipalName'
                  EQUALITY caseExactIA5Match
                  SUBSTR caseExactSubstringsMatch
@@ -20,7 +20,7 @@
  
  
  ##### If there are multiple krbPrincipalName values for an entry, this
-@@ -62,7 +62,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+@@ -62,7 +62,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6.1
                  EQUALITY caseExactIA5Match
                  SUBSTR caseExactSubstringsMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
@@ -29,7 +29,7 @@
  
  ##### This specifies the type of the principal, the types could be any of
  ##### the types mentioned in section 6.2 of RFC 4120
-@@ -74,7 +74,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -74,7 +74,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.3.1
                  NAME 'krbPrincipalType'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -38,7 +38,7 @@
  
  
  ##### This flag is used to find whether directory User Password has to be used
-@@ -89,7 +89,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -89,7 +89,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.5.1
                  NAME 'krbUPEnabled'
                  DESC 'Boolean'
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
@@ -47,7 +47,7 @@
  
  
  ##### The time at which the principal expires
-@@ -101,7 +101,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -101,7 +101,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.6.1
                  NAME 'krbPrincipalExpiration'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -56,7 +56,7 @@
  
  
  ##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
-@@ -129,7 +129,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -129,7 +129,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.8.1
                  NAME 'krbTicketFlags'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -65,7 +65,7 @@
  
  
  ##### The maximum ticket lifetime for a principal in seconds
-@@ -141,7 +141,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -141,7 +141,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.9.1
                  NAME 'krbMaxTicketLife'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -74,7 +74,7 @@
  
  
  ##### Maximum renewable lifetime for a principal's ticket in seconds
-@@ -153,7 +153,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -153,7 +153,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.10.1
                  NAME 'krbMaxRenewableAge'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -128,7 +128,7 @@
  
  
  ##### This attribute holds the scope for searching the principals
-@@ -236,7 +236,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -236,7 +236,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.25.1
                  NAME 'krbSearchScope'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -146,7 +146,7 @@
  
  
  ##### This attribute specifies which attribute of the user objects  
-@@ -261,7 +261,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -261,7 +261,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.28.1
                  NAME 'krbPrincNamingAttr'
                  EQUALITY caseIgnoreMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
@@ -164,7 +164,7 @@
  
  
  ##### Maximum lifetime of a principal's password
-@@ -286,7 +286,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -286,7 +286,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.30.1
                  NAME 'krbMaxPwdLife'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -173,7 +173,7 @@
  
  
  ##### Minimum lifetime of a principal's password
-@@ -298,7 +298,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -298,7 +298,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.31.1
                  NAME 'krbMinPwdLife'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -182,7 +182,7 @@
  
  
  ##### Minimum number of character clases allowed in a password
-@@ -310,7 +310,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -310,7 +310,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.32.1
                  NAME 'krbPwdMinDiffChars' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -191,7 +191,7 @@
  
  
  ##### Minimum length of the password
-@@ -322,7 +322,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -322,7 +322,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.33.1
                  NAME 'krbPwdMinLength' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -200,7 +200,7 @@
  
  
  ##### Number of previous versions of passwords that are stored
-@@ -334,7 +334,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -334,7 +334,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.34.1
                  NAME 'krbPwdHistoryLength' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -209,7 +209,7 @@
  
  
  ##### Number of consecutive pre-authentication failures before lockout
-@@ -346,7 +346,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+@@ -346,7 +346,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.1
                  NAME 'krbPwdMaxFailure' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -218,7 +218,7 @@
  
  
  ##### Period after which bad preauthentication count will be reset
-@@ -358,7 +358,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+@@ -358,7 +358,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.2
                  NAME 'krbPwdFailureCountInterval' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -227,7 +227,7 @@
  
  
  ##### Period in which lockout is enforced
-@@ -370,7 +370,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+@@ -370,7 +370,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.3
                  NAME 'krbPwdLockoutDuration' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -236,7 +236,7 @@
  
  
  ##### Policy attribute flags
-@@ -382,7 +382,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+@@ -382,7 +382,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6.2
                  NAME 'krbPwdAttributes'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -245,7 +245,7 @@
  
  
  ##### Policy maximum ticket lifetime
-@@ -394,7 +394,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+@@ -394,7 +394,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6.3
                  NAME 'krbPwdMaxLife'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -254,7 +254,7 @@
  
  
  ##### Policy maximum ticket renewable lifetime
-@@ -406,7 +406,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+@@ -406,7 +406,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6.4
                  NAME 'krbPwdMaxRenewableLife'
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@@ -263,7 +263,7 @@
  
