PSARC/2016/244 Sync MIT Kerberos to 1.14.2
authorShawn Emery <shawn.emery@oracle.com>
Wed, 11 May 2016 20:33:52 -0700
changeset 5969 96bac9fbcfbd
parent 5968 a64f1dcdc61b
child 5970 86291cd54b86
PSARC/2016/244 Sync MIT Kerberos to 1.14.2 22954706 Should synchronize with MIT Kerberos 1.14 23116276 Userland krb pkgs must have mediation removed
components/krb5/Makefile
components/krb5/Solaris/libkadm5clnt.mapfile-vers
components/krb5/krb5-kdc.p5m
components/krb5/krb5-message-files.p5m
components/krb5/krb5.license
components/krb5/krb5.p5m
components/krb5/patches/024-smb-compat.patch
components/krb5/patches/028-rpc-gss.patch
components/krb5/patches/029-kadmin_disable_anonymity.patch
components/krb5/patches/032-pam-krb5.patch
components/krb5/patches/035-multi-master.patch
components/krb5/patches/036-verify-nofail.patch
components/krb5/patches/045-correct_err_code_for_bad_QOP.patch
components/krb5/patches/046-creds_usage_mismatch_err_code.patch
components/krb5/patches/051-fopenF.patch
components/krb5/patches/061-ccache-nounlink.patch
components/krb5/patches/064-enable-debug-compile.patch
components/krb5/patches/066-sanitize_context_ptr.patch
components/krb5/patches/067-iprop-double-free-fix.patch
--- a/components/krb5/Makefile	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/Makefile	Wed May 11 20:33:52 2016 -0700
@@ -18,28 +18,35 @@
 #
 # CDDL HEADER END
 #
+
+#
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
-
+BUILD_BITS= 64_and_32
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		Kerberos
-COMPONENT_MINOR=	1.13
-COMPONENT_VERSION=	1.13.3
+# Encoding rule for MAJOR: MIT KerberosV5 x.y[.z] => MAJOR x
+# Encoding rule for MINOR: MIT KerberosV5 x.y[.z] => MINOR $MAJOR.y
+# Encoding rule for MICRO: MIT KerberosV5 x.y[.z] => MICRO $MINOR[.z]
+COMPONENT_MAJOR=	1
+COMPONENT_MINOR=	$(COMPONENT_MAJOR).14
+COMPONENT_MICRO=	$(COMPONENT_MINOR).2
+
+COMPONENT_VERSION=		$(COMPONENT_MICRO)
+IPS_COMPONENT_VERSION=	$(COMPONENT_VERSION).0
+
 COMPONENT_PROJECT_URL=	http://web.mit.edu/kerberos/
 COMPONENT_SRC=		krb5-$(COMPONENT_VERSION)
-COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-	sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
+	sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
 COMPONENT_ARCHIVE_URL=	\
 	$(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/kerberos
 
-TPNO=	26018
+TPNO=		27916
 
-include $(WS_MAKE_RULES)/prep.mk
-include $(WS_MAKE_RULES)/configure.mk
-include $(WS_MAKE_RULES)/lint-libraries.mk
+include $(WS_MAKE_RULES)/common.mk
 
 LINT_FLAGS += -I$(PROTOUSRINCDIR) -I$(PROTOUSRINCDIR)/kerberosv5 -I$(COMPONENT_DIR)/Solaris
 
@@ -50,11 +57,6 @@
 PUBLISH_STAMP=
 endif
 
-include $(WS_MAKE_RULES)/ips.mk
-
-# Encoding rules for IPS: MIT KerberosV5 <x>.<y>[.<z>] => IPS <x>.<y>.[<z>|0].0
-IPS_COMPONENT_VERSION=	1.13.3.0
-
 # The configure script is not at the top of the source directory.
 CONFIGURE_SCRIPT=	$(SOURCE_DIR)/src/configure
 
@@ -70,11 +72,6 @@
 # If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch.
 LDFLAGS += -lc $(LD_Z_DEFS)
 
-CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)"
-CONFIGURE_ENV += CFLAGS="$(CFLAGS)"
-CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)"
-CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)"
-CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)"
 CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab"
 CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab"
 
@@ -84,9 +81,6 @@
 CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR)
 CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64)
 CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5
-# to avoid executing subprocesses from /usr/[s]bin/$(MACH64):
-CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
-CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR)
 CONFIGURE_OPTIONS += --with-crypto-impl=openssl
 CONFIGURE_OPTIONS += --with-ldap
 CONFIGURE_OPTIONS += --with-prng-alg=os
@@ -188,16 +182,6 @@
 	$(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \
 		$(PROTO_DIR)$(USRLIBDIR)/$(MACH64);
 
-ASLR_MODE = $(ASLR_ENABLE)
-
-# common targets
-build:	$(BUILD_32_and_64)
-
-install:	$(INSTALL_32_and_64)
-
-# build does this always
-test:	$(TEST_32_and_64)
-
 REQUIRED_PACKAGES += developer/test/dejagnu
 REQUIRED_PACKAGES += library/libedit
 REQUIRED_PACKAGES += library/openldap
@@ -205,7 +189,7 @@
 REQUIRED_PACKAGES += network/dns/bind
 REQUIRED_PACKAGES += service/security/kerberos-5
 REQUIRED_PACKAGES += shell/ksh93
-REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/core-os
 REQUIRED_PACKAGES += system/library/math
 REQUIRED_PACKAGES += system/library/security/gss
 
--- a/components/krb5/Solaris/libkadm5clnt.mapfile-vers	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers	Wed May 11 20:33:52 2016 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
 $mapfile_version 2
@@ -26,22 +26,22 @@
 STUB_OBJECT;
 SYMBOL_VERSION SUNWprivate_1.1 {
     global:
-	free_srv_names	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_destroy	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
-	kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	free_srv_names	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_destroy	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
 
     local:
 	*;
--- a/components/krb5/krb5-kdc.p5m	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/krb5-kdc.p5m	Wed May 11 20:33:52 2016 -0700
@@ -21,7 +21,7 @@
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
-<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed">
 set name=pkg.fmri \
     value=pkg:/security/kerberos-5/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="Kerberos V5 Key Distribution Center (KDC)"
@@ -33,91 +33,39 @@
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-file Solaris/kadmin.xml \
-    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \
+file Solaris/kadmin.xml path=lib/svc/manifest/network/security/kadmin.xml \
     restart_fmri=svc:/system/manifest-import:default
 file Solaris/krb5_prop.xml \
-    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \
-    restart_fmri=svc:/system/manifest-import:default
-file Solaris/krb5kdc.xml \
-    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \
+    path=lib/svc/manifest/network/security/krb5_prop.xml \
     restart_fmri=svc:/system/manifest-import:default
-link path=lib/svc/manifest/network/security/kadmin.xml \
-    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=lib/svc/manifest/network/security/krb5_prop.xml \
-    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=lib/svc/manifest/network/security/krb5kdc.xml \
-    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \
-    mediator=kerberos5 mediator-implementation=MIT
-file usr/sbin/kadmin.local \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local
-file usr/sbin/kadmind \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind
-file usr/sbin/kdb5_ldap_util \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util
-file usr/sbin/kdb5_util \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util
-file usr/sbin/kprop path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop
-file usr/sbin/kpropd \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd
-file usr/sbin/kproplog \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog
-file usr/sbin/krb5kdc \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc
-file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif
-file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema
+file Solaris/krb5kdc.xml path=lib/svc/manifest/network/security/krb5kdc.xml \
+    restart_fmri=svc:/system/manifest-import:default
 dir  path=usr/lib/$(MACH64)/krb5/plugins/kdb
 file path=usr/lib/$(MACH64)/krb5/plugins/kdb/db2.so
 file path=usr/lib/$(MACH64)/krb5/plugins/kdb/kldap.so
 link path=usr/lib/$(MACH64)/libkdb_ldap.so target=libkdb_ldap.so.1.0
 link path=usr/lib/$(MACH64)/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0
 file path=usr/lib/$(MACH64)/libkdb_ldap.so.1.0
-link path=usr/lib/krb5/kadmind \
-    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/krb5/kprop \
-    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/krb5/kpropd \
-    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/krb5/krb5kdc \
-    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc \
-    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/lib/krb5/plugins/kdb
 file path=usr/lib/krb5/plugins/kdb/db2.so
 file path=usr/lib/krb5/plugins/kdb/kldap.so
-link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 mediator=kerberos5 \
-    mediator-implementation=MIT
-link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 \
-    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0
+link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0
 file path=usr/lib/libkdb_ldap.so.1.0
-link path=usr/sbin/kadmin.local \
-    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/sbin/kdb5_ldap_util \
-    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/sbin/kdb5_util \
-    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/sbin/kprop target=../lib/krb5/kprop mediator=kerberos5 \
-    mediator-implementation=MIT
-link path=usr/sbin/kproplog \
-    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/share/lib/ldif/kerberos.ldif \
-    target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/share/lib/ldif/kerberos.schema \
-    target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema \
-    mediator=kerberos5 mediator-implementation=MIT
+file usr/sbin/kadmin.local path=usr/sbin/$(MACH64)/kadmin.local
+file usr/sbin/kadmind path=usr/sbin/$(MACH64)/kadmind
+file usr/sbin/kdb5_ldap_util path=usr/sbin/$(MACH64)/kdb5_ldap_util
+file usr/sbin/kdb5_util path=usr/sbin/$(MACH64)/kdb5_util
+file usr/sbin/kprop path=usr/sbin/$(MACH64)/kprop
+file usr/sbin/kpropd path=usr/sbin/$(MACH64)/kpropd
+file usr/sbin/kproplog path=usr/sbin/$(MACH64)/kproplog
+file usr/sbin/krb5kdc path=usr/sbin/$(MACH64)/krb5kdc
+file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \
+    path=usr/share/lib/ldif/kerberos.ldif
+file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \
+    path=usr/share/lib/ldif/kerberos.schema
 file path=usr/share/man/man5/kadm5.acl.5
 file path=usr/share/man/man5/kdc.conf.5
 file path=usr/share/man/man8/kadmin.local.8
--- a/components/krb5/krb5-message-files.p5m	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/krb5-message-files.p5m	Wed May 11 20:33:52 2016 -0700
@@ -29,7 +29,7 @@
     value="translatable message content for KerberosV5"
 set name=com.oracle.info.tpno value=$(TPNO)
 set name=info.classification value=org.opensolaris.category.2008:System/Security
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 file src/po/mit-krb5.pot path=usr/share/applications/mit-krb5.pot
 license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/krb5.license	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/krb5.license	Wed May 11 20:33:52 2016 -0700
@@ -1,4 +1,4 @@
-Copyright (C) 1985-2015 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
 
 All rights reserved.
 
