23116175 Get the cyrus-sasl component ready for MIT-default Kerberos
23041772 Reconcile redundancies between patches and Makefile
23044356 Unable to build openldap if cyrus-sasl requests -lldap_r for ldapdb
22928693 Now that libsasl2 is available, openldap should call it out as a dependency
23072799 fix dead/broken links in sasl html docs
23077448 Broken links with Net TI install with facet.devel=false - libsasl2
--- a/components/cyrus-sasl/Makefile Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/Makefile Wed Apr 27 16:55:22 2016 -0700
@@ -54,7 +54,7 @@
SASL_CONFDIR = $(ETCDIR)/sasl2
PROTO_CONFDIR = $(PROTO_DIR)$(SASL_CONFDIR)
-TESTS_DIR=$(PROTO_DIR)/$(SASL2)/tests
+TESTS_DIR=$(PROTO_DIR)/tests
TESTS_32_DIR=$(TESTS_DIR)/$(MACH32)
# Migrated from ON in S12, including stuff from system/header, so this
@@ -73,11 +73,18 @@
CPPFLAGS += -I$(USRINCDIR)/openldap
LDFLAGS += $(CC_BITS) -lscf -lresolv
+# if there is no mediator, use MIT
+KRB5_API = $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}')
+
CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR)
CONFIGURE_OPTIONS += --enable-auth-sasldb
CONFIGURE_OPTIONS += --with-dblib=berkeley
CONFIGURE_OPTIONS += --with-saslauthd=$(USRSBINDIR)/saslauthd
+ifeq ($(KRB5_API), solaris)
CONFIGURE_OPTIONS += --with-gss_impl=seam
+else
+CONFIGURE_OPTIONS += --with-gss_impl=mit
+endif
CONFIGURE_OPTIONS += --without-gnu-ld
CONFIGURE_OPTIONS.32 += --with-plugindir=$(SASL2.32)
CONFIGURE_OPTIONS.64 += --with-plugindir=$(SASL2.64)
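Review bot: `KRB5_API` on the `+KRB5_API = $(shell …)` line is assigned with recursive `=`, so `pkg mediator` is forked again on every expansion, including inside the `ifneq` of the REQUIRED_PACKAGES hunk at the end of this file; use `KRB5_API := $(shell pkg mediator -H kerberos5 2>/dev/null | nawk '{print $$4;}')` so it runs once at parse time. Because stderr is discarded, a missing or failing `pkg` silently yields an empty value and the `else` branch selects mit; the comment says that is the intent, but it is worth stating next to the `ifeq`, e.g. `# KRB5_API is empty when pkg fails or no mediator is set; treat that as MIT`. Column 4 of the `-H` output is presumably the implementation field, matching `${MEDIATOR[3]}` in setup_testsuite; wrapping the value in `$(strip …)` also keeps the comparison safe against stray whitespace.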
@@ -88,11 +95,7 @@
CONFIGURE_OPTIONS += --enable-sample
CONFIGURE_OPTIONS += --enable-login
CONFIGURE_OPTIONS += --with-configdir=$(ETCDIR)/sasl2
-
-# 23044356 must be fixed before this can be enabled
-# bugzilla.cyrusimap.org 3926 must be fixed before this can be useful
-# except for testing
-# CONFIGURE_OPTIONS += --enable-ldapdb
+CONFIGURE_OPTIONS += --enable-ldapdb
PKG_PROTO_DIRS += $(SOURCE_DIR)/doc $(COMPONENT_DIR)/Solaris
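Review bot: `--enable-ldapdb` is switched on unconditionally while the removed comment tied it to two open issues, 23044356 and upstream bugzilla 3926, and the new side carries no trace of why either is now resolved. A one-line comment would keep that context for the next reader, e.g. `# ldapdb enabled: the -lldap_r linkage fix is in patches/110-solaris-configure.patch (23044356)`. Whether bugzilla 3926 ("useful except for testing") is addressed is not visible in this change and deserves a word as well.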
@@ -176,7 +179,8 @@
CLEAN_PATHS += $(TARBALL_DIR)
test_tarball: sasltest.tgz
-TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup
+TEST_SCRIPTS= setup_testsuite run_testsuite transform-results cleanup \
+ setup-for-mit setup-for-seam
sasltest.tgz: install
$(MKDIR) $(TARBALL_DIR)
@@ -193,4 +197,7 @@
REQUIRED_PACKAGES += developer/build/automake-115
REQUIRED_PACKAGES += library/openldap
REQUIRED_PACKAGES += library/security/openssl
+ifneq ($(KRB5_API), solaris)
+ REQUIRED_PACKAGES += security/kerberos-5
+endif
REQUIRED_PACKAGES += system/library/security/gss
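Review bot: The added `REQUIRED_PACKAGES += security/kerberos-5` inside `ifneq` is indented with a leading space, whereas the `ifeq`/`else` block for `--with-gss_impl` earlier in this file keeps its assignments flush-left. Make tolerates leading spaces before an assignment, but a leading tab would turn the line into recipe text, so the safer and consistent form is the unindented `REQUIRED_PACKAGES += security/kerberos-5`.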
--- a/components/cyrus-sasl/libsasl2.p5m Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/libsasl2.p5m Wed Apr 27 16:55:22 2016 -0700
@@ -42,7 +42,7 @@
value=org.opensolaris.category.2008:System/Libraries
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/194
+set name=org.opensolaris.arc-caseid value=PSARC/2015/194 value=PSARC/2016/158
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
dir path=etc/sasl2 owner=root group=sys mode=0755
file README path=etc/sasl2/README
@@ -58,9 +58,7 @@
link path=usr/lib/$(MACH64)/libsasl2.so target=libsasl2.so.3.0.0
link path=usr/lib/$(MACH64)/libsasl2.so.3 target=libsasl2.so.3.0.0
file path=usr/lib/$(MACH64)/libsasl2.so.3.0.0
-link path=usr/lib/$(MACH64)/llib-lsasl target=../llib-lsasl2
link path=usr/lib/$(MACH64)/llib-lsasl.ln target=llib-lsasl2.ln
-link path=usr/lib/$(MACH64)/llib-lsasl2 target=../llib-lsasl2
file path=usr/lib/$(MACH64)/llib-lsasl2.ln
link path=usr/lib/$(MACH64)/pkgconfig/libsasl.pc target=libsasl2.pc
file path=usr/lib/$(MACH64)/pkgconfig/libsasl2.pc
@@ -134,6 +132,28 @@
file advanced.html path=usr/share/doc/libsasl2/advanced.html
file appconvert.html path=usr/share/doc/libsasl2/appconvert.html
file components.html path=usr/share/doc/libsasl2/components.html
+file draft-burdis-cat-srp-sasl-xx.txt \
+ path=usr/share/doc/libsasl2/draft-burdis-cat-srp-sasl-xx.txt
+file draft-ietf-sasl-anon-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-anon-xx.txt
+file draft-ietf-sasl-crammd5-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-crammd5-xx.txt
+file draft-ietf-sasl-gssapi-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-gssapi-xx.txt
+file draft-ietf-sasl-plain-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-plain-xx.txt
+file draft-ietf-sasl-rfc2222bis-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2222bis-xx.txt
+file draft-ietf-sasl-rfc2831bis-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-rfc2831bis-xx.txt
+file draft-ietf-sasl-saslprep-xx.txt \
+ path=usr/share/doc/libsasl2/draft-ietf-sasl-saslprep-xx.txt
+file draft-murchison-sasl-login-xx.txt \
+ path=usr/share/doc/libsasl2/draft-murchison-sasl-login-xx.txt
+file draft-newman-sasl-c-api-xx.txt \
+ path=usr/share/doc/libsasl2/draft-newman-sasl-c-api-xx.txt
+file draft-newman-sasl-passdss-xx.txt \
+ path=usr/share/doc/libsasl2/draft-newman-sasl-passdss-xx.txt
file gssapi.html path=usr/share/doc/libsasl2/gssapi.html
file index.html path=usr/share/doc/libsasl2/index.html
file install.html path=usr/share/doc/libsasl2/install.html
@@ -142,6 +162,19 @@
file options.html path=usr/share/doc/libsasl2/options.html
file plugprog.html path=usr/share/doc/libsasl2/plugprog.html
file programming.html path=usr/share/doc/libsasl2/programming.html
+file rfc1321.txt path=usr/share/doc/libsasl2/rfc1321.txt
+file rfc1939.txt path=usr/share/doc/libsasl2/rfc1939.txt
+file rfc2104.txt path=usr/share/doc/libsasl2/rfc2104.txt
+file rfc2195.txt path=usr/share/doc/libsasl2/rfc2195.txt
+file rfc2222.txt path=usr/share/doc/libsasl2/rfc2222.txt
+file rfc2243.txt path=usr/share/doc/libsasl2/rfc2243.txt
+file rfc2245.txt path=usr/share/doc/libsasl2/rfc2245.txt
+file rfc2289.txt path=usr/share/doc/libsasl2/rfc2289.txt
+file rfc2444.txt path=usr/share/doc/libsasl2/rfc2444.txt
+file rfc2595.txt path=usr/share/doc/libsasl2/rfc2595.txt
+file rfc2831.txt path=usr/share/doc/libsasl2/rfc2831.txt
+file rfc2945.txt path=usr/share/doc/libsasl2/rfc2945.txt
+file rfc3174.txt path=usr/share/doc/libsasl2/rfc3174.txt
file sysadmin.html path=usr/share/doc/libsasl2/sysadmin.html
file upgrading.html path=usr/share/doc/libsasl2/upgrading.html
file windows.html path=usr/share/doc/libsasl2/windows.html
--- a/components/cyrus-sasl/patches/102-sasldir-fix.patch Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/patches/102-sasldir-fix.patch Wed Apr 27 16:55:22 2016 -0700
@@ -1,5 +1,6 @@
-Developed in-house at Oracle
-Bugzilla Bug 3401 sasldir and plugindir in Makefile.am
+# Developed in-house at Oracle
+# Commented on bugzilla Bug 3401 sasldir and plugindir in Makefile.am
+# Upstream is considering multiple solutions, attached this patch to the bug.
diff -rupN old/configure.in new/configure.in
--- old/configure.in 2015-01-16 16:06:51.953695234 -0800
--- a/components/cyrus-sasl/patches/107-build-testsuite.patch Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking this to be an option for configure
-
-diff -rupN old/utils/Makefile.am new/utils/Makefile.am
---- old/utils/Makefile.am 2016-02-12 11:48:32.389775435 -0800
-+++ new/utils/Makefile.am 2016-02-12 11:51:08.007216490 -0800
-@@ -48,7 +48,7 @@ all_sasl_static_libs = ../lib/.libs/libs
- sbin_PROGRAMS = @SASL_DB_UTILS@ @SMTPTEST_PROGRAM@ pluginviewer
- EXTRA_PROGRAMS = saslpasswd2 sasldblistusers2 testsuite testsuitestatic smtptest pluginviewer
-
--noinst_PROGRAMS = dbconverter-2
-+noinst_PROGRAMS = dbconverter-2 testsuite
-
- if NO_SASL_DB_MANS
- man_MANS =
--- a/components/cyrus-sasl/patches/108-sample-test-tools.patch Wed Apr 27 16:15:18 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-Developed in-house at Oracle
-Will file a bug upstream asking for this to be a configure option
-
-diff -rupN old/sample/Makefile.am new/sample/Makefile.am
---- old/sample/Makefile.am 2016-02-16 13:53:52.473628366 -0800
-+++ new/sample/Makefile.am 2016-02-16 14:14:10.022927698 -0800
-@@ -44,7 +44,7 @@
-
- INCLUDES=-I$(top_srcdir)/include
-
--noinst_PROGRAMS = client server
-+noinst_PROGRAMS = client server sample-client sample-server
- EXTRA_PROGRAMS = sample-client sample-server
- CLEANFILES=sample-client sample-server ./.libs/*sample-client ./.libs/*sample-server
-
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/110-solaris-configure.patch Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,31 @@
+# Developed in-house at Oracle
+# File bug 3239 upstream asking for a configure option to give a path or name
+# for the openldap library.
+# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3929
+
+diff -rupN old/configure.in new/configure.in
+--- old/configure.in 2016-02-23 19:24:33.185997552 -0800
++++ new/configure.in 2016-02-24 10:14:11.001802600 -0800
+@@ -968,7 +968,7 @@ if test "$ldapdb" != no; then
+ CMU_OPENLDAP_API
+
+ if test "$cmu_cv_openldap_api" = yes; then
+- AC_CHECK_LIB(ldap, ldap_initialize, [ cmu_link_openldap="-lldap -llber" ], [ cmu_link_openldap=no ],-llber)
++ AC_CHECK_LIB(ldap_r, ldap_initialize, [ cmu_link_openldap="-lldap_r -llber" ], [ cmu_link_openldap=no ],-llber)
+ fi
+ fi
+
+diff -rupN old/saslauthd/configure.in new/saslauthd/configure.in
+--- old/saslauthd/configure.in 2016-02-23 19:24:48.448493822 -0800
++++ new/saslauthd/configure.in 2016-02-24 06:26:13.041626875 -0800
+@@ -138,8 +138,8 @@ fi
+
+ LDAP_LIBS=""
+ if test "$with_ldap" != no; then
+- AC_CHECK_LIB(ldap, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
+- LDAP_LIBS="-lldap -llber"
++ AC_CHECK_LIB(ldap_r, ldap_initialize, [ AC_DEFINE(HAVE_LDAP,[],[Support for LDAP?])
++ LDAP_LIBS="-lldap_r -llber"
+ if test "$with_openssl" != "no"; then
+ LDAP_LIBS="$LDAP_LIBS -lcrypto $LIB_RSAREF"
+ fi],,-llber)
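Review bot: The patch header says `File bug 3239 upstream` but the URL on the next line is `show_bug.cgi?id=3929`; one of the two numbers is a typo, and since 3929 is the one that can be followed, the header line should probably read `# Filed bug 3929 upstream asking for a configure option to give a path or name`. Separately, both hunks replace the `ldap` probe with `ldap_r` outright rather than trying `ldap_r` first and falling back to `ldap`; that is fine for a Solaris-only patch, but a sentence in the header saying the fallback was dropped deliberately would save the next maintainer from re-adding it.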
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/patches/111-fix-html-doc-links.patch Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,39 @@
+# This patch has been fed upstream.
+# Patch to remove links to documents that are no longer available, fix
+# changed links.
+# http://bugzilla.cyrusimap.org/show_bug.cgi?id=3930
+
+diff -rupN old/doc/index.html new/doc/index.html
+--- old/doc/index.html 2016-04-07 17:43:16.583489776 -0700
++++ new/doc/index.html 2016-04-12 11:01:09.353415779 -0700
+@@ -40,7 +40,6 @@ library distribution</B></A>
+ <b>Special Platforms</b>
+ <ul>
+ <li> <a href="macosx.html"><b>Mac OS X Build Guide</b></a>
+-<li> <a href="os390.html"><b>OS/390 Build Guide</b></a>
+ <li> <a href="windows.html"><b>Win32 Build Guide</b></a>
+ </ul>
+
+diff -rupN old/doc/install.html new/doc/install.html
+--- old/doc/install.html 2016-04-07 17:43:16.597328339 -0700
++++ new/doc/install.html 2016-04-12 11:01:33.989542591 -0700
+@@ -218,7 +218,6 @@ can be linked against other dynamic obje
+ library file extension is ".so", or where libtool creates the .la
+ files correctly. There is also documentation for
+ <a href=windows.html>Win32</a>, <a href=macosx.html>MacOS X</a>, and
+-<a href=os390.html>OS/390</a>.
+
+ <hr>
+ Back to the <a href="index.html">index</a>
+diff -rupN old/doc/readme.html new/doc/readme.html
+--- old/doc/readme.html 2016-04-07 17:43:16.589392684 -0700
++++ new/doc/readme.html 2016-04-12 11:02:38.062666985 -0700
+@@ -102,7 +102,7 @@ we only have static Krb5 libraries; the
+ these libraries in on platforms that support it (Solaris and Linux
+ among them) but it does not. It also doesn't always get the runpath
+ of libraries correct.
+-<li>Also see our <A HREF=http://bugzilla.andrew.cmu.edu>bugzilla</A>.
++<li>Also see our <A HREF="http://bugzilla.cyrusimap.org/index.cgi">bugzilla</A>.
+ </ul>
+
+ <H2>AUTHORS</H2>
--- a/components/cyrus-sasl/test/TestSuite.conf Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/test/TestSuite.conf Wed Apr 27 16:55:22 2016 -0700
@@ -19,7 +19,7 @@
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
-# Default test parameters
+# Default test parameters, NOT default production parameters.
auxprop_plugin: sasldb
canon_user_plugin: INTERNAL
mech_list: LOGIN PLAIN EXTERNAL OTP CRAM-MD5 DIGEST-MD5 ANONYMOUS GSSAPI SCRAM-SHA-1
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/test/setup-for-mit Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,212 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+# have to use longer string because the end of security/kerberos5 matches
+# 2 packages, old and new.
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+ pkg://solaris/security/kerberos-5 \
+ security/kerberos-5/kdc "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ echo "One or more packages failed to install"
+ exit 1
+fi
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+if ! $force
+then
+ ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+ yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system. If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+ if [[ -n "$kt_config_file" ]]
+ then
+ if ! $force
+ then
+ ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+ fi
+ while read host services
+ do
+ if [[ "$host" == "#*" ]]
+ then
+ # skip comments
+ continue
+ fi
+ if [[ "$host" != "localhost" ]]
+ then
+ hostkeytab="/var/run/${host}.keytab"
+ rm -f $hostkeytab
+ kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+ fi
+ for service in $services
+ do
+ if [[ "$host" == "localhost" ]]
+ then
+ # add service to KDC's keytab
+ kadmin.local -q "addprinc -randkey $service/$fqdn"
+ kadmin.local -q "ktadd $service/$fqdn"
+ print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+ else
+ # add service to $host's keytab
+ kadmin.local -q "addprinc -randkey $service/$host"
+ kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+ print "\nAdded $service/$host to $hostkeytab"
+ fi
+ done
+ ((num_keytabs = num_keytabs + 1))
+ done < $kt_config_file
+ fi
+
+ if [[ -n "$crossrealm" ]]
+ then
+ # Setup Cross-realm auth.
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+ print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+ fi
+
+ # Optional, Add service principals on KDC
+ for srv in nfs ldap smtp imap cifs
+ do
+ # randomizes the key anyway so use the -randkey option for addprinc).
+ kadmin.local -q "addprinc -randkey $srv/$fqdn"
+ kadmin.local -q "ktadd $srv/$fqdn"
+ done
+
+
+ # "tester" needed for setup
+ kadmin.local -q "addprinc -pw $passwd tester"
+
+ # "ken" needed for test
+ echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+ kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
+then
+ tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+ [[ -n $tmpnfssec ]] || exit 1
+ sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+ mv -f $tmpnfssec /etc/nfssec.conf
+ print 'Enabled krb5 sec in /etc/nfssec.conf.'
+ print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+ print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+ cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+ svcadm enable -s svc:/network/ntp:default
+fi
+
+svcadm enable -s svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+ svcs -x svc:/network/rpc/gss:default
+ cat <<-EOF
+
+Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
+
+EOF
+ exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+ print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+ exit 1
+fi
+
+integer i=0
+while ((i < num_keytabs))
+do
+ if ((i == 0))
+ then
+ print "\nRun the following commands to transfer generated keytabs:"
+ fi
+ print ${kt_transfer_command[i]}
+ ((i = i + 1))
+done
+
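Review bot: The comment filter `if [[ "$host" == "#*" ]]` in the keytab loop never matches, because a quoted right-hand side in a ksh `[[ ]]` comparison is taken literally rather than as a glob; a `#`-prefixed line in `$kt_config_file` is therefore treated as a host, producing `rm -f /var/run/#….keytab`, `addprinc`/`ktadd` calls for it and a bogus `scp` transfer command. Use an unquoted pattern: `if [[ "$host" == \#* ]]`. The same line appears in setup-for-seam. Separately, `$tmpccache` created for the `kinit` check is never removed, leaving a live ticket cache for `tester` under /tmp after setup; `kdestroy -c $tmpccache` (or at least `rm -f $tmpccache`) after the check would clean it up.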
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cyrus-sasl/test/setup-for-seam Wed Apr 27 16:55:22 2016 -0700
@@ -0,0 +1,241 @@
+#!/bin/ksh93 -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
+ service/security/kerberos-5 \
+ system/security/kerberos-5 "
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ pkg install $PACKAGES_NEEDED
+fi
+
+pkg list $PACKAGES_NEEDED > /dev/null
+if (( $? != 0 ))
+then
+ echo "One or more packages failed to install"
+ exit 1
+fi
+
+
+passwd="1234"
+
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+svcadm disable -s svc:/network/security/krb5kdc:default
+svcadm disable -s svc:/network/security/kadmin:default
+svcadm disable -s svc:/network/security/krb5_prop:default
+
+if ! $force
+then
+ ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
+fi
+
+trap - ERR # in kdcmgr destroy fails, run it again
+yes | /usr/sbin/kdcmgr destroy > /dev/null
+if (( $? != 0 ))
+then
+ yes | /usr/sbin/kdcmgr destroy > /dev/null
+fi
+print "Existing KDC config destroyed."
+trap "echo 'A command failed, aborting.'; exit 1" ERR
+
+passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
+
+print $passwd > $passwd_file
+
+# create the master KDC
+if [[ -n $master_kdc ]]
+then
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
+else
+ /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
+fi
+
+rm -f $passwd_file
+
+# Optional stuff follows...
+
+# Note, this next section is adding various service principals local to
+# this system. If you have servers running on other systems, edit this
+# section to add the services using the FQDN hostnames of those systems
+# and ouput the keytab to a non-default filename.
+# You will then either copy the non-default filename created on the
+# system you ran this script on or login to the other system and do a
+# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
+# located on that server.
+
+# addprincs if not in slave mode
+if [[ -z $master_kdc ]]
+then
+ if [[ -n "$kt_config_file" ]]
+ then
+ if ! $force
+ then
+ ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
+ fi
+ while read host services
+ do
+ if [[ "$host" == "#*" ]]
+ then
+ # skip comments
+ continue
+ fi
+ if [[ "$host" != "localhost" ]]
+ then
+ hostkeytab="/var/run/${host}.keytab"
+ rm -f $hostkeytab
+ kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
+ fi
+ for service in $services
+ do
+ if [[ "$host" == "localhost" ]]
+ then
+ # add service to KDC's keytab
+ kadmin.local -q "addprinc -randkey $service/$fqdn"
+ kadmin.local -q "ktadd $service/$fqdn"
+ print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
+ else
+ # add service to $host's keytab
+ kadmin.local -q "addprinc -randkey $service/$host"
+ kadmin.local -q "ktadd -k $hostkeytab $service/$host"
+ print "\nAdded $service/$host to $hostkeytab"
+ fi
+ done
+ ((num_keytabs = num_keytabs + 1))
+ done < $kt_config_file
+ fi
+
+ if [[ -n "$crossrealm" ]]
+ then
+ # Setup Cross-realm auth.
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
+ kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
+ print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
+ fi
+
+ # Optional, Add service principals on KDC
+ for srv in nfs ldap smtp imap cifs
+ do
+ # randomizes the key anyway so use the -randkey option for addprinc).
+ kadmin.local -q "addprinc -randkey $srv/$fqdn"
+ kadmin.local -q "ktadd $srv/$fqdn"
+ done
+
+
+ # "tester" needed for setup
+ kadmin.local -q "addprinc -pw $passwd tester"
+
+ # "ken" needed for test
+ echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
+ kadmin.local -q "addprinc -pw $passwd ken"
+
+fi # addprincs if not in slave mode
+
+# turn off err trap because svcadm below may return an unimportant error
+trap "" ERR
+
+if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
+then
+ tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
+ [[ -n $tmpnfssec ]] || exit 1
+ sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
+ mv -f $tmpnfssec /etc/nfssec.conf
+ print 'Enabled krb5 sec in /etc/nfssec.conf.'
+ print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
+ print
+fi
+
+# get time and DNS running
+
+if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
+then
+ cp /etc/inet/ntp.client /etc/inet/ntp.conf
+fi
+if [[ -f /etc/inet/ntp.conf ]]
+then
+ svcadm enable -s svc:/network/ntp:default
+fi
+
+
+svcadm enable svc:/network/security/ktkt_warn:default
+
+if ! svcadm enable -s svc:/network/security/krb5kdc:default
+then
+ svcs -x svc:/network/security/krb5kdc:default
+ cat <<-EOF
+
+Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
+authentication. Check your kerberos config and rerun this script.
+
+ EOF
+ exit 1
+fi
+
+if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
+then
+ svcs -x svc:/network/security/kadmin:default
+ cat <<-EOF
+
+Error, the kadmind daemon did not start. You will not be able to change
+passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
+configured properly and rerun this script.
+
+ EOF
+ exit 1
+fi
+
+if ! svcadm enable -s svc:/network/rpc/gss:default
+then
+ svcs -x svc:/network/rpc/gss:default
+ cat <<-EOF
+
+Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
+
+ EOF
+ exit 1
+fi
+
+tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
+[[ -n $tmpccache ]] || exit 1
+if ! print "$passwd" | kinit -c $tmpccache tester
+then
+ print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
+ exit 1
+fi
+
+integer i=0
+while ((i < num_keytabs))
+do
+ if ((i == 0))
+ then
+ print "\nRun the following commands to transfer generated keytabs:"
+ fi
+ print ${kt_transfer_command[i]}
+ ((i = i + 1))
+done
+
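Review bot: The three here-document terminators (the indented ` EOF` lines closing the krb5kdc, kadmin and gss error messages) differ from setup-for-mit, which closes its equivalent block with `EOF` at column 0. `<<-` strips leading tabs only; if that indentation is spaces, which this rendering cannot distinguish, the terminator is not recognised and the remainder of the script is consumed by `cat`. Putting `EOF` at column 0 as in setup-for-mit removes the ambiguity. Also `svcadm enable svc:/network/security/ktkt_warn:default` omits the `-s` that every other enable in the file uses, so a failure to come online is neither waited for nor reported.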
--- a/components/cyrus-sasl/test/setup_testsuite Wed Apr 27 16:15:18 2016 -0700
+++ b/components/cyrus-sasl/test/setup_testsuite Wed Apr 27 16:55:22 2016 -0700
@@ -29,10 +29,6 @@
# -- create/recreate the KDC principal DB
# -- create a sasldb
-#TODO
-# -- create a TestSuite.conf file for a default simple test
-
-#PATH=/usr/bin:/usr/sbin:/usr/gnu/bin
export THIRTYTWO
case `uname -p` in
@@ -50,7 +46,7 @@
# realm used as default, edit if a different realm is desired.
-realm="SASLTEST.NET"
+export realm="SASLTEST.NET"
# realm for cross-realm auth.
crossrealm=
@@ -61,7 +57,8 @@
# Be default you would do: "kadmin -p kdc/admin" and use the passwd above.
admin_princ="kdc/admin"
-# used to determine if in batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode
+# used to determine if in
+# batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode
force='false'
check_leaks='false'
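Review bot: The rewrapped comment still carries the stray path `/home/willf/app_support/etc/krb5/templates/db2` spliced into the middle of the word "non-interactive"; this looks like an editor paste accident that the rewrap preserved instead of removing. Replace both comment lines with the single line `# used to determine if in batch/non-interactive mode`.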
@@ -70,8 +67,6 @@
num_keytabs=0
set -A kt_transfer_command
-ldap_ds=
-
# should be null if seting up master kdc
master_kdc=
@@ -147,7 +142,7 @@
if [[ -f .setup ]]
then
- print -u2 "Notice: $me alread run"
+ print -u2 "Notice: $me already run"
exit 0
fi
@@ -167,24 +162,10 @@
fi
ln -s $THIRTYTWO 32
-PACKAGES_NEEDED="service/security/kerberos-5 \
- system/security/kerberos-5 \
- system/library/security/sasl/crammd5 \
+export SASL_PACKAGES_NEEDED="system/library/security/sasl/crammd5 \
system/library/security/sasl/digestmd5 \
system/library/security/sasl/anonymous "
-pkg list $PACKAGES_NEEDED > /dev/null
-if (( $? != 0 ))
-then
- pkg install $PACKAGES_NEEDED
-fi
-
-pkg list $PACKAGES_NEEDED > /dev/null
-if (( $? != 0 ))
-then
- echo "One or more packages failed to install"
- exit 1
-fi
export MYLOC=`pwd`
if [[ ! -f /etc/sasl2/TestSuite.conf ]] ; then
@@ -224,134 +205,6 @@
exit 1
fi
-passwd="1234"
-
-trap "echo 'A command failed, aborting.'; exit 1" ERR
-
-svcadm disable -s svc:/network/security/krb5kdc:default
-svcadm disable -s svc:/network/security/kadmin:default
-svcadm disable -s svc:/network/security/krb5_prop:default
-
-if ! $force
-then
- ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
-fi
-
-trap - ERR # in kdcmgr destroy fails, run it again
-yes | /usr/sbin/kdcmgr destroy > /dev/null
-if (( $? != 0 ))
-then
- yes | /usr/sbin/kdcmgr destroy > /dev/null
-fi
-print "Existing KDC config destroyed."
-trap "echo 'A command failed, aborting.'; exit 1" ERR
-
-passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
-
-print $passwd > $passwd_file
-
-# create the master KDC
-if [[ -n $master_kdc ]]
-then
- /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
-else
- /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
-fi
-
-rm -f $passwd_file
-
-# Optional stuff follows...
-
-# Note, this next section is adding various service principals local to
-# this system. If you have servers running on other systems, edit this
-# section to add the services using the FQDN hostnames of those systems
-# and ouput the keytab to a non-default filename.
-# You will then either copy the non-default filename created on the
-# system you ran this script on or login to the other system and do a
-# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
-# located on that server.
-
-# addprincs if not in slave mode
-if [[ -z $master_kdc ]]
-then
- if [[ -n "$kt_config_file" ]]
- then
- if ! $force
- then
- ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
- fi
- while read host services
- do
- if [[ "$host" == "#*" ]]
- then
- # skip comments
- continue
- fi
- if [[ "$host" != "localhost" ]]
- then
- hostkeytab="/var/run/${host}.keytab"
- rm -f $hostkeytab
- kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
- fi
- for service in $services
- do
- if [[ "$host" == "localhost" ]]
- then
- # add service to KDC's keytab
- kadmin.local -q "addprinc -randkey $service/$fqdn"
- kadmin.local -q "ktadd $service/$fqdn"
- print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
- else
- # add service to $host's keytab
- kadmin.local -q "addprinc -randkey $service/$host"
- kadmin.local -q "ktadd -k $hostkeytab $service/$host"
- print "\nAdded $service/$host to $hostkeytab"
- fi
- done
- ((num_keytabs = num_keytabs + 1))
- done < $kt_config_file
- fi
-
- if [[ -n "$crossrealm" ]]
- then
- # Setup Cross-realm auth.
- kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
- kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
- print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
- fi
-
- # Optional, Add service principals on KDC
- for srv in nfs ldap smtp imap cifs
- do
- # randomizes the key anyway so use the -randkey option for addprinc).
- kadmin.local -q "addprinc -randkey $srv/$fqdn"
- kadmin.local -q "ktadd $srv/$fqdn"
- done
-
-
- # "tester" needed for setup
- kadmin.local -q "addprinc -pw $passwd tester"
-
- # "ken" needed for test
- echo "1234" | saslpasswd2 -c -p -f ./sasldb ken
- kadmin.local -q "addprinc -pw $passwd ken"
-
-fi # addprincs if not in slave mode
-
-# turn off err trap because svcadm below may return an unimportant error
-trap "" ERR
-
-if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
-then
- tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
- [[ -n $tmpnfssec ]] || exit 1
- sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
- mv -f $tmpnfssec /etc/nfssec.conf
- print 'Enabled krb5 sec in /etc/nfssec.conf.'
- print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
- print
-fi
-
# get time and DNS running
if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
@@ -363,63 +216,27 @@
svcadm enable -s svc:/network/ntp:default
fi
-
-svcadm enable svc:/network/security/ktkt_warn:default
+export KMODE="mit"
+set -A MEDIATOR `pkg mediator -H kerberos5`
-if ! svcadm enable -s svc:/network/security/krb5kdc:default
-then
- svcs -x svc:/network/security/krb5kdc:default
- cat <<-EOF
+case ${MEDIATOR[3]} in
-Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
-authentication. Check your kerberos config and rerun this script.
+ "solaris" ) # old kerberos configured
+ KMODE="seam"
+ ;;
- EOF
- exit 1
-fi
+ *) # "MIT" or mediator does not exist
+ KMODE="mit"
+ ;;
+esac
-if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
+. ./setup-for-$KMODE
+if (( $? != 0 ))
then
- svcs -x svc:/network/security/kadmin:default
- cat <<-EOF
-
-Error, the kadmind daemon did not start. You will not be able to change
-passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
-configured properly and rerun this script.
-
- EOF
- exit 1
+ print -u2 "Setup failed"
+ exit 1
fi
-if ! svcadm enable -s svc:/network/rpc/gss:default
-then
- svcs -x svc:/network/rpc/gss:default
- cat <<-EOF
-Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
-
- EOF
- exit 1
-fi
-
-tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
-[[ -n $tmpccache ]] || exit 1
-if ! print "$passwd" | kinit -c $tmpccache tester
-then
- print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
- exit 1
-fi
-
-integer i=0
-while ((i < num_keytabs))
-do
- if ((i == 0))
- then
- print "\nRun the following commands to transfer generated keytabs:"
- fi
- print ${kt_transfer_command[i]}
- ((i = i + 1))
-done
-
-print 1234 | kinit ken
+print "$passwd" | kinit ken
touch .setup
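Review bot: The `if (( $? != 0 ))` after `. ./setup-for-$KMODE` rarely fires: the sourced scripts handle failures with `exit 1` and an ERR trap that exits, which terminates setup_testsuite itself, so the "Setup failed" branch only runs when the final command of the sourced file fails. Sourcing is presumably required because those scripts use this file's `ok_to_proceed`, `kt_transfer_command`, `num_keytabs` and `$fqdn`, so the honest fix is a comment, e.g. `# sourced, not executed: an exit inside setup-for-$KMODE ends this script directly`. Note also that `$passwd` used by `print "$passwd" | kinit ken` is only defined inside the sourced script, and that the sourced script's closing `trap "" ERR` remains in effect for the rest of this file.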
--- a/components/openldap/openldap.p5m Wed Apr 27 16:15:18 2016 -0700
+++ b/components/openldap/openldap.p5m Wed Apr 27 16:55:22 2016 -0700
@@ -20,7 +20,7 @@
#
#
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability committed>
@@ -513,10 +513,6 @@
uid=75
license openldap.license license="openldap license"
# This dependency is because we are building against cyrus-sasl from its proto
-# area and bypassing the auto-generated dependency. When libsasl is updated,
-# this version number really should be adjusted, but the userland-incorporation
-# will force the cyrus-sasl packaging and openldap packaging to be from the same
-# build and not just this version or later.
-# The strange version number is caused by historical versioning in ON and will
-# go away when the libsasl package name is changed to libsasl2
-depend type=require fmri=pkg:/system/library/security/[email protected]
+# area and bypassing the auto-generated dependency. When upstream libsasl
+# is updated, this version number must be adjusted.
+depend type=require fmri=pkg:/system/library/security/[email protected]
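Review bot: The new `depend type=require fmri=pkg:/system/library/security/[email protected]` line, as rendered here, is not a valid IPS fmri; the `[email protected]` token looks like an extraction artifact of a `name@version` pair, so the package name and version cannot be verified from this view. Please confirm the committed line names the libsasl2 package and a concrete version, since the new comment says that version is the only thing pinning openldap to a matching cyrus-sasl; the removed comment's point that the incorporation keeps the two from the same build was useful context and could be kept in one sentence.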