  
  ##### Allowed enctype:salttype combinations for key changes
-@@ -418,7 +418,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6
+@@ -418,7 +418,7 @@ attributetypes: ( 1.2.840.113554.1.4.1.6.5
                  NAME 'krbPwdAllowedKeysalts'
                  EQUALITY caseIgnoreIA5Match
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
@@ -272,7 +272,7 @@
  
  
  ##### FDN pointing to a Kerberos Password Policy object
-@@ -430,7 +430,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -430,7 +430,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.36.1
                  NAME 'krbPwdPolicyReference'
                  EQUALITY distinguishedNameMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
@@ -281,7 +281,7 @@
  
  
  ##### The time at which the principal's password expires
-@@ -442,7 +442,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -442,7 +442,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.37.1
                  NAME 'krbPasswordExpiration'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -299,7 +299,7 @@
  
  
  ##### FDN pointing to a Kerberos Ticket Policy object.
-@@ -494,7 +494,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -494,7 +494,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.40.1
                  NAME 'krbTicketPolicyReference'
                  EQUALITY distinguishedNameMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
@@ -344,7 +344,7 @@
  
  
  ##### The time at which the principal's password last password change happened.
-@@ -596,7 +596,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -596,7 +596,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.45.1
                  NAME 'krbLastPwdChange'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -353,7 +353,7 @@
  
  ##### The time at which the principal was last administratively unlocked.
  
-@@ -607,7 +607,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+@@ -607,7 +607,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.5
                  NAME 'krbLastAdminUnlock'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -380,7 +380,7 @@
  
  
  ##### The time at which the principal's last successful authentication happened.
-@@ -655,7 +655,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -655,7 +655,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.48.1
                  NAME 'krbLastSuccessfulAuth'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -389,7 +389,7 @@
  
  
  ##### The time at which the principal's last failed authentication happened.
-@@ -667,7 +667,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -667,7 +667,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.49.1
                  NAME 'krbLastFailedAuth'
                  EQUALITY generalizedTimeMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
@@ -398,7 +398,7 @@
  
  
  ##### This attribute stores the number of failed authentication attempts
-@@ -680,7 +680,7 @@ attributetypes: ( 2.16.840.1.113719.1.30
+@@ -680,7 +680,7 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.50.1
                  NAME 'krbLoginFailedCount' 
                  EQUALITY integerMatch
                  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
@@ -434,7 +434,7 @@
  
  ##### A list of services to which a service principal can delegate.
  dn: cn=schema
-@@ -728,7 +728,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.
+@@ -728,7 +728,7 @@ attributetypes: ( 1.3.6.1.4.1.5322.21.2.4
                  NAME 'krbAllowedToDelegateTo'
                  EQUALITY caseExactIA5Match
                  SUBSTR caseExactSubstringsMatch
--- a/components/krb5/patches/069-k5identity-disable.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/069-k5identity-disable.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -16,10 +16,10 @@
 #
 # Patch source: in-house
 #
-diff -ur krb5-1.14.2/src/lib/krb5/ccache/ccselect.c krb5-1.14.2-23301407/src/lib/krb5/ccache/ccselect.c
---- krb5-1.14.2/src/lib/krb5/ccache/ccselect.c
-+++ krb5-1.14.2-23301407/src/lib/krb5/ccache/ccselect.c
-@@ -59,12 +59,17 @@
+diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
+--- a/src/lib/krb5/ccache/ccselect.c
++++ b/src/lib/krb5/ccache/ccselect.c
+@@ -59,12 +59,17 @@ load_modules(krb5_context context)
      krb5_plugin_initvt_fn *modules = NULL, *mod;
      size_t count;
  
@@ -39,10 +39,10 @@
  
      ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "realm",
                               ccselect_realm_initvt);
-diff -ur krb5-1.14.2/src/man/krb5.conf.man krb5-1.14.2-23301407/src/man/krb5.conf.man
---- krb5-1.14.2/src/man/krb5.conf.man
-+++ krb5-1.14.2-23301407/src/man/krb5.conf.man
-@@ -943,10 +943,6 @@
+diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
+--- a/src/man/krb5.conf.man
++++ b/src/man/krb5.conf.man
+@@ -943,10 +943,6 @@ dynamic modules, the following built\-in modules exist (and may be
  disabled with the disable tag):
  .INDENT 0.0
  .TP
@@ -53,10 +53,10 @@
  .B \fBrealm\fP
  Uses the service realm to guess an appropriate cache from the
  collection
-diff -ur krb5-1.14.2/src/tests/gssapi/t_ccselect.py krb5-1.14.2-23301407/src/tests/gssapi/t_ccselect.py
---- krb5-1.14.2/src/tests/gssapi/t_ccselect.py
-+++ krb5-1.14.2-23301407/src/tests/gssapi/t_ccselect.py
-@@ -103,22 +103,24 @@
+diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
+--- a/src/tests/gssapi/t_ccselect.py
++++ b/src/tests/gssapi/t_ccselect.py
+@@ -103,22 +103,24 @@ r1.run(['./t_ccselect', gssserver], expected_code=1)
  r1.kinit(bob, password('bob'))
  