--- a/components/krb5/krb5.p5m	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/krb5.p5m	Wed May 11 20:33:52 2016 -0700
@@ -21,7 +21,7 @@
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
-<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed">
 set name=pkg.fmri \
     value=pkg:/security/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="Kerberos V5 Support"
@@ -32,42 +32,24 @@
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 dir  path=etc/gss/mech.d group=sys
-link path=usr/bin/kdestroy \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/bin/kinit \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/bin/klist \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/bin/kpasswd \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/bin/krb5-config \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/krb5-config \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/bin/k5srvutil
+file path=usr/bin/kadmin
+file path=usr/bin/kdestroy
+file path=usr/bin/kinit
+file path=usr/bin/klist
+file path=usr/bin/kpasswd
+file path=usr/bin/krb5-config
 file path=usr/bin/kswitch
-link path=usr/bin/ktutil \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/bin/kvno \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/include/gssapi/gssapi.h \
-    target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/include/gssapi/gssapi_ext.h \
-    target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/include/kerberosv5/com_err.h \
-    target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/bin/ktutil
+file path=usr/bin/kvno
+file path=usr/include/kerberosv5/com_err.h
 dir  path=usr/include/kerberosv5/gssapi
 file path=usr/include/kerberosv5/gssapi.h
+file path=usr/include/kerberosv5/gssapi/gssapi.h
+file path=usr/include/kerberosv5/gssapi/gssapi_ext.h
 file path=usr/include/kerberosv5/gssapi/gssapi_generic.h
 file path=usr/include/kerberosv5/gssapi/gssapi_krb5.h
 file path=usr/include/kerberosv5/gssapi/mechglue.h
@@ -78,9 +60,7 @@
 file path=usr/include/kerberosv5/kdb.h
 file path=usr/include/kerberosv5/krad.h
 dir  path=usr/include/kerberosv5/krb5
-link path=usr/include/kerberosv5/krb5.h \
-    target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/include/kerberosv5/krb5.h
 file path=usr/include/kerberosv5/krb5/ccselect_plugin.h
 file path=usr/include/kerberosv5/krb5/clpreauth_plugin.h
 file path=usr/include/kerberosv5/krb5/hostrealm_plugin.h
@@ -95,49 +75,13 @@
 dir  path=usr/include/kerberosv5/private
 dir  path=usr/include/kerberosv5/private/krb5
 dir  path=usr/include/kerberosv5/private/krb5/keytab
-link path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h \
-    target=../../../../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h \
-    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/private/krb5/keytab/kt_solaris.h \
+    path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h
 file Solaris/private/krb5/prof_solaris.h \
     path=usr/include/kerberosv5/private/krb5/prof_solaris.h
 file path=usr/include/kerberosv5/profile.h
 file path=usr/include/kerberosv5/verto-module.h
 file path=usr/include/kerberosv5/verto.h
-file usr/bin/k5srvutil \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil
-file usr/bin/kadmin path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin
-file usr/bin/kdestroy \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy
-file usr/bin/kinit path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit
-file usr/bin/klist path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist
-file usr/bin/kpasswd \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd
-file usr/bin/ktutil path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil
-file usr/bin/kvno path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno
-file usr/bin/krb5-config path=usr/kerberos5/$(COMPONENT_VERSION)/bin/krb5-config
-file usr/include/kerberosv5/gssapi/gssapi.h \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h
-file usr/include/kerberosv5/gssapi/gssapi_ext.h \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h
-file usr/include/kerberosv5/com_err.h \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h
-file usr/include/kerberosv5/krb5.h \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h
-file Solaris/private/krb5/keytab/kt_solaris.h \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h
-file usr/lib/$(MACH64)/libgss.so.1 \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1
-file usr/lib/$(MACH64)/libkadm5clnt.so.1 \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1
-file usr/lib/$(MACH64)/libkrb5.so.1 \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1
-file usr/lib/krb5/plugins/preauth/pkinit.so \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so
-file usr/lib/libgss.so.1 path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1
-file usr/lib/libkadm5clnt.so.1 \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1
-file usr/lib/libkrb5.so.1 \
-    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1
 dir  path=usr/lib/$(MACH64)/krb5
 dir  path=usr/lib/$(MACH64)/krb5/plugins
 dir  path=usr/lib/$(MACH64)/krb5/plugins/authdata
@@ -150,40 +94,29 @@
 link path=usr/lib/$(MACH64)/libcom_err.so target=libcom_err.so.3.0
 link path=usr/lib/$(MACH64)/libcom_err.so.3 target=libcom_err.so.3.0
 file path=usr/lib/$(MACH64)/libcom_err.so.3.0
-link path=usr/lib/$(MACH64)/libgss.so target=libgssapi_krb5.so.2.2 \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/$(MACH64)/libgss.so.1 \
-    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/lib/$(MACH64)/libgss.so.1
 link path=usr/lib/$(MACH64)/libgssapi_krb5.so target=libgssapi_krb5.so.2.2
 link path=usr/lib/$(MACH64)/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2
 file path=usr/lib/$(MACH64)/libgssapi_krb5.so.2.2
 link path=usr/lib/$(MACH64)/libk5crypto.so target=libk5crypto.so.3.1
 link path=usr/lib/$(MACH64)/libk5crypto.so.3 target=libk5crypto.so.3.1
 file path=usr/lib/$(MACH64)/libk5crypto.so.3.1
-link path=usr/lib/$(MACH64)/libkadm5clnt.so target=libkadm5clnt_mit.so \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/$(MACH64)/libkadm5clnt.so.1 \
-    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0
-link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0
-file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9.0
+file path=usr/lib/$(MACH64)/libkadm5clnt.so.1
+link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0
+link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10 \
+    target=libkadm5clnt_mit.so.10.0
+file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10.0
 link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so
-link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0
-link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0
-file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9.0
+link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0
+link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0
+file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10.0
 link path=usr/lib/$(MACH64)/libkdb5.so target=libkdb5.so.8.0
 link path=usr/lib/$(MACH64)/libkdb5.so.8 target=libkdb5.so.8.0
 file path=usr/lib/$(MACH64)/libkdb5.so.8.0
 link path=usr/lib/$(MACH64)/libkrad.so target=libkrad.so.0.0
 link path=usr/lib/$(MACH64)/libkrad.so.0 target=libkrad.so.0.0
 file path=usr/lib/$(MACH64)/libkrad.so.0.0
-link path=usr/lib/$(MACH64)/libkrb5.so target=libkrb5.so.3.3 \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/$(MACH64)/libkrb5.so.1 \
-    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/lib/$(MACH64)/libkrb5.so.1
 link path=usr/lib/$(MACH64)/libkrb5.so.3 target=libkrb5.so.3.3
 file path=usr/lib/$(MACH64)/libkrb5.so.3.3
 link path=usr/lib/$(MACH64)/libkrb5support.so target=libkrb5support.so.0.1
@@ -212,49 +145,33 @@
 dir  path=usr/lib/krb5/plugins/libkrb5
 dir  path=usr/lib/krb5/plugins/preauth
 file path=usr/lib/krb5/plugins/preauth/otp.so
-link path=usr/lib/krb5/plugins/preauth/pkinit.so \
-    target=../../../../kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/lib/krb5/plugins/preauth/pkinit.so
 dir  path=usr/lib/krb5/plugins/tls
 file path=usr/lib/krb5/plugins/tls/k5tls.so
 link path=usr/lib/libcom_err.so target=libcom_err.so.3.0
 link path=usr/lib/libcom_err.so.3 target=libcom_err.so.3.0
 file path=usr/lib/libcom_err.so.3.0
-link path=usr/lib/libgss.so target=libgssapi_krb5.so.2.2 mediator=kerberos5 \
-    mediator-implementation=MIT
-link path=usr/lib/libgss.so.1 \
-    target=../kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/lib/libgss.so.1
 link path=usr/lib/libgssapi_krb5.so target=libgssapi_krb5.so.2.2
 link path=usr/lib/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2
 file path=usr/lib/libgssapi_krb5.so.2.2
 link path=usr/lib/libk5crypto.so target=libk5crypto.so.3.1
 link path=usr/lib/libk5crypto.so.3 target=libk5crypto.so.3.1
 file path=usr/lib/libk5crypto.so.3.1
-link path=usr/lib/libkadm5clnt.so target=libkadm5clnt_mit.so \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/libkadm5clnt.so.1 \
-    target=../kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0
-link path=usr/lib/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0
-file path=usr/lib/libkadm5clnt_mit.so.9.0
-link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so mediator=kerberos5 \
-    mediator-implementation=MIT
-link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0
-link path=usr/lib/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0
-file path=usr/lib/libkadm5srv_mit.so.9.0
+file path=usr/lib/libkadm5clnt.so.1
+link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0
+link path=usr/lib/libkadm5clnt_mit.so.10 target=libkadm5clnt_mit.so.10.0
+file path=usr/lib/libkadm5clnt_mit.so.10.0
+link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0
+link path=usr/lib/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0
+file path=usr/lib/libkadm5srv_mit.so.10.0
 link path=usr/lib/libkdb5.so target=libkdb5.so.8.0
 link path=usr/lib/libkdb5.so.8 target=libkdb5.so.8.0
 file path=usr/lib/libkdb5.so.8.0
 link path=usr/lib/libkrad.so target=libkrad.so.0.0
 link path=usr/lib/libkrad.so.0 target=libkrad.so.0.0
 file path=usr/lib/libkrad.so.0.0
-link path=usr/lib/libkrb5.so target=libkrb5.so.3.3 mediator=kerberos5 \
-    mediator-implementation=MIT
-link path=usr/lib/libkrb5.so.1 \
-    target=../kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 \
-    mediator=kerberos5 mediator-implementation=MIT
+file path=usr/lib/libkrb5.so.1
 link path=usr/lib/libkrb5.so.3 target=libkrb5.so.3.3
 file path=usr/lib/libkrb5.so.3.3
 link path=usr/lib/libkrb5support.so target=libkrb5support.so.0.1
@@ -284,12 +201,6 @@
 file path=usr/lib/pkgconfig/krb5.pc
 file path=usr/lib/pkgconfig/mit-krb5-gssapi.pc
 file path=usr/lib/pkgconfig/mit-krb5.pc
-link path=usr/sbin/k5srvutil \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil \
-    mediator=kerberos5 mediator-implementation=MIT
-link path=usr/sbin/kadmin \
-    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin \
-    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/share/et
 file path=usr/share/et/et_c.awk
 file path=usr/share/et/et_h.awk
@@ -297,266 +208,119 @@
 dir  path=usr/share/examples/krb5
 file path=usr/share/examples/krb5/services.append
 file path=usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo
-link path=usr/share/man/3lib/libgss.3lib target=./libgss.mit.3lib \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.mit.3lib
-link path=usr/share/man/3lib/libkrb5.3lib target=./libkrb5.mit.3lib \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.mit.3lib
-link path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \
-    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.3lib
+file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.3lib \
+    mangler.man.stability="pass-through uncommitted"
 file Solaris/man/ja_JP.UTF-8/kerberos.5 \
-    path=usr/share/man/ja_JP.UTF-8/man5/kerberos.mit.5
-link path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \
-    target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT
+    path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5
 file Solaris/man/ja_JP.UTF-8/krb5envvar.5 \
-    path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.mit.5
-link path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 \
-    target=./krb5_auth_rules.mit.7 mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \
+    mangler.man.stability="pass-through uncommitted"
 file Solaris/man/ja_JP.UTF-8/krb5_auth_rules.7 \
-    path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.mit.7
+    path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7
 file path=usr/share/man/man1/k5srvutil.1
 file path=usr/share/man/man1/kadmin.1
-link path=usr/share/man/man1/kdestroy.1 target=./kdestroy.mit.1 \
-    mediator=kerberos5 mediator-implementation=MIT
-file usr/share/man/man1/kdestroy.1 path=usr/share/man/man1/kdestroy.mit.1
-link path=usr/share/man/man1/kinit.1 target=./kinit.mit.1 mediator=kerberos5 \
-    mediator-implementation=MIT
-file usr/share/man/man1/kinit.1 path=usr/share/man/man1/kinit.mit.1
-link path=usr/share/man/man1/klist.1 target=./klist.mit.1 mediator=kerberos5 \
-    mediator-implementation=MIT
-file usr/share/man/man1/klist.1 path=usr/share/man/man1/klist.mit.1
-link path=usr/share/man/man1/kpasswd.1 target=./kpasswd.mit.1 \
-    mediator=kerberos5 mediator-implementation=MIT
-file usr/share/man/man1/kpasswd.1 path=usr/share/man/man1/kpasswd.mit.1
-link path=usr/share/man/man1/krb5-config.1 target=./krb5-config.mit.1 \
-    mediator=kerberos5 mediator-implementation=MIT
-file usr/share/man/man1/krb5-config.1 path=usr/share/man/man1/krb5-config.mit.1
+file path=usr/share/man/man1/kdestroy.1
+file path=usr/share/man/man1/kinit.1
+file path=usr/share/man/man1/klist.1
+file path=usr/share/man/man1/kpasswd.1
+file path=usr/share/man/man1/krb5-config.1 \
+    mangler.man.stability="pass-through uncommitted"
 file path=usr/share/man/man1/kswitch.1
-link path=usr/share/man/man1/ktutil.1 target=./ktutil.mit.1 mediator=kerberos5 \
-    mediator-implementation=MIT
-file usr/share/man/man1/ktutil.1 path=usr/share/man/man1/ktutil.mit.1
-link path=usr/share/man/man1/kvno.1 target=./kvno.mit.1 mediator=kerberos5 \