  # Try some cache selections using .k5identity.
@@ -98,10 +98,10 @@
 +    "k5identity tests...\n");
  
  success('GSSAPI credential selection tests')
-diff -ur krb5-1.14.2/src/tests/gssapi/t_client_keytab.py krb5-1.14.2-23301407/src/tests/gssapi/t_client_keytab.py
---- krb5-1.14.2/src/tests/gssapi/t_client_keytab.py
-+++ krb5-1.14.2-23301407/src/tests/gssapi/t_client_keytab.py
-@@ -21,15 +21,17 @@
+diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
+--- a/src/tests/gssapi/t_client_keytab.py
++++ b/src/tests/gssapi/t_client_keytab.py
+@@ -21,15 +21,17 @@ if realm.user_princ not in out:
  realm.run([kdestroy])
  
  # Test 2: no name/cache specified, pick principal from k5identity
--- a/components/krb5/patches/070-gss_store_cred-fix.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/070-gss_store_cred-fix.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -10,10 +10,10 @@
 # Patch source: in-house
 #
 
-diff -ur krb5-1.14.2/src/lib/gssapi/krb5/store_cred.c krb5-1.14.2-23587748/src/lib/gssapi/krb5/store_cred.c
---- krb5-1.14.2/src/lib/gssapi/krb5/store_cred.c
-+++ krb5-1.14.2-23587748/src/lib/gssapi/krb5/store_cred.c
-@@ -144,6 +144,15 @@
+diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
+--- a/src/lib/gssapi/krb5/store_cred.c
++++ b/src/lib/gssapi/krb5/store_cred.c
+@@ -143,6 +143,15 @@ copy_initiator_creds(OM_uint32 *minor_status,
              major_status = GSS_S_FAILURE;
              goto cleanup;
          }
--- a/components/krb5/patches/071-t_kdb-slapd.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/071-t_kdb-slapd.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -6,9 +6,10 @@
 # Patch source: in-house
 #
 
---- krb5-1.14.2-23587748/src/tests/t_kdb.py
-+++ krb5-1.14.2/src/tests/t_kdb.py
-@@ -14,7 +14,10 @@
+diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
+--- a/src/tests/t_kdb.py
++++ b/src/tests/t_kdb.py
+@@ -14,7 +14,10 @@ if (not os.path.exists(os.path.join(plugins, 'kdb', 'kldap.so')) and
  
  system_slapd = which('slapd')
  if not system_slapd:
@@ -20,7 +21,7 @@
  
  ldapdir = os.path.abspath('ldap')
  slapd = os.path.join(ldapdir, 'slapd')
-@@ -44,6 +47,8 @@
+@@ -44,6 +47,8 @@ shutil.copy(system_slapd, slapd)
  core_schema = None
  if os.path.isfile('/etc/ldap/schema/core.schema'):
      core_schema = '/etc/ldap/schema/core.schema'
@@ -29,7 +30,7 @@
  
  # Make a slapd config file.  This is deprecated in OpenLDAP 2.3 and
  # later, but it's easier than using LDIF and slapadd.  Include some
-@@ -54,8 +59,7 @@
+@@ -54,8 +59,7 @@ file.write('pidfile %s\n' % slapd_pidfile)
  file.write('include %s\n' % schema)
  if core_schema:
      file.write('include %s\n' % core_schema)
--- a/components/krb5/patches/072-client-keytab-fix.patch	Tue Aug 09 17:39:40 2016 +0000
+++ b/components/krb5/patches/072-client-keytab-fix.patch	Tue Aug 09 21:10:38 2016 -0700
@@ -11,17 +11,13 @@
 # The final commit was
 # https://github.com/krb5/krb5/commit/bd2c2a02e22c609b3c7e9f92d6634e151d14e478
 #
-# Also note that the fix to src/lib/krb5/os/expand_path.c was handled by MIT
-# via ticket 8455 k5_expand_path_tokens_extra() always returns 0 even if
-# expand_token() fails which was integrated in MIT v1.14.3.
-#
 # Patch source: in-house
 #
 
-diff -ur krb5-1.14.2/src/include/k5-trace.h krb5-1.14.2-patched/src/include/k5-trace.h
---- krb5-1.14.2/src/include/k5-trace.h
-+++ krb5-1.14.2-patched/src/include/k5-trace.h
-@@ -180,6 +180,9 @@
+diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
+--- a/src/include/k5-trace.h
++++ b/src/include/k5-trace.h
+@@ -180,6 +180,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
  #define TRACE_GIC_PWD_MASTER(c)                         \
      TRACE(c, "Retrying AS request with master KDC")
  
@@ -31,10 +27,10 @@
  #define TRACE_ENCTYPE_LIST_UNKNOWN(c, profvar, name)                    \
      TRACE(c, "Unrecognized enctype name in {str}: {str}", profvar, name)
  
-diff -ur krb5-1.14.2/src/lib/gssapi/krb5/acquire_cred.c krb5-1.14.2-patched/src/lib/gssapi/krb5/acquire_cred.c
---- krb5-1.14.2/src/lib/gssapi/krb5/acquire_cred.c
-+++ krb5-1.14.2-patched/src/lib/gssapi/krb5/acquire_cred.c
-@@ -348,6 +348,9 @@
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -348,6 +348,9 @@ can_get_initial_creds(krb5_context context, krb5_gss_cred_id_rec *cred)
      if (cred->password != NULL)
          return TRUE;
  
@@ -44,7 +40,7 @@
      /* If we don't know the client principal yet, check for any keytab keys. */
      if (cred->name == NULL)
          return !krb5_kt_have_content(context, cred->client_keytab);
-@@ -522,6 +525,10 @@
+@@ -522,6 +525,10 @@ get_name_from_client_keytab(krb5_context context, krb5_gss_cred_id_rec *cred)
      krb5_principal princ;
  
      assert(cred->name == NULL);
@@ -55,7 +51,7 @@
      code = k5_kt_get_principal(context, cred->client_keytab, &princ);
      if (code)
          return code;
-@@ -601,9 +608,11 @@
+@@ -601,9 +608,11 @@ get_initial_cred(krb5_context context, krb5_gss_cred_id_rec *cred)
          code = krb5_get_init_creds_password(context, &creds, cred->name->princ,
                                              cred->password, NULL, NULL, 0,
                                              NULL, opt);
@@ -68,7 +64,7 @@
      }
      if (code)
          goto cleanup;
-@@ -680,10 +689,18 @@
+@@ -680,10 +689,18 @@ acquire_init_cred(krb5_context context,
              goto error;
      }
  
@@ -89,10 +85,10 @@
      if (code)
          goto error;
  
-diff -ur krb5-1.14.2/src/lib/gssapi/krb5/iakerb.c krb5-1.14.2-patched/src/lib/gssapi/krb5/iakerb.c
---- krb5-1.14.2/src/lib/gssapi/krb5/iakerb.c
-+++ krb5-1.14.2-patched/src/lib/gssapi/krb5/iakerb.c
-@@ -454,9 +454,11 @@
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -454,9 +454,11 @@ iakerb_init_creds_ctx(iakerb_ctx_id_t ctx,
      if (cred->password != NULL) {
          code = krb5_init_creds_set_password(ctx->k5c, ctx->icc,
                                              cred->password);
@@ -105,20 +101,10 @@
      }
      if (code != 0)
          goto cleanup;
-diff -ur krb5-1.14.2/src/lib/krb5/os/expand_path.c krb5-1.14.2-patched/src/lib/krb5/os/expand_path.c
---- krb5-1.14.2/src/lib/krb5/os/expand_path.c
-+++ krb5-1.14.2-patched/src/lib/krb5/os/expand_path.c
-@@ -537,5 +537,5 @@
- cleanup:
-     k5_buf_free(&buf);
-     free_extra_tokens(extra_tokens);
--    return 0;
-+    return ret;
- }
-diff -ur krb5-1.14.2/src/tests/gssapi/t_client_keytab.py krb5-1.14.2-patched/src/tests/gssapi/t_client_keytab.py
---- krb5-1.14.2/src/tests/gssapi/t_client_keytab.py
-+++ krb5-1.14.2-patched/src/tests/gssapi/t_client_keytab.py
-@@ -141,4 +141,14 @@
+diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
+--- a/src/tests/gssapi/t_client_keytab.py
++++ b/src/tests/gssapi/t_client_keytab.py
+@@ -141,4 +141,14 @@ if 'No credentials cache found' not in out:
      fail('Expected error not seen')
  realm.run([kdestroy, '-A'])
upstream/oracle/userland-gate