-    mediator-implementation=MIT
-file usr/share/man/man1/kvno.1 path=usr/share/man/man1/kvno.mit.1
-link path=usr/share/man/man3gss/gss_accept_sec_context.3gss \
-    target=./gss_accept_sec_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+file path=usr/share/man/man1/ktutil.1
+file path=usr/share/man/man1/kvno.1
 file Solaris/man/gss_accept_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_accept_sec_context.mit.3gss
-link path=usr/share/man/man3gss/gss_acquire_cred.3gss \
-    target=./gss_acquire_cred.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_accept_sec_context.3gss
 file Solaris/man/gss_acquire_cred.3gss \
-    path=usr/share/man/man3gss/gss_acquire_cred.mit.3gss
-link path=usr/share/man/man3gss/gss_add_cred.3gss \
-    target=./gss_add_cred.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
-file Solaris/man/gss_add_cred.3gss \
-    path=usr/share/man/man3gss/gss_add_cred.mit.3gss
-link path=usr/share/man/man3gss/gss_add_oid_set_member.3gss \
-    target=./gss_add_oid_set_member.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_acquire_cred.3gss
+file Solaris/man/gss_add_cred.3gss path=usr/share/man/man3gss/gss_add_cred.3gss
 file Solaris/man/gss_add_oid_set_member.3gss \
-    path=usr/share/man/man3gss/gss_add_oid_set_member.mit.3gss
-link path=usr/share/man/man3gss/gss_canonicalize_name.3gss \
-    target=./gss_canonicalize_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_add_oid_set_member.3gss
 file Solaris/man/gss_canonicalize_name.3gss \
-    path=usr/share/man/man3gss/gss_canonicalize_name.mit.3gss
-link path=usr/share/man/man3gss/gss_compare_name.3gss \
-    target=./gss_compare_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_canonicalize_name.3gss
 file Solaris/man/gss_compare_name.3gss \
-    path=usr/share/man/man3gss/gss_compare_name.mit.3gss
-link path=usr/share/man/man3gss/gss_context_time.3gss \
-    target=./gss_context_time.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_compare_name.3gss
 file Solaris/man/gss_context_time.3gss \
-    path=usr/share/man/man3gss/gss_context_time.mit.3gss
-link path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss \
-    target=./gss_create_empty_oid_set.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_context_time.3gss
 file Solaris/man/gss_create_empty_oid_set.3gss \
-    path=usr/share/man/man3gss/gss_create_empty_oid_set.mit.3gss
-link path=usr/share/man/man3gss/gss_delete_sec_context.3gss \
-    target=./gss_delete_sec_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss
 file Solaris/man/gss_delete_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_delete_sec_context.mit.3gss
-link path=usr/share/man/man3gss/gss_display_name.3gss \
-    target=./gss_display_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_delete_sec_context.3gss
 file Solaris/man/gss_display_name.3gss \
-    path=usr/share/man/man3gss/gss_display_name.mit.3gss
-link path=usr/share/man/man3gss/gss_display_status.3gss \
-    target=./gss_display_status.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_display_name.3gss
 file Solaris/man/gss_display_status.3gss \
-    path=usr/share/man/man3gss/gss_display_status.mit.3gss
-link path=usr/share/man/man3gss/gss_duplicate_name.3gss \
-    target=./gss_duplicate_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_display_status.3gss
 file Solaris/man/gss_duplicate_name.3gss \
-    path=usr/share/man/man3gss/gss_duplicate_name.mit.3gss
-link path=usr/share/man/man3gss/gss_export_name.3gss \
-    target=./gss_export_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_duplicate_name.3gss
 file Solaris/man/gss_export_name.3gss \
-    path=usr/share/man/man3gss/gss_export_name.mit.3gss
-link path=usr/share/man/man3gss/gss_export_sec_context.3gss \
-    target=./gss_export_sec_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_export_name.3gss
 file Solaris/man/gss_export_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_export_sec_context.mit.3gss
-link path=usr/share/man/man3gss/gss_get_mic.3gss target=./gss_get_mic.mit.3gss \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/gss_get_mic.3gss \
-    path=usr/share/man/man3gss/gss_get_mic.mit.3gss
-link path=usr/share/man/man3gss/gss_import_name.3gss \
-    target=./gss_import_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_export_sec_context.3gss
+file Solaris/man/gss_get_mic.3gss path=usr/share/man/man3gss/gss_get_mic.3gss
 file Solaris/man/gss_import_name.3gss \
-    path=usr/share/man/man3gss/gss_import_name.mit.3gss
-link path=usr/share/man/man3gss/gss_import_sec_context.3gss \
-    target=./gss_import_sec_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_import_name.3gss
 file Solaris/man/gss_import_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_import_sec_context.mit.3gss
-link path=usr/share/man/man3gss/gss_indicate_mechs.3gss \
-    target=./gss_indicate_mechs.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_import_sec_context.3gss
 file Solaris/man/gss_indicate_mechs.3gss \
-    path=usr/share/man/man3gss/gss_indicate_mechs.mit.3gss
-link path=usr/share/man/man3gss/gss_init_sec_context.3gss \
-    target=./gss_init_sec_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_indicate_mechs.3gss
 file Solaris/man/gss_init_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_init_sec_context.mit.3gss
-link path=usr/share/man/man3gss/gss_inquire_context.3gss \
-    target=./gss_inquire_context.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_init_sec_context.3gss
 file Solaris/man/gss_inquire_context.3gss \
-    path=usr/share/man/man3gss/gss_inquire_context.mit.3gss
-link path=usr/share/man/man3gss/gss_inquire_cred.3gss \
-    target=./gss_inquire_cred.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_inquire_context.3gss
 file Solaris/man/gss_inquire_cred.3gss \
-    path=usr/share/man/man3gss/gss_inquire_cred.mit.3gss
-link path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss \
-    target=./gss_inquire_cred_by_mech.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_inquire_cred.3gss
 file Solaris/man/gss_inquire_cred_by_mech.3gss \
-    path=usr/share/man/man3gss/gss_inquire_cred_by_mech.mit.3gss
-link path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss \
-    target=./gss_inquire_mechs_for_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss
 file Solaris/man/gss_inquire_mechs_for_name.3gss \
-    path=usr/share/man/man3gss/gss_inquire_mechs_for_name.mit.3gss
-link path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss \
-    target=./gss_inquire_names_for_mech.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss
 file Solaris/man/gss_inquire_names_for_mech.3gss \
-    path=usr/share/man/man3gss/gss_inquire_names_for_mech.mit.3gss
-link path=usr/share/man/man3gss/gss_oid_to_str.3gss \
-    target=./gss_oid_to_str.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss
 file Solaris/man/gss_oid_to_str.3gss \
-    path=usr/share/man/man3gss/gss_oid_to_str.mit.3gss
-link path=usr/share/man/man3gss/gss_process_context_token.3gss \
-    target=./gss_process_context_token.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_oid_to_str.3gss
 file Solaris/man/gss_process_context_token.3gss \
-    path=usr/share/man/man3gss/gss_process_context_token.mit.3gss
-link path=usr/share/man/man3gss/gss_release_buffer.3gss \
-    target=./gss_release_buffer.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_process_context_token.3gss
 file Solaris/man/gss_release_buffer.3gss \
-    path=usr/share/man/man3gss/gss_release_buffer.mit.3gss
-link path=usr/share/man/man3gss/gss_release_cred.3gss \
-    target=./gss_release_cred.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_release_buffer.3gss
 file Solaris/man/gss_release_cred.3gss \
-    path=usr/share/man/man3gss/gss_release_cred.mit.3gss
-link path=usr/share/man/man3gss/gss_release_name.3gss \
-    target=./gss_release_name.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_release_cred.3gss
 file Solaris/man/gss_release_name.3gss \
-    path=usr/share/man/man3gss/gss_release_name.mit.3gss
-link path=usr/share/man/man3gss/gss_release_oid.3gss \
-    target=./gss_release_oid.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_release_name.3gss
 file Solaris/man/gss_release_oid.3gss \
-    path=usr/share/man/man3gss/gss_release_oid.mit.3gss
-link path=usr/share/man/man3gss/gss_release_oid_set.3gss \
-    target=./gss_release_oid_set.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_release_oid.3gss
 file Solaris/man/gss_release_oid_set.3gss \
-    path=usr/share/man/man3gss/gss_release_oid_set.mit.3gss
-link path=usr/share/man/man3gss/gss_store_cred.3gss \
-    target=./gss_store_cred.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_release_oid_set.3gss
 file Solaris/man/gss_store_cred.3gss \
-    path=usr/share/man/man3gss/gss_store_cred.mit.3gss
-link path=usr/share/man/man3gss/gss_str_to_oid.3gss \
-    target=./gss_str_to_oid.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_store_cred.3gss
 file Solaris/man/gss_str_to_oid.3gss \
-    path=usr/share/man/man3gss/gss_str_to_oid.mit.3gss
-link path=usr/share/man/man3gss/gss_test_oid_set_member.3gss \
-    target=./gss_test_oid_set_member.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_str_to_oid.3gss
 file Solaris/man/gss_test_oid_set_member.3gss \
-    path=usr/share/man/man3gss/gss_test_oid_set_member.mit.3gss
-link path=usr/share/man/man3gss/gss_unwrap.3gss target=./gss_unwrap.mit.3gss \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.mit.3gss
-link path=usr/share/man/man3gss/gss_verify_mic.3gss \
-    target=./gss_verify_mic.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_test_oid_set_member.3gss
+file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.3gss
 file Solaris/man/gss_verify_mic.3gss \
-    path=usr/share/man/man3gss/gss_verify_mic.mit.3gss
-link path=usr/share/man/man3gss/gss_wrap.3gss target=./gss_wrap.mit.3gss \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.mit.3gss
-link path=usr/share/man/man3gss/gss_wrap_size_limit.3gss \
-    target=./gss_wrap_size_limit.mit.3gss mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/man3gss/gss_verify_mic.3gss
+file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.3gss
 file Solaris/man/gss_wrap_size_limit.3gss \
-    path=usr/share/man/man3gss/gss_wrap_size_limit.mit.3gss
-file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.mit.3lib
-file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.mit.3lib
+    path=usr/share/man/man3gss/gss_wrap_size_limit.3gss
+file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.3lib
+file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.3lib \
+    mangler.man.stability="pass-through uncommitted"
 file path=usr/share/man/man5/.k5identity.5
 file path=usr/share/man/man5/.k5login.5
-link path=usr/share/man/man5/gss_auth_rules.5 target=./gss_auth_rules.mit.5 \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.mit.5
+file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.5
 file path=usr/share/man/man5/k5identity.5
 file path=usr/share/man/man5/k5login.5
-link path=usr/share/man/man5/kerberos.5 target=./kerberos.mit.5 \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.mit.5
+file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.5
 file path=usr/share/man/man5/krb5.conf.5
-link path=usr/share/man/man5/krb5envvar.5 target=./krb5envvar.mit.5 \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.mit.5
-link path=usr/share/man/man7/krb5_auth_rules.7 target=./krb5_auth_rules.mit.7 \
-    mediator=kerberos5 mediator-implementation=MIT
-file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.mit.7
-link path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \
-    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.5 \
+    mangler.man.stability="pass-through uncommitted"
+file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.7
 file Solaris/man/zh_CN.UTF-8/kerberos.5 \
-    path=usr/share/man/zh_CN.UTF-8/man5/kerberos.mit.5
-link path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \
-    target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT
+    path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5
 file Solaris/man/zh_CN.UTF-8/krb5envvar.5 \
-    path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.mit.5
-link path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 \
-    target=./krb5_auth_rules.mit.7 mediator=kerberos5 \
-    mediator-implementation=MIT
+    path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \
+    mangler.man.stability="pass-through uncommitted"
 file Solaris/man/zh_CN.UTF-8/krb5_auth_rules.7 \
-    path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.mit.7
+    path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7
 dir  path=var/krb5/rcache group=sys mode=1777
 dir  path=var/krb5/rcache/root group=sys mode=0700 revert-tag=clone-archive=*
 license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/patches/024-smb-compat.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/024-smb-compat.patch	Wed May 11 20:33:52 2016 -0700
@@ -4,7 +4,6 @@
 # stress testing.  The CRs in order:
 #
 # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_...
-# 15648322 SUNBT6959251 coredump in gss_release_name+0x36
 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID
 # 16005842 Should retry SMB authentication upgrade to account for network...
 # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW..
@@ -68,13 +67,15 @@
          code -= ERROR_TABLE_BASE_krb5;
          if (code < 0 || code > KRB_ERR_MAX)
              code = 60 /* KRB_ERR_GENERIC */;
-diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c
---- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c
-+++ krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c
[email protected]@ -190,6 +190,13 @@
+
+diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c
+--- new/src/lib/gssapi/spnego/spnego_mech.c	2016-02-29 11:50:13.000000000 -0800
++++ patched/src/lib/gssapi/spnego/spnego_mech.c	2016-03-18 21:55:31.131280297 -0700
[email protected]@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid
  };
  const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
  
+ static int make_NegHints(OM_uint32 *, gss_buffer_t *);
 +/* encoded OID octet string for NTLMSSP security mechanism */
 +#define GSS_MECH_NTLMSSP_OID_LENGTH 10
 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012"
@@ -82,19 +83,10 @@
 +	GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID
 +};
 +
- static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *);
  static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int);
  static OM_uint32
[email protected]@ -1237,7 +1244,7 @@
- 					&hintNameBuf,
- 					&hintNameType);
- 	if (major_status != GSS_S_COMPLETE) {
--		gss_release_name(&minor, &hintName);
-+		gss_release_name(&minor, &hintKerberosName);
- 		return (major_status);
- 	}
- 	gss_release_name(&minor, &hintKerberosName);
[email protected]@ -1380,6 +1387,7 @@
+ acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t,
[email protected]@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status,
  	gss_buffer_desc der_mechTypes;
  	gss_OID mech_wanted;
  	spnego_gss_ctx_id_t sc = NULL;
@@ -102,7 +94,7 @@
  
  	ret = GSS_S_DEFECTIVE_TOKEN;
  	der_mechTypes.length = 0;
[email protected]@ -1403,6 +1411,24 @@
[email protected]@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status,
  		goto cleanup;
  	}
  	/*
@@ -127,15 +119,15 @@
  	 * Select the best match between the list of mechs
  	 * that the initiator requested and the list that
  	 * the acceptor will support.
[email protected]@ -3136,6 +3162,7 @@
- 	int		found = 0;
- 	OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
[email protected]@ -3072,6 +3163,7 @@ static OM_uint32
  	gss_OID_set mechs, goodmechs;
+	gss_OID_set_desc except_attrs;
+	gss_OID_desc attr_oids[2];
 +	char *msinterop = getenv("MS_INTEROP");
  
- 	major_status = gss_indicate_mechs(minor_status, &mechs);
- 
[email protected]@ -3150,6 +3177,15 @@
+	attr_oids[0] = *GSS_C_MA_DEPRECATED;
+	attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH;
[email protected]@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta
  		return (major_status);
  	}
  
@@ -151,7 +143,7 @@
  	for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
  		if ((mechs->elements[i].length
  		    != spnego_mechanism.mech_type.length) ||
[email protected]@ -3165,6 +3201,25 @@
[email protected]@ -3123,6 +3201,25 @@ get_available_mechs(OM_uint32 *minor_sta
  		}
  	}
  
@@ -177,7 +169,7 @@
  	/*
  	 * If the caller wanted a list of creds returned,
  	 * trim the list of mechanisms down to only those
[email protected]@ -3740,9 +3795,17 @@
[email protected]@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs
  	for (i = 0; i < received->count; i++) {
  		gss_OID mech_oid = &received->elements[i];
  
--- a/components/krb5/patches/028-rpc-gss.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/028-rpc-gss.patch	Wed May 11 20:33:52 2016 -0700
@@ -1897,9 +1897,9 @@
  RELDIR=kadm5/clnt
  
  ##DOSBUILDTOP = ..\..\..
-diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- old/src/lib/kadm5/clnt/client_init.c
-+++ new/src/lib/kadm5/clnt/client_init.c
+diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c
+--- no-028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:39:09.439503108 -0600
++++ 028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:40:49.154436988 -0600
 @@ -44,12 +44,12 @@
  #include <iprop_hdr.h>
  #include "iprop.h"
@@ -1915,7 +1915,7 @@
  
  enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
  
[email protected]@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex
[email protected]@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex
                      server_handle);
  }
  
@@ -2096,6 +2096,7 @@
 +	enum clnt_stat rpc_err_code;
 +	char *server;
 +	int port;
++	struct timeval timeout;
 +
 +        /* service name is service/host */
 +        server = strpbrk(service_name, "/");
@@ -2157,6 +2158,11 @@
 +	if (iprop_svc)
 +		free(iprop_svc);
 +
++	/* Set a one-hour timeout. */
++	timeout.tv_sec = 3600;
++	timeout.tv_usec = 0;
++	(void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout);
++
 +	handle->lhandle->clnt = handle->clnt;
 +
 +	/* now that handle->clnt is set, we can check the handle */
@@ -2296,7 +2302,14 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli
[email protected]@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli
+     rpcvers_t rpc_vers;
+     krb5_ccache ccache;
+     krb5_principal client = NULL, server = NULL;
+-    struct timeval timeout;
+ 
+     kadm5_server_handle_t handle;
+     kadm5_config_params params_local;
  
      int code = 0;
      generic_ret *r;
@@ -2304,7 +2317,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli
[email protected]@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli
      if (code)
          goto error;
  
@@ -2353,6 +2366,12 @@
 +        strncpy(svcname, svcname_in, sizeof(svcname));
 +        svcname[sizeof(svcname)-1] = '\0';
      }
+ 
+-    /* Set a one-hour timeout. */
+-    timeout.tv_sec = 3600;
+-    timeout.tv_usec = 0;
+-    (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout);
+-
 -    handle->client_socket = fd;
 -    handle->lhandle->clnt = handle->clnt;
 -    handle->lhandle->client_socket = fd;
@@ -2360,7 +2379,7 @@
 -    /* now that handle->clnt is set, we can check the handle */
 -    if ((code = _kadm5_check_handle((void *) handle)))
 -        goto error;
- 
+-
 -    /*
 -     * The RPC connection is open; establish the GSS-API
 -     * authentication context.
@@ -2419,7 +2438,7 @@
          goto error;
      }
  
[email protected]@ -357,31 +656,17 @@ cleanup:
[email protected]@ -364,31 +662,17 @@ cleanup:
      return code;
  }
  
@@ -2453,7 +2472,7 @@
      /*
       * Acquire a service ticket for [email protected] for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
[email protected]@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han
  
      code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
                      server_out);
@@ -2466,7 +2485,7 @@
      /* Improved error messages */
      if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
      if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
[email protected]@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k
[email protected]@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k
           gss_cred_id_t gss_client_creds, gss_name_t gss_target)
  {
      OM_uint32 gssstat, minor_stat;
@@ -2493,7 +2512,7 @@
      struct rpc_gss_sec sec;
  
      /* Allow unauthenticated option for testing. */
[email protected]@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k
[email protected]@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k
                                                 GSS_C_MUTUAL_FLAG
                                                 | GSS_C_REPLAY_FLAG,
                                                 0, NULL, NULL, NULL);
@@ -2501,7 +2520,6 @@
  }
  
  kadm5_ret_t
-diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c
 --- old/src/lib/kadm5/clnt/client_principal.c
 +++ new/src/lib/kadm5/clnt/client_principal.c
 @@ -5,7 +5,7 @@
@@ -2937,10 +2955,10 @@
                         (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
                         (caddr_t)&clnt_res, full_resync_timeout);
      if (status == RPC_PROCUNAVAIL) {
-diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in
---- old/src/tests/misc/Makefile.in
-+++ new/src/tests/misc/Makefile.in
[email protected]@ -12,18 +12,16 @@ SRCS=\
+diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in
+--- new/src/tests/misc/Makefile.in	2016-02-29 11:50:13.000000000 -0800
++++ patched.1/src/tests/misc/Makefile.in	2016-03-19 08:15:59.222125882 -0700
[email protected]@ -12,19 +12,17 @@ SRCS=\
  	$(srcdir)/test_cxx_krb5.cpp \
  	$(srcdir)/test_cxx_k5int.cpp \
  	$(srcdir)/test_cxx_gss.cpp \
@@ -2951,15 +2969,16 @@
  
 -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5
 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5
- 	$(RUN_SETUP) $(VALGRIND) ./test_getpw
- 	$(RUN_SETUP) $(VALGRIND) ./test_chpw_message
- 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5
- 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int
- 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_gss
--	$(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc
- 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5
+ 	$(RUN_TEST) ./test_getpw
+ 	$(RUN_TEST) ./test_chpw_message
+ 	$(RUN_TEST) ./test_cxx_krb5
+ 	$(RUN_TEST) ./test_cxx_k5int
+ 	$(RUN_TEST) ./test_cxx_gss
+-	$(RUN_TEST) ./test_cxx_rpc
+ 	$(RUN_TEST) ./test_cxx_kadm5
  
  test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB)
+ 	$(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB)
 @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int.
  	$(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
  test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT)
@@ -2981,9 +3000,9 @@
 +	$(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o
  
 diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py
---- old/src/tests/t_iprop.py
-+++ new/src/tests/t_iprop.py
[email protected]@ -1,50 +1,35 @@
+--- old/src/tests/t_iprop.py	2016-02-29 11:50:13.000000000 -0800
++++ new/src/tests/t_iprop.py	2016-04-08 11:08:10.225701596 -0700
[email protected]@ -1,44 +1,35 @@
  #!/usr/bin/python
  
  import os
@@ -2997,7 +3016,7 @@
 -def wait_for_prop(kpropd, full_expected, expected_old, expected_new):
 +def wait_for_prop(kpropd, full_expected):
      output('*** Waiting for sync from kpropd\n')
--    full_seen = sleep_seen = prodded_after_dump = False
+-    full_seen = sleep_seen = False
 -    old_sno = new_sno = -1
 +    full_seen = False
      while True:
@@ -3033,19 +3052,14 @@
 -            sleep_seen = True
          if 'load process for full propagation completed' in line:
              full_seen = True
--        if sleep_seen and full_seen and not prodded_after_dump:
--            # Prod the kpropd parent into getting incrementals after
--            # it finishes a DB load.  This will be unnecessary if
--            # kpropd is simplified to use a single process.
 +            # kpropd's child process has finished a DB load; make the parent
 +            # do another iprop request.  This will be unnecessary if kpropd
 +            # is simplified to use a single process.
-             kpropd.send_signal(signal.SIGUSR1)
--            prodded_after_dump = True
++            kpropd.send_signal(signal.SIGUSR1)
  
          # Detect some failure conditions.
          if 'Still waiting for full resync' in line:
[email protected]@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected,
[email protected]@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected,
          if 'invalid return' in line:
              fail('kadmind returned invalid result')
  
@@ -3095,7 +3109,13 @@
 -        m = re.match(r'\tUpdate principal : (.*)$', line)
 -        if m:
 -            eprinc = entries[ser - first]
--            if m.group(1) != eprinc:
+-            if eprinc == None:
+-                fail('Expected dummy update entry %d' % ser)
+-            elif m.group(1) != eprinc:
+-                fail('Expected princ %s in update entry %d' % (eprinc, ser))
+-        if line == '\tDummy entry':
+-            eprinc = entries[ser - first]
+-            if eprinc != None:
 -                fail('Expected princ %s in update entry %d' % (eprinc, ser))
 -
 -# slave1 will receive updates from master, and slave2 will receive
@@ -3158,11 +3178,8 @@
  
  ulog = os.path.join(realm.testdir, 'db.ulog')
  if not os.path.exists(ulog):
[email protected]@ -153,209 +74,117 @@ if not os.path.exists(ulog):
- 
- # Create the principal used to authenticate kpropd to kadmind.
[email protected]@ -155,234 +76,114 @@ if not os.path.exists(ulog):
  kiprop_princ = 'kiprop/' + hostname
-+realm.addprinc(kiprop_princ)
  realm.extract_keytab(kiprop_princ, realm.keytab)
  
 -# Create the initial slave1 and slave2 databases.
@@ -3177,7 +3194,7 @@
 -# Reinitialize the master ulog so we know exactly what to expect in
 -# it.
 -realm.run([kproplog, '-R'])
--check_ulog(0, 0, 0, [])
+-check_ulog(1, 1, 1, [None])
 +# Make some changes to the master db.
 +realm.addprinc('wakawaka')
 +# Add a principal enough to make realloc likely, but not enough to grow
@@ -3187,24 +3204,24 @@
 +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c
 +realm.addprinc(longname)
 +realm.addprinc('w')
-+realm.run_kadminl('modprinc -allow_tix w')
-+realm.run_kadminl('modprinc +allow_tix w')
++realm.run([kadminl, 'modprinc', '-allow_tix', 'w'])
++realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
  
 -# Make some changes to the master DB.
 -realm.addprinc(pr1)
 -realm.addprinc(pr3)
 -realm.addprinc(pr2)
--realm.run_kadminl('modprinc -allow_tix ' + pr2)
--realm.run_kadminl('modprinc +allow_tix ' + pr2)
--check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2])
+-realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
+-realm.run([kadminl, 'modprinc', '+allow_tix', pr2])
+-check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2])
 -
 -# Start kpropd for slave1 and get a full dump from master.
 -kpropd1 = realm.start_kpropd(slave1, ['-d'])
--wait_for_prop(kpropd1, True, 0, 5)
--out = realm.run_kadminl('listprincs', slave1)
+-wait_for_prop(kpropd1, True, 1, 6)
+-out = realm.run([kadminl, 'listprincs'], env=slave1)
 -if pr1 not in out or pr2 not in out or pr3 not in out:
 -    fail('slave1 does not have all principals from master')
--check_ulog(0, 0, 5, [], slave1)
+-check_ulog(1, 6, 6, [None], slave1)
 +check_serial(realm, '7')
 +
 +# Set up the kpropd acl file.
@@ -3216,23 +3233,23 @@
 +# Start kpropd and get a full dump from master.
 +kpropd = realm.start_kpropd(slave, ['-d'])
 +wait_for_prop(kpropd, True)
-+out = realm.run_kadminl('listprincs', slave)
++out = realm.run([kadminl, 'listprincs'], env=slave)
 +if longname not in out or 'wakawaka' not in out or '[email protected]' not in out:
 +    fail('Slave does not have all principals from master')
  
  # Make a change and check that it propagates incrementally.
--realm.run_kadminl('modprinc -allow_tix ' + pr2)
--check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2])
+-realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
+-check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 5, 6)
--check_ulog(1, 6, 6, [pr2], slave1)
--out = realm.run_kadminl('getprinc ' + pr2, slave1)
-+realm.run_kadminl('modprinc -allow_tix w')
+-wait_for_prop(kpropd1, False, 6, 7)
+-check_ulog(2, 6, 7, [None, pr2], slave1)
+-out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
++realm.run([kadminl, 'modprinc', '-allow_tix', 'w'])
 +check_serial(realm, '8')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '8', slave)
-+out = realm.run_kadminl('getprinc w', slave)
++out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
  if 'Attributes: DISALLOW_ALL_TIX' not in out:
 -    fail('slave1 does not have modification from master')
 +    fail('Slave does not have modification from master')
@@ -3254,26 +3271,26 @@
 -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port,
 -                              '-f', slave2_in_dump_path, '-p', kdb5_util,
 -                              '-a', acl_file, '-A', hostname], 'ready', slave2)
--wait_for_prop(kpropd2, True, 0, 6)
--check_ulog(0, 0, 6, [], slave2)
--out = realm.run_kadminl('listprincs', slave1)
+-wait_for_prop(kpropd2, True, 1, 7)
+-check_ulog(1, 7, 7, [None], slave2)
+-out = realm.run([kadminl, 'listprincs'], env=slave1)
 -if pr1 not in out or pr2 not in out or pr3 not in out:
 -    fail('slave2 does not have all principals from slave1')
 -
 -# Make another change and check that it propagates incrementally to
 -# both slaves.
--realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1)
--check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1])
+-realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1])
+-check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 6, 7)
--check_ulog(2, 6, 7, [pr2, pr1], slave1)
--out = realm.run_kadminl('getprinc ' + pr1, slave1)
+-wait_for_prop(kpropd1, False, 7, 8)
+-check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
+-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 6, 7)
--check_ulog(1, 7, 7, [pr1], slave2)
--out = realm.run_kadminl('getprinc ' + pr1, slave2)
+-wait_for_prop(kpropd2, False, 7, 8)
+-check_ulog(2, 7, 8, [None, pr1], slave2)
+-out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
 -    fail('slave2 does not have modification from slave1')
 -
@@ -3282,34 +3299,34 @@
 -# slave2 should still be in sync with slave1 after the resync, so make
 -# sure it doesn't take a full resync.
 -realm.run([kproplog, '-R'], slave1)
--check_ulog(0, 0, 0, [], slave1)
+-check_ulog(1, 1, 1, [None], slave1)
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 0, 7)
--check_ulog(2, 6, 7, [pr2, pr1], slave1)
+-wait_for_prop(kpropd1, True, 1, 8)
+-check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 7, 7)
--check_ulog(1, 7, 7, [pr1], slave2)
+-wait_for_prop(kpropd2, False, 8, 8)
+-check_ulog(2, 7, 8, [None, pr1], slave2)
 -
 -# Make another change and check that it propagates incrementally to
 -# both slaves.
 +# Make another change and check that it propagates incrementally.
- realm.run_kadminl('modprinc +allow_tix w')
--check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2])
+ realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
+-check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 7, 8)
--check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1)
--out = realm.run_kadminl('getprinc ' + pr2, slave1)
+-wait_for_prop(kpropd1, False, 8, 9)
+-check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1)
+-out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
 +check_serial(realm, '9')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '9', slave)
-+out = realm.run_kadminl('getprinc w', slave)
++out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
  if 'Attributes:\n' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 7, 8)
--check_ulog(2, 7, 8, [pr1, pr2], slave2)
--out = realm.run_kadminl('getprinc ' + pr2, slave2)
+-wait_for_prop(kpropd2, False, 8, 9)
+-check_ulog(3, 7, 9, [None, pr1, pr2], slave2)
+-out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
 +    fail('Slave does not have modification from master')
 +
 +# Reset the ulog on the slave side to force a full resync to the slave.
@@ -3320,116 +3337,111 @@
 +check_serial(realm, '9', slave)
 +
 +# Make another change and check that it propagates incrementally.
-+realm.run_kadminl('modprinc +allow_tix w')
++realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
 +check_serial(realm, '10')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '10', slave)
-+out = realm.run_kadminl('getprinc w', slave)
++out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
  if 'Attributes:\n' not in out:
 -    fail('slave2 does not have modification from slave1')
 +    fail('Slave has different state from master')
  
  # Create a policy and check that it propagates via full resync.
- realm.run_kadminl('addpol -minclasses 2 testpol')
--check_ulog(0, 0, 0, [])
+ realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol'])
+-check_ulog(1, 1, 1, [None])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 8, 0)
--check_ulog(0, 0, 0, [], slave1)
--out = realm.run_kadminl('getpol testpol', slave1)
+-wait_for_prop(kpropd1, True, 9, 1)
+-check_ulog(1, 1, 1, [None], slave1)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run_kadminl('getpol testpol', slave)
++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
  if 'Minimum number of password character classes: 2' not in out:
 -    fail('slave1 does not have policy from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 8, 0)
--check_ulog(0, 0, 0, [], slave2)
--out = realm.run_kadminl('getpol testpol', slave2)
+-wait_for_prop(kpropd2, True, 9, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
 -if 'Minimum number of password character classes: 2' not in out:
 -    fail('slave2 does not have policy from slave1')
 +    fail('Slave does not have policy from master')
  
  # Modify the policy and test that it also propagates via full resync.
- realm.run_kadminl('modpol -minlength 17 testpol')
--check_ulog(0, 0, 0, [])
+ realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol'])
+-check_ulog(1, 1, 1, [None])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 0, 0)
--check_ulog(0, 0, 0, [], slave1)
--out = realm.run_kadminl('getpol testpol', slave1)
+-wait_for_prop(kpropd1, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave1)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
 -if 'Minimum password length: 17' not in out:
 -    fail('slave1 does not have policy change from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 0, 0)
--check_ulog(0, 0, 0, [], slave2)
--out = realm.run_kadminl('getpol testpol', slave2)
+-wait_for_prop(kpropd2, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run_kadminl('getpol testpol', slave)
++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
  if 'Minimum password length: 17' not in out:
 -    fail('slave2 does not have policy change from slave1')
 +    fail('Slave does not have policy change from master')
  
  # Delete the policy and test that it propagates via full resync.
- realm.run_kadminl('delpol -force testpol')
--check_ulog(0, 0, 0, [])
+-realm.run([kadminl, 'delpol', 'testpol'])
+-check_ulog(1, 1, 1, [None])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 0, 0)
--check_ulog(0, 0, 0, [], slave1)
--out = realm.run_kadminl('getpol testpol', slave1)
+-wait_for_prop(kpropd1, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave1)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
++realm.run([kadminl, 'delpol', '-force', 'testpol'])
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run_kadminl('getpol testpol', slave)
++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1)
  if 'Policy does not exist' not in out:
 -    fail('slave1 did not get policy deletion from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 0, 0)
--check_ulog(0, 0, 0, [], slave2)
--out = realm.run_kadminl('getpol testpol', slave2)
+-wait_for_prop(kpropd2, True, 1, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
 -if 'Policy does not exist' not in out:
 -    fail('slave2 did not get policy deletion from slave1')
 -
--# Modify a principal on the master and test that it propagates via
--# full resync.  (The master's ulog does not remember the timestamp it
--# had at serial number 0, so it does not know that an incremental
--# propagation is possible.)
--realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1)
--check_ulog(1, 1, 1, [pr1])
+-# Modify a principal on the master and test that it propagates incrementally.
+-realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
+-check_ulog(2, 1, 2, [None, pr1])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 0, 1)
--check_ulog(0, 0, 1, [], slave1)
--out = realm.run_kadminl('getprinc ' + pr1, slave1)
+-wait_for_prop(kpropd1, False, 1, 2)
+-check_ulog(2, 1, 2, [None, pr1], slave1)
+-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
 -if 'Maximum ticket life: 0 days 00:10:00' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 0, 1)
--check_ulog(0, 0, 1, [], slave2)
--out = realm.run_kadminl('getprinc ' + pr1, slave2)
+-wait_for_prop(kpropd2, False, 1, 2)
+-check_ulog(2, 1, 2, [None, pr1], slave2)
+-out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
 -if 'Maximum ticket life: 0 days 00:10:00' not in out:
 -    fail('slave2 does not have modification from slave1')
 -
--# Delete a principal and test that it propagates incrementally to
--# slave1.  slave2 needs another full resync because slave1 no longer
--# has serial number 1 in its ulog after processing its first
--# incremental update.
--realm.run_kadminl('delprinc -force ' + pr3)
--check_ulog(2, 1, 2, [pr1, pr3])
+-# Delete a principal and test that it propagates incrementally.
+-realm.run([kadminl, 'delprinc', pr3])
+-check_ulog(3, 1, 3, [None, pr1, pr3])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 1, 2)
--check_ulog(1, 2, 2, [pr3], slave1)
--out = realm.run_kadminl('getprinc ' + pr3, slave1)
+-wait_for_prop(kpropd1, False, 2, 3)
+-check_ulog(3, 1, 3, [None, pr1, pr3], slave1)
+-out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1)
 -if 'Principal does not exist' not in out:
 -    fail('slave1 does not have principal deletion from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 1, 2)
--check_ulog(0, 0, 2, [], slave2)
--out = realm.run_kadminl('getprinc ' + pr3, slave2)
+-wait_for_prop(kpropd2, False, 2, 3)
+-check_ulog(3, 1, 3, [None, pr1, pr3], slave2)
+-out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
 -if 'Principal does not exist' not in out:
 -    fail('slave2 does not have principal deletion from slave1')
 +    fail('Slave did not get policy deletion from master')
@@ -3439,13 +3451,46 @@
 +# XXX Note that we only have one slave in this test, so we can't really
 +# test this.
  realm.run([kproplog, '-R'])
--check_ulog(0, 0, 0, [])
+-check_ulog(1, 1, 1, [None])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 2, 0)
--check_ulog(0, 0, 0, [], slave1)
+-wait_for_prop(kpropd1, True, 3, 1)
+-check_ulog(1, 1, 1, [None], slave1)
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 2, 0)
--check_ulog(0, 0, 0, [], slave2)
+-wait_for_prop(kpropd2, True, 3, 1)
+-check_ulog(1, 1, 1, [None], slave2)
+-
+-# Stop the kprop daemons so we can test kpropd -t.
+-stop_daemon(kpropd1)
+-stop_daemon(kpropd2)
+-
+-# Test the case where no updates are needed.
+-out = realm.run_kpropd_once(slave1, ['-d'])
+-if 'KDC is synchronized' not in out:
+-    fail('Expected synchronized from kpropd -t')
+-check_ulog(1, 1, 1, [None], slave1)
+-
+-# Make a change on the master and fetch it incrementally.
+-realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1])
+-check_ulog(2, 1, 2, [None, pr1])
+-out = realm.run_kpropd_once(slave1, ['-d'])
+-if 'Got incremental updates (sno=2 ' not in out:
+-    fail('Expected full dump and synchronized from kpropd -t')
+-check_ulog(2, 1, 2, [None, pr1], slave1)
+-out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
+-if 'Maximum ticket life: 0 days 00:05:00' not in out:
+-    fail('slave1 does not have modification from master after kpropd -t')
+-
+-# Propagate a policy change via full resync.
+-realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
+-check_ulog(1, 1, 1, [None])
+-out = realm.run_kpropd_once(slave1, ['-d'])
+-if ('Full propagation transfer finished' not in out or
+-    'KDC is synchronized' not in out):
+-    fail('Expected full dump and synchronized from kpropd -t')
+-check_ulog(1, 1, 1, [None], slave1)
+-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
+-if 'Minimum number of password character classes: 3' not in out:
+-    fail('slave1 does not have policy from master after kpropd -t')
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
@@ -3489,3 +3534,15 @@
                                   '-c', self.kadmin_ccache] + flags)
  
      def run_kadmin(self, query, **keywords):
+/usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py
+--- old/src/tests/t_ccache.py     2016-04-08 09:50:18.104351949 -0700
++++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700
[email protected]@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password('
+ realm.run([klist, '-s'])
+ realm.kinit(realm.user_princ, password('user'), ['-l', '-1s'])
+ realm.run([klist, '-s'], expected_code=1)
+-realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
++realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw'])
+ realm.run([klist, '-s'])
+ realm.run([kdestroy])
+ realm.run([klist, '-s'], expected_code=1)
--- a/components/krb5/patches/029-kadmin_disable_anonymity.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch	Wed May 11 20:33:52 2016 -0700
@@ -24,8 +24,8 @@
      }
  
      while ((optchar = getopt(argc, argv,
--                             "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
-+                             "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
+-                             "+x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
++                             "+x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
          switch (optchar) {
          case 'x':
              db_args_size++;
@@ -64,35 +64,31 @@
  Use \fIcredentials_cache\fP as the credentials cache.  The
  cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
 diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py
---- old/src/tests/t_pkinit.py	2015-02-11 19:16:43.000000000 -0800
-+++ new/src/tests/t_pkinit.py	2015-03-05 09:09:09.690228292 -0800
[email protected]@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/[email protected]
- realm.run([kvno, realm.host_princ])
+--- new/src/tests/t_pkinit.py   2016-02-29 11:50:13.000000000 -0800
++++ patched.1/src/tests/t_pkinit.py     2016-03-19 08:15:59.287791038 -0700
[email protected]@ -73,15 +73,16 @@ if '97:' in out:
+     fail('auth indicators seen in anonymous PKINIT ticket')
  
  # Test anonymous kadmin.
 -f = open(os.path.join(realm.testdir, 'acl'), 'a')
 -f.write('WELLKNOWN/[email protected]:ANONYMOUS a *')
 -f.close()
 -realm.start_kadmind()
--out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
--if 'created.' not in out:
--    fail('Could not create principal with anonymous kadmin')
--out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
+-realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
+-out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
 -if "Operation requires ``get'' privilege" not in out:
 -    fail('Anonymous kadmin has too much privilege')
 -realm.stop_kadmind()
-+sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n");
 +#f = open(os.path.join(realm.testdir, 'acl'), 'a')
 +#f.write('WELLKNOWN/[email protected]:ANONYMOUS a *')
 +#f.close()
 +#realm.start_kadmind()
-+#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
-+#if 'created.' not in out:
-+#    fail('Could not create principal with anonymous kadmin')
-+#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
++#realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
++#out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
 +#if "Operation requires ``get'' privilege" not in out:
 +#    fail('Anonymous kadmin has too much privilege')
 +#realm.stop_kadmind()
++sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n");
  
  # Test with anonymous restricted; FAST should work but kvno should fail.
  r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
--- a/components/krb5/patches/032-pam-krb5.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/032-pam-krb5.patch	Wed May 11 20:33:52 2016 -0700
@@ -14,8 +14,8 @@
 # Patch source: in-house
 #
 diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- old/src/lib/kadm5/clnt/client_init.c	2015-04-30 01:12:10.579373279 -0600
-+++ new/src/lib/kadm5/clnt/client_init.c	2015-05-26 23:38:41.638267439 -0600
+--- no-032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:25:17.265078167 -0600
++++ 032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:27:42.301681052 -0600
 @@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
  {
  	int code = 0;
@@ -25,9 +25,9 @@
  	char *iprop_svc;
  	boolean_t iprop_enable = B_FALSE;
  	char mech[] = "kerberos_v5";
[email protected]@ -316,15 +316,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
- 	char *server;
[email protected]@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
  	int port;
+ 	struct timeval timeout;
  
 -        /* service name is service/host */
 -        server = strpbrk(service_name, "/");
@@ -44,7 +44,7 @@
  
  	iprop_svc = strdup(KIPROP_SVC_NAME);
  	if (iprop_svc == NULL)
[email protected]@ -510,7 +508,7 @@ cleanup:
[email protected]@ -516,7 +514,7 @@ cleanup:
  
  static kadm5_ret_t
  init_any(krb5_context context, char *client_name, enum init_type init_type,
@@ -53,7 +53,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -528,7 +526,6 @@ init_any(krb5_context context, char *cli
[email protected]@ -534,7 +532,6 @@ init_any(krb5_context context, char *cli
  
      int code = 0;
      generic_ret *r;
@@ -61,7 +61,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -597,15 +594,19 @@ init_any(krb5_context context, char *cli
[email protected]@ -603,15 +600,19 @@ init_any(krb5_context context, char *cli
          goto error;
  
      /* NULL svcname means use host-based. */
@@ -88,7 +88,7 @@
      }
  
      /* Get credentials. */
[email protected]@ -660,14 +661,52 @@ cleanup:
[email protected]@ -666,14 +667,52 @@ cleanup:
  static kadm5_ret_t
  get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
                 enum init_type init_type, char *pass, krb5_ccache ccache_in,
@@ -142,7 +142,7 @@
       * Acquire a service ticket for [email protected] for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
       * INIT_CREDS, use the ccache we were provided instead.
[email protected]@ -702,7 +741,7 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t han
      }
      handle->lhandle->cache_name = handle->cache_name;
  
--- a/components/krb5/patches/035-multi-master.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/035-multi-master.patch	Wed May 11 20:33:52 2016 -0700
@@ -8,10 +8,10 @@
 # should look at modifying/deleting this patch.
 # Patch source: in-house
 #
-diff -u -r old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c
---- old/src/kadmin/cli/kadmin.c	2015-05-28 15:10:45.129616302 -0500
-+++ new/src/kadmin/cli/kadmin.c	2015-05-29 13:32:41.901105712 -0500
[email protected]@ -268,7 +268,7 @@
+diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c
+--- old/src/kadmin/cli/kadmin.c	2016-03-31 16:44:43.282366236 -0700
++++ patched/src/kadmin/cli/kadmin.c	2016-03-31 19:24:20.929551275 -0700
[email protected]@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], c
      char **db_args = NULL;
      int db_args_size = 0;
      char *db_name = NULL;
@@ -20,7 +20,7 @@
  
      memset(&params, 0, sizeof(params));
  
[email protected]@ -380,11 +380,6 @@
[email protected]@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], c
      params.mask |= KADM5_CONFIG_REALM;
      params.realm = def_realm;
  
@@ -32,36 +32,35 @@
      /*
       * Set cc to an open credentials cache, either specified by the -c
       * argument or the default.
[email protected]@ -515,13 +510,15 @@
[email protected]@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], c
      if (ccache_name) {
-         printf(_("Authenticating as principal %s with existing "
-                  "credentials.\n"), princstr);
+         info(_("Authenticating as principal %s with existing "
+                "credentials.\n"), princstr);
 -        retval = kadm5_init_with_creds(context, princstr, cc, svcname, &params,
 +        retval = kadm5_init_with_creds_mm(context, princstr, cc, svcnames,
 +                                       &params,
                                         KADM5_STRUCT_VERSION,
                                         KADM5_API_VERSION_4, db_args, &handle);
      } else if (use_anonymous) {
-         printf(_("Authenticating as principal %s with password; "
-                  "anonymous requested.\n"), princstr);
+         info(_("Authenticating as principal %s with password; "
+                "anonymous requested.\n"), princstr);
 -        retval = kadm5_init_anonymous(context, princstr, svcname, &params,
-+        retval = kadm5_init_anonymous_mm(context, princstr, svcnames,
-+                                      &params,
++        retval = kadm5_init_anonymous_mm(context, princstr, svcnames, &params,
                                        KADM5_STRUCT_VERSION,
                                        KADM5_API_VERSION_4, db_args, &handle);
      } else if (use_keytab) {
[email protected]@ -531,17 +528,20 @@
-         else
-             printf(_("Authenticating as principal %s with default keytab.\n"),
-                    princstr);
[email protected]@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], c
+             info(_("Authenticating as principal %s with default keytab.\n"),
+                  princstr);
+         }
 -        retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname,
 +        retval = kadm5_init_with_skey_mm(context, princstr, keytab_name,
 +                                      svcnames,
                                        &params, KADM5_STRUCT_VERSION,
                                        KADM5_API_VERSION_4, db_args, &handle);
      } else {
-         printf(_("Authenticating as principal %s with password.\n"),
-                princstr);
+         info(_("Authenticating as principal %s with password.\n"),
+              princstr);
 -        retval = kadm5_init_with_password(context, princstr, password, svcname,
 +        retval = kadm5_init_with_password_mm(context, princstr, password,
 +                                          svcnames,
@@ -128,10 +127,10 @@
  kadm5_ret_t    kadm5_lock(void *server_handle);
  kadm5_ret_t    kadm5_unlock(void *server_handle);
  kadm5_ret_t    kadm5_flush(void *server_handle);
-diff -u -r old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- old/src/lib/kadm5/clnt/client_init.c	2015-05-28 15:10:45.192975632 -0500
-+++ new/src/lib/kadm5/clnt/client_init.c	2015-06-02 10:33:51.639341637 -0500
[email protected]@ -55,7 +55,7 @@
+/usr/gnu/bin/diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
+--- unpatched/src/lib/kadm5/clnt/client_init.c	2016-03-28 00:19:36.988270188 -0600
++++ patched/src/lib/kadm5/clnt/client_init.c	2016-03-28 13:12:43.769371355 -0600
[email protected]@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, I
  
  static kadm5_ret_t
  init_any(krb5_context context, char *client_name, enum init_type init_type,
@@ -140,7 +139,7 @@
           kadm5_config_params *params, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle);
  
[email protected]@ -87,8 +87,25 @@
[email protected]@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context conte
                        krb5_ui_4 api_version, char **db_args,
                        void **server_handle)
  {
@@ -167,7 +166,7 @@
                      server_handle);
  }
  
[email protected]@ -99,7 +116,24 @@
[email protected]@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context co
                           krb5_ui_4 api_version, char **db_args,
                           void **server_handle)
  {
@@ -193,7 +192,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
[email protected]@ -110,8 +144,24 @@
[email protected]@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context contex
                       krb5_ui_4 struct_version, krb5_ui_4 api_version,
                       char **db_args, void **server_handle)
  {
@@ -219,7 +218,7 @@
                      db_args, server_handle);
  }
  
[email protected]@ -121,7 +171,23 @@
[email protected]@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *c
             krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args,
             void **server_handle)
  {
@@ -244,7 +243,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
[email protected]@ -133,8 +199,25 @@
[email protected]@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context contex
                       krb5_ui_4 api_version, char **db_args,
                       void **server_handle)
  {
@@ -271,7 +270,7 @@
                      server_handle);
  }
  
[email protected]@ -338,7 +421,7 @@
[email protected]@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
  	}
  
  	/*
@@ -280,7 +279,7 @@
  	 *    - if iprop_port is configured, connect to iprop_port
  	 *    - if not, query remote rpc/bind
  	 *    - if that fails, try consuming iprop service on kadmin port
[email protected]@ -506,9 +589,35 @@
[email protected]@ -512,9 +595,35 @@ cleanup:
  	return (code);
  }
  
@@ -317,7 +316,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -526,6 +635,10 @@
[email protected]@ -532,6 +641,10 @@ init_any(krb5_context context, char *cli
  
      int code = 0;
      generic_ret *r;
@@ -328,7 +327,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -593,34 +706,56 @@
[email protected]@ -599,34 +712,56 @@ init_any(krb5_context context, char *cli
      if (code)
          goto error;
  
@@ -407,7 +406,7 @@
      *server_handle = (void *) handle;
  
      goto cleanup;
[email protected]@ -653,6 +788,8 @@
[email protected]@ -659,6 +794,8 @@ cleanup:
      krb5_free_principal(handle->context, server);
      if (code)
          free(handle);
@@ -416,7 +415,7 @@
  
      return code;
  }
[email protected]@ -665,46 +802,43 @@
[email protected]@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t han
  {
      kadm5_ret_t code;
      krb5_ccache ccache = NULL;
@@ -494,7 +493,7 @@
  
      /*
       * Acquire a service ticket for [email protected] for client, using password
[email protected]@ -741,7 +875,7 @@
[email protected]@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t han
      }
      handle->lhandle->cache_name = handle->cache_name;
  
--- a/components/krb5/patches/036-verify-nofail.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/036-verify-nofail.patch	Wed May 11 20:33:52 2016 -0700
@@ -21,8 +21,8 @@
      if (*argv != NULL)
          check(krb5_parse_name(context, *argv, &princ));
 diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py
---- old/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 14:42:17.100176857 -0600
-+++ new/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 18:03:03.977698328 -0600
+--- old/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 16:44:48.483714940 -0700
++++ patched/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 19:34:30.816360770 -0700
 @@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds'])
  realm.run(['./t_vfy_increds', '-n'])
  
@@ -55,8 +55,8 @@
 -# default (succeeding unless nofail is set), but should verify with it
 +# default (succeeding only when nofail is unset), but should verify with it
  # when it is specifically requested.
- realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
- realm.run_kadminl('ktadd ' + realm.nfs_princ)
+ realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ])
+ realm.run([kadminl, 'ktadd', realm.nfs_princ])
 -realm.run(['./t_vfy_increds'])
 +realm.run(['./t_vfy_increds'], expected_code=1)
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -65,7 +65,7 @@
 @@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real
  # results with the default principal argument, but verification should
  # now fail if we request it specifically.
- realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
+ realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ])
 -realm.run(['./t_vfy_increds'])
 +realm.run(['./t_vfy_increds'], expected_code=1)
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
--- a/components/krb5/patches/045-correct_err_code_for_bad_QOP.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-#
-# This patch fixes krb5_gss_wrap_size_limit return code to comply with
-# RFC 2743.
-#
-# Found by usr/ontest/lib/libgss/gss_api:gss.17.
-#
-# The patch was accepted upstream and will be part of krb5 1.14:
-# https://github.com/krb5/krb5/commit/45ccc1c85f42e4f41f2042df8a51dd7826533029
-# Patch source: in-house
-#
-diff -pur old/src/lib/gssapi/krb5/k5seal.c new/src/lib/gssapi/krb5/k5seal.c
---- old/src/lib/gssapi/krb5/k5seal.c
-+++ new/src/lib/gssapi/krb5/k5seal.c
[email protected]@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, co
-        them later.  */
-     if (qop_req != 0) {
-         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
--        return GSS_S_FAILURE;
-+        return GSS_S_BAD_QOP;
-     }
- 
-     ctx = (krb5_gss_ctx_id_rec *) context_handle;
-diff -pur old/src/lib/gssapi/krb5/k5sealiov.c new/src/lib/gssapi/krb5/k5sealiov.c
---- old/src/lib/gssapi/krb5/k5sealiov.c
-+++ new/src/lib/gssapi/krb5/k5sealiov.c
[email protected]@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status,
- 
-     if (qop_req != 0) {
-         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
--        return GSS_S_FAILURE;
-+        return GSS_S_BAD_QOP;
-     }
- 
-     ctx = (krb5_gss_ctx_id_rec *)context_handle;
[email protected]@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_stat
- 
-     if (qop_req != GSS_C_QOP_DEFAULT) {
-         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
--        return GSS_S_FAILURE;
-+        return GSS_S_BAD_QOP;
-     }
- 
-     ctx = (krb5_gss_ctx_id_rec *)context_handle;
-diff -pur old/src/lib/gssapi/krb5/wrap_size_limit.c new/src/lib/gssapi/krb5/wrap_size_limit.c
---- old/src/lib/gssapi/krb5/wrap_size_limit.c
-+++ new/src/lib/gssapi/krb5/wrap_size_limit.c
[email protected]@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, c
-     /* only default qop is allowed */
-     if (qop_req != GSS_C_QOP_DEFAULT) {
-         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
--        return(GSS_S_FAILURE);
-+        return(GSS_S_BAD_QOP);
-     }
- 
-     ctx = (krb5_gss_ctx_id_rec *) context_handle;
--- a/components/krb5/patches/046-creds_usage_mismatch_err_code.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-#
-# In krb5_gss_store_cred_into(), if the credential is acceptor-only, set
-# the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of
-# G_BAD_USAGE.
-#
-# Found by usr/ontest/lib/libgss/gss_api:gss.27.
-#
-# Accepted upstream, will be part of krb5 1.14:
-# https://github.com/krb5/krb5/commit/c0e16bb2f654038ad81602e89851f232916da051
-# Patch source: in-house
-#
-diff -pur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c
---- old/src/lib/gssapi/krb5/store_cred.c	2015-06-12 08:13:27.399201700 -0700
-+++ new/src/lib/gssapi/krb5/store_cred.c	2015-06-12 08:17:35.570611897 -0700
[email protected]@ -241,7 +241,10 @@ krb5_gss_store_cred_into(OM_uint32 *mino
-     if (lifetime == 0)
-         return GSS_S_CREDENTIALS_EXPIRED;
- 
--    if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
-+    if (actual_usage == GSS_C_ACCEPT) {
-+        *minor_status = G_STORE_ACCEPTOR_CRED_NOSUPP;
-+        return GSS_S_FAILURE;
-+    } else if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
-         *minor_status = G_BAD_USAGE;
-         return GSS_S_FAILURE;
-     }
--- a/components/krb5/patches/051-fopenF.patch	Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/patches/051-fopenF.patch	Wed May 11 20:33:52 2016 -0700
@@ -787,9 +787,9 @@
                  if (!logfile) {
                      perror(*argv);
 diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c
---- krb5-1.13.2/src/util/profile/prof_file.c	2015-05-08 18:27:02.000000000 -0500
-+++ krb5-1.13.2.fopen/src/util/profile/prof_file.c	2015-08-11 13:56:49.450805045 -0500
[email protected]@ -123,7 +123,7 @@
+--- old/src/util/profile/prof_file.c	2016-03-31 16:44:53.634245353 -0700
++++ patched/src/util/profile/prof_file.c	2016-03-31 20:07:34.843286876 -0700
[email protected]@ -126,7 +126,7 @@ static int rw_access(const_profile_files
       */
      FILE    *f;
  
@@ -798,7 +798,7 @@
      if (f) {
          fclose(f);
          return 1;
[email protected]@ -147,7 +147,7 @@
[email protected]@ -150,7 +150,7 @@ static int r_access(const_profile_filesp
       */
      FILE    *f;
  
@@ -807,16 +807,16 @@
      if (f) {
          fclose(f);
          return 1;
[email protected]@ -346,7 +346,7 @@
-     }
[email protected]@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locke
  #endif
-     errno = 0;
--    f = fopen(data->filespec, "r");
-+    f = fopen(data->filespec, "rF");
-     if (f == NULL) {
-         retval = errno;
-         if (retval == 0)
[email protected]@ -411,7 +411,7 @@
+     if (!isdir) {
+         errno = 0;
+-        f = fopen(data->filespec, "r");
++        f = fopen(data->filespec, "rF");
+         if (f == NULL)
+             return (errno != 0) ? errno : ENOENT;
+         set_cloexec_file(f);
[email protected]@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_
  
      errno = 0;
  
--- a/components/krb5/patches/061-ccache-nounlink.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,269 +0,0 @@
-#
-# This patch modifies the MIT implementation of krb5_fcc_initialize() so
-# it doesn't call unlink() on an existing ccache file.  This modification
-# was done a long time ago in Solaris to workaround a race condition
-# brought on by the interaction between Solaris pam_krb5 and MIT's
-# implementation of krb5_fcc_initialize().  Given there are better ways of
-# fixing the race condition we will not give this patch to MIT however a
-# proper race condition fix would take prohibitively long to implement
-# hence this patch.  When pam_krb5 is modified to better deal with the
-# ccache file and RFE 22229031 regarding ktkt_warnd is implemented then
-# this patch can be removed.
-# Patch source: in-house
-#
-
-diff -Naru old/src/lib/krb5/ccache/cc_file.c new/src/lib/krb5/ccache/cc_file.c
---- old/src/lib/krb5/ccache/cc_file.c	2015-05-08 16:27:02.000000000 -0700
-+++ new/src/lib/krb5/ccache/cc_file.c	2015-11-16 15:54:02.138183303 -0800
[email protected]@ -64,6 +64,10 @@
- #include "k5-int.h"
- #include "cc-int.h"
- 
-+/* Solaris Kerberos */
-+#include <syslog.h>
-+#include <ctype.h>
-+
- #include <stdio.h>
- #include <errno.h>
- 
[email protected]@ -71,6 +75,11 @@
- #include <unistd.h>
- #endif
- 
-+/* Solaris Kerberos */
-+/* How long to block if flock fails with EAGAIN */
-+#define    LOCK_RETRIES    100
-+#define    WAIT_LENGTH    20    /* in milliseconds */
-+
- extern const krb5_cc_ops krb5_cc_file_ops;
- 
- krb5_error_code krb5_change_cache(void);
[email protected]@ -85,6 +94,7 @@
- #define FCC_OPEN_AND_ERASE      1
- #define FCC_OPEN_RDWR           2
- #define FCC_OPEN_RDONLY         3
-+#define	FCC_OPEN_AND_ERASE_NOUNLINK	255    /* Solaris Kerberos */
- 
- #define FCC_TAG_DELTATIME       1
- 
[email protected]@ -524,6 +534,130 @@
-     ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF))
- #endif
- 
-+/* Solaris Kerberos */
-+static krb5_error_code
-+krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
-+{
-+     struct stat lres;
-+     struct stat fres;
-+     int error;
-+     uid_t uid, euid;
-+     int fd;
-+     int newfile = 0;
-+
-+     *ret_fd = -1;
-+     /*
-+      * Solaris Kerberos
-+      * If we are opening in NOUNLINK mode, we have to check that the
-+      * existing file, if any, is not a symlink. If it is, we try to
-+      * delete and re-create it.
-+      */
-+     error = lstat(filename, &lres);
-+     if (error == -1 && errno != ENOENT) {
-+         syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
-+         return (-1);
-+     }
-+
-+     if (error == 0 && !S_ISREG(lres.st_mode)) {
-+         syslog(LOG_WARNING, "%s is not a plain file!", filename);
-+         syslog(LOG_WARNING, "trying to unlink %s", filename);
-+         if (unlink(filename) != 0) {
-+              syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+              return (-1);
-+         }
-+     }
-+
-+     fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK | O_NOFOLLOW, 0600);
-+     if (fd == -1) {
-+         if (errno == ENOENT) {
-+              fd = THREEPARAMOPEN(filename, open_flag | O_EXCL | O_CREAT,
-+                  0600);
-+              if (fd != -1) {
-+                  newfile = 1;
-+              } else {
-+                  /* If the file got created after the open we must retry */
-+                  if (errno == EEXIST)
-+                      return (0);
-+              }
-+         } else if (errno == EACCES) {
-+            /*
-+             * We failed since the file existed with wrong permissions.
-+             * Let's try to unlink it and if that succeeds retry.
-+             */
-+            syslog(LOG_WARNING, "Insufficient permissions on %s", filename);
-+            syslog(LOG_WARNING, "trying to unlink %s", filename);
-+            if (unlink(filename) != 0) {
-+                syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+                return (-1);
-+            }
-+            return (0);
-+        }
-+    }
-+    /* If we still don't have a valid fd, we stop trying */
-+    if (fd == -1)
-+        return (-1);
-+
-+    /*
-+     * Solaris Kerberos
-+     * If the file was not created now with a O_CREAT | O_EXCL open,
-+     * we have opened an existing file. We should check if the file
-+     * owner is us, if not, unlink and retry. If unlink fails we log
-+     * the error and return.
-+     */
-+    if (!newfile) {
-+        if (fstat(fd, &fres) == -1) {
-+            syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
-+            close(fd);
-+            return (-1);
-+        }
-+        /* Check if this is the same file we lstat'd earlier */
-+        if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) {
-+            syslog(LOG_ERR, "%s changed between stat and open!", filename);
-+            close(fd);
-+            return (-1);
-+        }
-+
-+        /*
-+         * Solaris Kerberos
-+         * Check if the cc filename uid matches owner of file.
-+         * Expects cc file to be in the form of /tmp/krb5cc_<uid>,
-+         * else skip this check.
-+         */
-+        if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) {
-+            uid_t fname_uid;
-+            char *uidstr = strchr(filename, '_');
-+            char *s = NULL;
-+
-+            /* make sure we have some non-null char after '_' */
-+            if (!*++uidstr)
-+                goto out;
-+
-+            /* make sure the uid part is all digits */
-+            for (s = uidstr; *s; s++)
-+                if (!isdigit(*s))
-+                    goto out;
-+
-+            fname_uid = (uid_t) atoi(uidstr);
-+            if (fname_uid != fres.st_uid) {
-+                close(fd);
-+                syslog(LOG_WARNING, "%s owned by %d instead of %d",
-+                    filename, fres.st_uid, fname_uid);
-+                syslog(LOG_WARNING, "trying to unlink %s", filename);
-+                if (unlink(filename) != 0) {
-+                    syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+                    return (-1);
-+                }
-+                return (0);
-+            }
-+        }
-+    }
-+
-+out:
-+    *new = newfile;
-+    *ret_fd = fd;
-+    return (0);
-+}
-+
- /* Open and lock the cache file.  If mode is FCC_OPEN_AND_ERASE, initialize it
-  * with a header.  Call with the mutex locked. */
- static krb5_error_code
[email protected]@ -538,6 +672,10 @@
-     int f, open_flag, lock_flag, cnt;
-     char buf[1024];
- 
-+    /* Solaris Kerberos */
-+    int retries = 0;
-+    int newfile = 0;
-+
-     k5_cc_mutex_assert_locked(context, &data->lock);
-     invalidate_cache(data);
- 
[email protected]@ -549,6 +687,10 @@
-     }
- 
-     switch (mode) {
-+	/* Solaris Kerberos */
-+    case FCC_OPEN_AND_ERASE_NOUNLINK:
-+        open_flag = O_RDWR;
-+        break;
-     case FCC_OPEN_AND_ERASE:
-         unlink(data->filename);
-         open_flag = O_CREAT | O_EXCL | O_TRUNC | O_RDWR;
[email protected]@ -562,7 +704,21 @@
-         break;
-     }
- 
-+fcc_retry:
-+    /*
-+     * Solaris Kerberos
-+     * If we are opening in NOUNLINK mode, check whether we are opening a
-+     * symlink or a file owned by some other user and take preventive action.
-+     */
-+    newfile = 0;
-+    if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
-+     ret = krb5_fcc_open_nounlink(data->filename, open_flag,
-+                     &f, &newfile);
-+     if (ret == 0 && f == -1)
-+          goto fcc_retry;
-+    } else {
-     f = THREEPARAMOPEN(data->filename, open_flag | O_BINARY, 0600);
-+    }
-     if (f == NO_FILE) {
-         if (errno == ENOENT) {
-             ret = KRB5_FCC_NOFILE;
[email protected]@ -584,10 +740,26 @@
-     ret = krb5_lock_file(context, f, lock_flag);
-     if (ret) {
-         (void)close(f);
-+        if (ret == EAGAIN && retries++ < LOCK_RETRIES) {
-+            /* Solaris Kerberos wait some time before retrying */
-+            if (poll(NULL, 0, WAIT_LENGTH) == 0)
-+                goto fcc_retry;
-+        }
-+        syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename);
-         return ret;
-     }
- 
--    if (mode == FCC_OPEN_AND_ERASE) {
-+    if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
-+        /*
-+         * Solaris Kerberos
-+         * If this file was not created, we have to flush existing data.
-+         * This will happen only if we are doing an ERASE_NOUNLINK open.
-+         */
-+        if (newfile == 0 && (ftruncate(f, 0) == -1)) {
-+            syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename);
-+            close(f);
-+            return (interpret_errno(context, errno));
-+        }
-         /* write the version number */
-         store_16_be(context->fcc_default_format, fcc_fvno);
-         data->version = context->fcc_default_format;
[email protected]@ -755,14 +927,16 @@
- 
-     k5_cc_mutex_lock(context, &data->lock);
- 
--    MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE);
-+    MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK);
- 
-+#if 0
- #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD)
- #ifdef HAVE_FCHMOD
-     st = fchmod(data->fd, S_IRUSR | S_IWUSR);
- #else
-     st = chmod(data->filename, S_IRUSR | S_IWUSR);
- #endif
-+#endif
-     if (st == -1) {
-         ret = interpret_errno(context, errno);
-         MAYBE_CLOSE(context, id, ret);
--- a/components/krb5/patches/064-enable-debug-compile.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-#
-# This patch fixes a minor issue where the hostrealm plugin test program will
-# not compile non-optimized.  There is a MIT ticket which they intend on
-# fixing: Ticket #8326 hostrealm code won't compile in debug mode using Solaris
-# Studio C 
-# Patch source: in-house
-#
-diff -ur krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
---- krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in
-+++ krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
[email protected]@ -5,9 +5,10 @@
- LIBMAJOR=0
- LIBMINOR=0
- RELDIR=../plugins/hostrealm/test
--# Depends on libkrb5
--SHLIB_EXPDEPS= $(KRB5_DEPLIB)
--SHLIB_EXPLIBS= $(KRB5_LIB)
-+# Depends on libkrb5 and libkrb5support when building non-optimized with
-+# certain compilers.
-+SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB)
-+SHLIB_EXPLIBS= $(KRB5_LIB) $(SUPPORT_LIB)
- 
- STLIBOBJS=main.o
- 
-
--- a/components/krb5/patches/066-sanitize_context_ptr.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-# Sanitize context pointer in gss_export_sec_context
-# 
-# After 4f35b27 context pointer in gss_export_sec_context() is first
-# dereferenced before arguments are sanitized in val_exp_sec_ctx_args().
-# With context == NULL the new code segfaults instead of failing
-# gracefully.
-# 
-# Revert this part of 4f35b27 and only dereference context if not NULL.
-#
-# Patch submitted upstream:
-# https://github.com/krb5/krb5/pull/382
-# Patch source: in-house
-#
-
-diff -pur old/src/lib/gssapi/mechglue/g_exp_sec_context.c new/src/lib/gssapi/mechglue/g_exp_sec_context.c
---- old/src/lib/gssapi/mechglue/g_exp_sec_context.c
-+++ new/src/lib/gssapi/mechglue/g_exp_sec_context.c
[email protected]@ -79,7 +79,7 @@ gss_buffer_t		interprocess_token;
- {
-     OM_uint32		status;
-     OM_uint32 		length;
--    gss_union_ctx_id_t	ctx = (gss_union_ctx_id_t) *context_handle;
-+    gss_union_ctx_id_t	ctx;
-     gss_mechanism	mech;
-     gss_buffer_desc	token = GSS_C_EMPTY_BUFFER;
-     char		*buf;
[email protected]@ -94,6 +94,7 @@ gss_buffer_t		interprocess_token;
-      * call it.
-      */
- 
-+    ctx = (gss_union_ctx_id_t) *context_handle;
-     mech = gssint_get_mechanism (ctx->mech_type);
-     if (!mech)
- 	return GSS_S_BAD_MECH;
--- a/components/krb5/patches/067-iprop-double-free-fix.patch	Tue May 10 22:37:01 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-# Fix a potential but unlikely to occur double free() in a couple places in ipropd_svc.c.
-# This has been reported to MIT who will be fixing this via pull request
-# https://github.com/krb5/krb5/pull/396 .
-# Patch source: in-house
-
-diff -ur krb5-1.13.3/src/kadmin/server/ipropd_svc.c krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
---- krb5-1.13.3/src/kadmin/server/ipropd_svc.c
-+++ krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
[email protected]@ -160,8 +160,6 @@
- 	client_name = buf_to_string(&client_desc);
- 	service_name = buf_to_string(&service_desc);
- 	if (client_name == NULL || service_name == NULL) {
--	    free(client_name);
--	    free(service_name);
- 	    krb5_klog_syslog(LOG_ERR,
- 			     _("%s: out of memory recording principal names"),
- 			     whoami);
[email protected]@ -288,8 +286,6 @@
- 	client_name = buf_to_string(&client_desc);
- 	service_name = buf_to_string(&service_desc);
- 	if (client_name == NULL || service_name == NULL) {
--	    free(client_name);
--	    free(service_name);
- 	    DPRINT("%s: out of memory\n", whoami);
- 	    krb5_klog_syslog(LOG_ERR,
- 			     _("%s: out of memory recording principal names"),