author | Shawn Emery <shawn.emery@oracle.com> |
Wed, 11 May 2016 20:33:52 -0700 | |
changeset 5969 | 96bac9fbcfbd |
parent 5968 | a64f1dcdc61b |
child 5970 | 86291cd54b86 |
--- a/components/krb5/Makefile Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/Makefile Wed May 11 20:33:52 2016 -0700 @@ -18,28 +18,35 @@ # # CDDL HEADER END # + +# # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # - +BUILD_BITS= 64_and_32 include ../../make-rules/shared-macros.mk COMPONENT_NAME= Kerberos -COMPONENT_MINOR= 1.13 -COMPONENT_VERSION= 1.13.3 +# Encoding rule for MAJOR: MIT KerberosV5 x.y[.z] => MAJOR x +# Encoding rule for MINOR: MIT KerberosV5 x.y[.z] => MINOR $MAJOR.y +# Encoding rule for MICRO: MIT KerberosV5 x.y[.z] => MICRO $MINOR[.z] +COMPONENT_MAJOR= 1 +COMPONENT_MINOR= $(COMPONENT_MAJOR).14 +COMPONENT_MICRO= $(COMPONENT_MINOR).2 + +COMPONENT_VERSION= $(COMPONENT_MICRO) +IPS_COMPONENT_VERSION= $(COMPONENT_VERSION).0 + COMPONENT_PROJECT_URL= http://web.mit.edu/kerberos/ COMPONENT_SRC= krb5-$(COMPONENT_VERSION) -COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe + sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 COMPONENT_ARCHIVE_URL= \ $(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/kerberos -TPNO= 26018 +TPNO= 27916 -include $(WS_MAKE_RULES)/prep.mk -include $(WS_MAKE_RULES)/configure.mk -include $(WS_MAKE_RULES)/lint-libraries.mk +include $(WS_MAKE_RULES)/common.mk LINT_FLAGS += -I$(PROTOUSRINCDIR) -I$(PROTOUSRINCDIR)/kerberosv5 -I$(COMPONENT_DIR)/Solaris @@ -50,11 +57,6 @@ PUBLISH_STAMP= endif -include $(WS_MAKE_RULES)/ips.mk - -# Encoding rules for IPS: MIT KerberosV5 <x>.<y>[.<z>] => IPS <x>.<y>.[<z>|0].0 -IPS_COMPONENT_VERSION= 1.13.3.0 - # The configure script is not at the top of the source directory. CONFIGURE_SCRIPT= $(SOURCE_DIR)/src/configure 
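Review bot: The new `COMPONENT_ARCHIVE_HASH` is the only integrity control on this download, because `COMPONENT_ARCHIVE_URL` is still built from the unchanged `COMPONENT_PROJECT_URL= http://web.mit.edu/kerberos/`, which is plain HTTP. The sha256 value should be confirmed against upstream's signed 1.14.2 release rather than computed from whatever the build host fetched. If upstream serves the same path over TLS, the line would become `COMPONENT_PROJECT_URL= https://web.mit.edu/kerberos/`. Separately, this hunk deletes `COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz` while `COMPONENT_ARCHIVE_URL` still expands `$(COMPONENT_ARCHIVE)`. Presumably the shared make rules supply a default, but that is not visible here and is worth confirming, since an empty value would change what is fetched and hashed.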
@@ -70,11 +72,6 @@ # If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch. LDFLAGS += -lc $(LD_Z_DEFS) -CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)" -CONFIGURE_ENV += CFLAGS="$(CFLAGS)" -CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)" -CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)" -CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)" CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab" CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab" @@ -84,9 +81,6 @@ CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR) CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64) CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5 -# to avoid executing subprocesses from /usr/[s]bin/$(MACH64): -CONFIGURE_OPTIONS += --bindir=$(USRBINDIR) -CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR) CONFIGURE_OPTIONS += --with-crypto-impl=openssl CONFIGURE_OPTIONS += --with-ldap CONFIGURE_OPTIONS += --with-prng-alg=os @@ -188,16 +182,6 @@ $(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \ $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); -ASLR_MODE = $(ASLR_ENABLE) - -# common targets -build: $(BUILD_32_and_64) - -install: $(INSTALL_32_and_64) - -# build does this always -test: $(TEST_32_and_64) - REQUIRED_PACKAGES += developer/test/dejagnu REQUIRED_PACKAGES += library/libedit REQUIRED_PACKAGES += library/openldap @@ -205,7 +189,7 @@ REQUIRED_PACKAGES += network/dns/bind REQUIRED_PACKAGES += service/security/kerberos-5 REQUIRED_PACKAGES += shell/ksh93 -REQUIRED_PACKAGES += system/library +REQUIRED_PACKAGES += system/core-os REQUIRED_PACKAGES += system/library/math REQUIRED_PACKAGES += system/library/security/gss
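Review bot: Dropping `ASLR_MODE = $(ASLR_ENABLE)` in the `@@ -188,16 +182,6 @@` hunk leaves address-space randomisation of the Kerberos binaries to whatever default the newly included `common.mk` sets, which this diff does not show. For a KDC and its network-facing daemons, either confirm that default is enabled or keep the line with a comment such as `# keep ASLR explicit for network-facing daemons`. The same dependence on unseen defaults applies to the `CONFIGURE_ENV` flag exports and the `--bindir`/`--sbindir` options deleted in the two hunks above. The removed comment says the latter existed to avoid executing subprocesses from `/usr/[s]bin/$(MACH64)`, so the helper paths compiled into the daemons should be rechecked against where the manifests now deliver the binaries.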
--- a/components/krb5/Solaris/libkadm5clnt.mapfile-vers Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers Wed May 11 20:33:52 2016 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. # $mapfile_version 2 
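Review bot: The copyright line replaces 2015 with 2016 instead of extending the range, so the first-publication year looks dropped by accident. The Makefile and the two package manifests in this changeset carry `Copyright (c) 2015, 2016, Oracle and/or its affiliates.` The line here would then read `# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.`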
@@ -26,22 +26,22 @@ STUB_OBJECT; SYMBOL_VERSION SUNWprivate_1.1 { global: - free_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_destroy { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; - kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + free_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_destroy { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = 
libkadm5clnt_mit.so.10.0 }; + kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; local: *;
--- a/components/krb5/krb5-kdc.p5m Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/krb5-kdc.p5m Wed May 11 20:33:52 2016 -0700 @@ -21,7 +21,7 @@ # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # -<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted> +<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed"> set name=pkg.fmri \ value=pkg:/security/kerberos-5/kdc@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="Kerberos V5 Key Distribution Center (KDC)" 
@@ -33,91 +33,39 @@ set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/144 +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) -file Solaris/kadmin.xml \ - path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ +file Solaris/kadmin.xml path=lib/svc/manifest/network/security/kadmin.xml \ restart_fmri=svc:/system/manifest-import:default file Solaris/krb5_prop.xml \ - path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ - restart_fmri=svc:/system/manifest-import:default -file Solaris/krb5kdc.xml \ - path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ + path=lib/svc/manifest/network/security/krb5_prop.xml \ restart_fmri=svc:/system/manifest-import:default -link path=lib/svc/manifest/network/security/kadmin.xml \ - target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ - mediator=kerberos5 mediator-implementation=MIT -link path=lib/svc/manifest/network/security/krb5_prop.xml \ - target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ - mediator=kerberos5 mediator-implementation=MIT -link path=lib/svc/manifest/network/security/krb5kdc.xml \ - target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ - mediator=kerberos5 mediator-implementation=MIT -file usr/sbin/kadmin.local \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local -file usr/sbin/kadmind \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind -file usr/sbin/kdb5_ldap_util \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util -file usr/sbin/kdb5_util \ - 
path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util -file usr/sbin/kprop path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop -file usr/sbin/kpropd \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd -file usr/sbin/kproplog \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog -file usr/sbin/krb5kdc \ - path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc -file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ - path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif -file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ - path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema +file Solaris/krb5kdc.xml path=lib/svc/manifest/network/security/krb5kdc.xml \ + restart_fmri=svc:/system/manifest-import:default dir path=usr/lib/$(MACH64)/krb5/plugins/kdb file path=usr/lib/$(MACH64)/krb5/plugins/kdb/db2.so file path=usr/lib/$(MACH64)/krb5/plugins/kdb/kldap.so link path=usr/lib/$(MACH64)/libkdb_ldap.so target=libkdb_ldap.so.1.0 link path=usr/lib/$(MACH64)/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 file path=usr/lib/$(MACH64)/libkdb_ldap.so.1.0 -link path=usr/lib/krb5/kadmind \ - target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/krb5/kprop \ - target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/krb5/kpropd \ - target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/krb5/krb5kdc \ - target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc \ - mediator=kerberos5 mediator-implementation=MIT dir path=usr/lib/krb5/plugins/kdb file path=usr/lib/krb5/plugins/kdb/db2.so file path=usr/lib/krb5/plugins/kdb/kldap.so -link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 mediator=kerberos5 \ - mediator-implementation=MIT -link 
path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 \ - mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 +link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 file path=usr/lib/libkdb_ldap.so.1.0 -link path=usr/sbin/kadmin.local \ - target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/sbin/kdb5_ldap_util \ - target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/sbin/kdb5_util \ - target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/sbin/kprop target=../lib/krb5/kprop mediator=kerberos5 \ - mediator-implementation=MIT -link path=usr/sbin/kproplog \ - target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/share/lib/ldif/kerberos.ldif \ - target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/share/lib/ldif/kerberos.schema \ - target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema \ - mediator=kerberos5 mediator-implementation=MIT +file usr/sbin/kadmin.local path=usr/sbin/$(MACH64)/kadmin.local +file usr/sbin/kadmind path=usr/sbin/$(MACH64)/kadmind +file usr/sbin/kdb5_ldap_util path=usr/sbin/$(MACH64)/kdb5_ldap_util +file usr/sbin/kdb5_util path=usr/sbin/$(MACH64)/kdb5_util +file usr/sbin/kprop path=usr/sbin/$(MACH64)/kprop +file usr/sbin/kpropd path=usr/sbin/$(MACH64)/kpropd +file usr/sbin/kproplog path=usr/sbin/$(MACH64)/kproplog +file usr/sbin/krb5kdc path=usr/sbin/$(MACH64)/krb5kdc +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ + path=usr/share/lib/ldif/kerberos.ldif +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ + path=usr/share/lib/ldif/kerberos.schema 
file path=usr/share/man/man5/kadm5.acl.5 file path=usr/share/man/man5/kdc.conf.5 file path=usr/share/man/man8/kadmin.local.8
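Review bot: The daemons are now delivered only under `usr/sbin/$(MACH64)/` (for example `file usr/sbin/kadmind path=usr/sbin/$(MACH64)/kadmind`), and the old entry points are removed with no replacement visible in this hunk. Those are the `usr/lib/krb5/kadmind`, `kprop`, `kpropd` and `krb5kdc` links and the `usr/sbin/kadmin.local`, `kdb5_util`, `kdb5_ldap_util`, `kprop` and `kproplog` links. The exec methods in `kadmin.xml`, `krb5kdc.xml` and `krb5_prop.xml`, and any helper path compiled into the daemons, should be checked against the new locations. Otherwise a service may fail to start, or resolve to whatever else is installed at the old path. If the unsuffixed `usr/sbin` names are produced elsewhere, a comment above the `file usr/sbin/...` block should say so, e.g. `# usr/sbin/<name> entry points are provided by <mechanism>`.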
--- a/components/krb5/krb5-message-files.p5m Tue May 10 22:37:01 2016 -0700
+++ b/components/krb5/krb5-message-files.p5m Wed May 11 20:33:52 2016 -0700
@@ -29,7 +29,7 @@
 value="translatable message content for KerberosV5"
 set name=com.oracle.info.tpno value=$(TPNO)
 set name=info.classification value=org.opensolaris.category.2008:System/Security
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 file src/po/mit-krb5.pot path=usr/share/applications/mit-krb5.pot
 license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/krb5.license Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/krb5.license Wed May 11 20:33:52 2016 -0700 @@ -1,4 +1,4 @@ -Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. All rights reserved.
--- a/components/krb5/krb5.p5m Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/krb5.p5m Wed May 11 20:33:52 2016 -0700 @@ -21,7 +21,7 @@ # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # -<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted> +<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed"> set name=pkg.fmri \ value=pkg:/security/kerberos-5@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="Kerberos V5 Support" 
@@ -32,42 +32,24 @@ set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/144 +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) dir path=etc/gss/mech.d group=sys -link path=usr/bin/kdestroy \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/bin/kinit \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/bin/klist \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/bin/kpasswd \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/bin/krb5-config \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/krb5-config \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/bin/k5srvutil +file path=usr/bin/kadmin +file path=usr/bin/kdestroy +file path=usr/bin/kinit +file path=usr/bin/klist +file path=usr/bin/kpasswd +file path=usr/bin/krb5-config file path=usr/bin/kswitch -link path=usr/bin/ktutil \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/bin/kvno \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/include/gssapi/gssapi.h \ - target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/include/gssapi/gssapi_ext.h \ - target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h \ - mediator=kerberos5 mediator-implementation=MIT 
-link path=usr/include/kerberosv5/com_err.h \ - target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/bin/ktutil +file path=usr/bin/kvno +file path=usr/include/kerberosv5/com_err.h dir path=usr/include/kerberosv5/gssapi file path=usr/include/kerberosv5/gssapi.h +file path=usr/include/kerberosv5/gssapi/gssapi.h +file path=usr/include/kerberosv5/gssapi/gssapi_ext.h file path=usr/include/kerberosv5/gssapi/gssapi_generic.h file path=usr/include/kerberosv5/gssapi/gssapi_krb5.h file path=usr/include/kerberosv5/gssapi/mechglue.h @@ -78,9 +60,7 @@ file path=usr/include/kerberosv5/kdb.h file path=usr/include/kerberosv5/krad.h dir path=usr/include/kerberosv5/krb5 -link path=usr/include/kerberosv5/krb5.h \ - target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/include/kerberosv5/krb5.h file path=usr/include/kerberosv5/krb5/ccselect_plugin.h file path=usr/include/kerberosv5/krb5/clpreauth_plugin.h file path=usr/include/kerberosv5/krb5/hostrealm_plugin.h 
@@ -95,49 +75,13 @@ dir path=usr/include/kerberosv5/private dir path=usr/include/kerberosv5/private/krb5 dir path=usr/include/kerberosv5/private/krb5/keytab -link path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ - target=../../../../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ - mediator=kerberos5 mediator-implementation=MIT +file Solaris/private/krb5/keytab/kt_solaris.h \ + path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h file Solaris/private/krb5/prof_solaris.h \ path=usr/include/kerberosv5/private/krb5/prof_solaris.h file path=usr/include/kerberosv5/profile.h file path=usr/include/kerberosv5/verto-module.h file path=usr/include/kerberosv5/verto.h -file usr/bin/k5srvutil \ - path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil -file usr/bin/kadmin path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin -file usr/bin/kdestroy \ - path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy -file usr/bin/kinit path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit -file usr/bin/klist path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist -file usr/bin/kpasswd \ - path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd -file usr/bin/ktutil path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil -file usr/bin/kvno path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno -file usr/bin/krb5-config path=usr/kerberos5/$(COMPONENT_VERSION)/bin/krb5-config -file usr/include/kerberosv5/gssapi/gssapi.h \ - path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h -file usr/include/kerberosv5/gssapi/gssapi_ext.h \ - path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h -file usr/include/kerberosv5/com_err.h \ - path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h -file usr/include/kerberosv5/krb5.h \ - path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h -file Solaris/private/krb5/keytab/kt_solaris.h \ - 
path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h -file usr/lib/$(MACH64)/libgss.so.1 \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 -file usr/lib/$(MACH64)/libkadm5clnt.so.1 \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 -file usr/lib/$(MACH64)/libkrb5.so.1 \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 -file usr/lib/krb5/plugins/preauth/pkinit.so \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so -file usr/lib/libgss.so.1 path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 -file usr/lib/libkadm5clnt.so.1 \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 -file usr/lib/libkrb5.so.1 \ - path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 dir path=usr/lib/$(MACH64)/krb5 dir path=usr/lib/$(MACH64)/krb5/plugins dir path=usr/lib/$(MACH64)/krb5/plugins/authdata 
@@ -150,40 +94,29 @@ link path=usr/lib/$(MACH64)/libcom_err.so target=libcom_err.so.3.0 link path=usr/lib/$(MACH64)/libcom_err.so.3 target=libcom_err.so.3.0 file path=usr/lib/$(MACH64)/libcom_err.so.3.0 -link path=usr/lib/$(MACH64)/libgss.so target=libgssapi_krb5.so.2.2 \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/$(MACH64)/libgss.so.1 \ - target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/$(MACH64)/libgss.so.1 link path=usr/lib/$(MACH64)/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 link path=usr/lib/$(MACH64)/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 file path=usr/lib/$(MACH64)/libgssapi_krb5.so.2.2 link path=usr/lib/$(MACH64)/libk5crypto.so target=libk5crypto.so.3.1 link path=usr/lib/$(MACH64)/libk5crypto.so.3 target=libk5crypto.so.3.1 file path=usr/lib/$(MACH64)/libk5crypto.so.3.1 -link path=usr/lib/$(MACH64)/libkadm5clnt.so target=libkadm5clnt_mit.so \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/$(MACH64)/libkadm5clnt.so.1 \ - target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 -link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 -file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9.0 +file path=usr/lib/$(MACH64)/libkadm5clnt.so.1 +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0 +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10 \ + target=libkadm5clnt_mit.so.10.0 +file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10.0 link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so -link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 -link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 -file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9.0 +link 
path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0 +link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0 +file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10.0 link path=usr/lib/$(MACH64)/libkdb5.so target=libkdb5.so.8.0 link path=usr/lib/$(MACH64)/libkdb5.so.8 target=libkdb5.so.8.0 file path=usr/lib/$(MACH64)/libkdb5.so.8.0 link path=usr/lib/$(MACH64)/libkrad.so target=libkrad.so.0.0 link path=usr/lib/$(MACH64)/libkrad.so.0 target=libkrad.so.0.0 file path=usr/lib/$(MACH64)/libkrad.so.0.0 -link path=usr/lib/$(MACH64)/libkrb5.so target=libkrb5.so.3.3 \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/$(MACH64)/libkrb5.so.1 \ - target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/$(MACH64)/libkrb5.so.1 link path=usr/lib/$(MACH64)/libkrb5.so.3 target=libkrb5.so.3.3 file path=usr/lib/$(MACH64)/libkrb5.so.3.3 link path=usr/lib/$(MACH64)/libkrb5support.so target=libkrb5support.so.0.1 
@@ -212,49 +145,33 @@ dir path=usr/lib/krb5/plugins/libkrb5 dir path=usr/lib/krb5/plugins/preauth file path=usr/lib/krb5/plugins/preauth/otp.so -link path=usr/lib/krb5/plugins/preauth/pkinit.so \ - target=../../../../kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/krb5/plugins/preauth/pkinit.so dir path=usr/lib/krb5/plugins/tls file path=usr/lib/krb5/plugins/tls/k5tls.so link path=usr/lib/libcom_err.so target=libcom_err.so.3.0 link path=usr/lib/libcom_err.so.3 target=libcom_err.so.3.0 file path=usr/lib/libcom_err.so.3.0 -link path=usr/lib/libgss.so target=libgssapi_krb5.so.2.2 mediator=kerberos5 \ - mediator-implementation=MIT -link path=usr/lib/libgss.so.1 \ - target=../kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/libgss.so.1 link path=usr/lib/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 link path=usr/lib/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 file path=usr/lib/libgssapi_krb5.so.2.2 link path=usr/lib/libk5crypto.so target=libk5crypto.so.3.1 link path=usr/lib/libk5crypto.so.3 target=libk5crypto.so.3.1 file path=usr/lib/libk5crypto.so.3.1 -link path=usr/lib/libkadm5clnt.so target=libkadm5clnt_mit.so \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/libkadm5clnt.so.1 \ - target=../kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 -link path=usr/lib/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 -file path=usr/lib/libkadm5clnt_mit.so.9.0 -link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so mediator=kerberos5 \ - mediator-implementation=MIT -link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 -link path=usr/lib/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 -file path=usr/lib/libkadm5srv_mit.so.9.0 +file 
path=usr/lib/libkadm5clnt.so.1 +link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0 +link path=usr/lib/libkadm5clnt_mit.so.10 target=libkadm5clnt_mit.so.10.0 +file path=usr/lib/libkadm5clnt_mit.so.10.0 +link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0 +link path=usr/lib/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0 +file path=usr/lib/libkadm5srv_mit.so.10.0 link path=usr/lib/libkdb5.so target=libkdb5.so.8.0 link path=usr/lib/libkdb5.so.8 target=libkdb5.so.8.0 file path=usr/lib/libkdb5.so.8.0 link path=usr/lib/libkrad.so target=libkrad.so.0.0 link path=usr/lib/libkrad.so.0 target=libkrad.so.0.0 file path=usr/lib/libkrad.so.0.0 -link path=usr/lib/libkrb5.so target=libkrb5.so.3.3 mediator=kerberos5 \ - mediator-implementation=MIT -link path=usr/lib/libkrb5.so.1 \ - target=../kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 \ - mediator=kerberos5 mediator-implementation=MIT +file path=usr/lib/libkrb5.so.1 link path=usr/lib/libkrb5.so.3 target=libkrb5.so.3.3 file path=usr/lib/libkrb5.so.3.3 link path=usr/lib/libkrb5support.so target=libkrb5support.so.0.1 @@ -284,12 +201,6 @@ file path=usr/lib/pkgconfig/krb5.pc file path=usr/lib/pkgconfig/mit-krb5-gssapi.pc file path=usr/lib/pkgconfig/mit-krb5.pc -link path=usr/sbin/k5srvutil \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil \ - mediator=kerberos5 mediator-implementation=MIT -link path=usr/sbin/kadmin \ - target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin \ - mediator=kerberos5 mediator-implementation=MIT dir path=usr/share/et file path=usr/share/et/et_c.awk file path=usr/share/et/et_h.awk 
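Review bot: The 32-bit `link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so` is removed in the `@@ -212,49 +145,33 @@` hunk with no unmediated replacement, whereas the 64-bit `link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so` survives as context in the `@@ -150,40 +94,29 @@` hunk. If the asymmetry is unintended, re-add `link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so` before the `libkadm5srv_mit.so` entries; if it is deliberate, a one-line comment would record why. Both hunks also drop `mediator=kerberos5`, so `libgss.so.1`, `libkrb5.so.1` and `libkadm5clnt.so.1` are now delivered unconditionally as files. It is worth confirming that no other installed package still delivers those paths, since which GSS and Kerberos library a process loads is security-relevant.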
@@ -297,266 +208,119 @@ dir path=usr/share/examples/krb5 file path=usr/share/examples/krb5/services.append file path=usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo -link path=usr/share/man/3lib/libgss.3lib target=./libgss.mit.3lib \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.mit.3lib -link path=usr/share/man/3lib/libkrb5.3lib target=./libkrb5.mit.3lib \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.mit.3lib -link path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ - mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.3lib +file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.3lib \ + mangler.man.stability="pass-through uncommitted" file Solaris/man/ja_JP.UTF-8/kerberos.5 \ - path=usr/share/man/ja_JP.UTF-8/man5/kerberos.mit.5 -link path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \ - target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT + path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 file Solaris/man/ja_JP.UTF-8/krb5envvar.5 \ - path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.mit.5 -link path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 \ - target=./krb5_auth_rules.mit.7 mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \ + mangler.man.stability="pass-through uncommitted" file Solaris/man/ja_JP.UTF-8/krb5_auth_rules.7 \ - path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.mit.7 + path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 file path=usr/share/man/man1/k5srvutil.1 file path=usr/share/man/man1/kadmin.1 -link path=usr/share/man/man1/kdestroy.1 target=./kdestroy.mit.1 \ - mediator=kerberos5 mediator-implementation=MIT -file usr/share/man/man1/kdestroy.1 path=usr/share/man/man1/kdestroy.mit.1 -link path=usr/share/man/man1/kinit.1 target=./kinit.mit.1 mediator=kerberos5 \ 
- mediator-implementation=MIT -file usr/share/man/man1/kinit.1 path=usr/share/man/man1/kinit.mit.1 -link path=usr/share/man/man1/klist.1 target=./klist.mit.1 mediator=kerberos5 \ - mediator-implementation=MIT -file usr/share/man/man1/klist.1 path=usr/share/man/man1/klist.mit.1 -link path=usr/share/man/man1/kpasswd.1 target=./kpasswd.mit.1 \ - mediator=kerberos5 mediator-implementation=MIT -file usr/share/man/man1/kpasswd.1 path=usr/share/man/man1/kpasswd.mit.1 -link path=usr/share/man/man1/krb5-config.1 target=./krb5-config.mit.1 \ - mediator=kerberos5 mediator-implementation=MIT -file usr/share/man/man1/krb5-config.1 path=usr/share/man/man1/krb5-config.mit.1 +file path=usr/share/man/man1/kdestroy.1 +file path=usr/share/man/man1/kinit.1 +file path=usr/share/man/man1/klist.1 +file path=usr/share/man/man1/kpasswd.1 +file path=usr/share/man/man1/krb5-config.1 \ + mangler.man.stability="pass-through uncommitted" file path=usr/share/man/man1/kswitch.1 -link path=usr/share/man/man1/ktutil.1 target=./ktutil.mit.1 mediator=kerberos5 \ - mediator-implementation=MIT -file usr/share/man/man1/ktutil.1 path=usr/share/man/man1/ktutil.mit.1 -link path=usr/share/man/man1/kvno.1 target=./kvno.mit.1 mediator=kerberos5 \ - mediator-implementation=MIT -file usr/share/man/man1/kvno.1 path=usr/share/man/man1/kvno.mit.1 -link path=usr/share/man/man3gss/gss_accept_sec_context.3gss \ - target=./gss_accept_sec_context.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT +file path=usr/share/man/man1/ktutil.1 +file path=usr/share/man/man1/kvno.1 file Solaris/man/gss_accept_sec_context.3gss \ - path=usr/share/man/man3gss/gss_accept_sec_context.mit.3gss -link path=usr/share/man/man3gss/gss_acquire_cred.3gss \ - target=./gss_acquire_cred.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_accept_sec_context.3gss file Solaris/man/gss_acquire_cred.3gss \ - path=usr/share/man/man3gss/gss_acquire_cred.mit.3gss -link 
path=usr/share/man/man3gss/gss_add_cred.3gss \ - target=./gss_add_cred.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT -file Solaris/man/gss_add_cred.3gss \ - path=usr/share/man/man3gss/gss_add_cred.mit.3gss -link path=usr/share/man/man3gss/gss_add_oid_set_member.3gss \ - target=./gss_add_oid_set_member.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_acquire_cred.3gss +file Solaris/man/gss_add_cred.3gss path=usr/share/man/man3gss/gss_add_cred.3gss file Solaris/man/gss_add_oid_set_member.3gss \ - path=usr/share/man/man3gss/gss_add_oid_set_member.mit.3gss -link path=usr/share/man/man3gss/gss_canonicalize_name.3gss \ - target=./gss_canonicalize_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_add_oid_set_member.3gss file Solaris/man/gss_canonicalize_name.3gss \ - path=usr/share/man/man3gss/gss_canonicalize_name.mit.3gss -link path=usr/share/man/man3gss/gss_compare_name.3gss \ - target=./gss_compare_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_canonicalize_name.3gss file Solaris/man/gss_compare_name.3gss \ - path=usr/share/man/man3gss/gss_compare_name.mit.3gss -link path=usr/share/man/man3gss/gss_context_time.3gss \ - target=./gss_context_time.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_compare_name.3gss file Solaris/man/gss_context_time.3gss \ - path=usr/share/man/man3gss/gss_context_time.mit.3gss -link path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss \ - target=./gss_create_empty_oid_set.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_context_time.3gss file Solaris/man/gss_create_empty_oid_set.3gss \ - path=usr/share/man/man3gss/gss_create_empty_oid_set.mit.3gss -link path=usr/share/man/man3gss/gss_delete_sec_context.3gss \ - target=./gss_delete_sec_context.mit.3gss mediator=kerberos5 \ - 
mediator-implementation=MIT + path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss file Solaris/man/gss_delete_sec_context.3gss \ - path=usr/share/man/man3gss/gss_delete_sec_context.mit.3gss -link path=usr/share/man/man3gss/gss_display_name.3gss \ - target=./gss_display_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_delete_sec_context.3gss file Solaris/man/gss_display_name.3gss \ - path=usr/share/man/man3gss/gss_display_name.mit.3gss -link path=usr/share/man/man3gss/gss_display_status.3gss \ - target=./gss_display_status.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_display_name.3gss file Solaris/man/gss_display_status.3gss \ - path=usr/share/man/man3gss/gss_display_status.mit.3gss -link path=usr/share/man/man3gss/gss_duplicate_name.3gss \ - target=./gss_duplicate_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_display_status.3gss file Solaris/man/gss_duplicate_name.3gss \ - path=usr/share/man/man3gss/gss_duplicate_name.mit.3gss -link path=usr/share/man/man3gss/gss_export_name.3gss \ - target=./gss_export_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_duplicate_name.3gss file Solaris/man/gss_export_name.3gss \ - path=usr/share/man/man3gss/gss_export_name.mit.3gss -link path=usr/share/man/man3gss/gss_export_sec_context.3gss \ - target=./gss_export_sec_context.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_export_name.3gss file Solaris/man/gss_export_sec_context.3gss \ - path=usr/share/man/man3gss/gss_export_sec_context.mit.3gss -link path=usr/share/man/man3gss/gss_get_mic.3gss target=./gss_get_mic.mit.3gss \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/gss_get_mic.3gss \ - path=usr/share/man/man3gss/gss_get_mic.mit.3gss -link path=usr/share/man/man3gss/gss_import_name.3gss \ - 
target=./gss_import_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_export_sec_context.3gss +file Solaris/man/gss_get_mic.3gss path=usr/share/man/man3gss/gss_get_mic.3gss file Solaris/man/gss_import_name.3gss \ - path=usr/share/man/man3gss/gss_import_name.mit.3gss -link path=usr/share/man/man3gss/gss_import_sec_context.3gss \ - target=./gss_import_sec_context.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_import_name.3gss file Solaris/man/gss_import_sec_context.3gss \ - path=usr/share/man/man3gss/gss_import_sec_context.mit.3gss -link path=usr/share/man/man3gss/gss_indicate_mechs.3gss \ - target=./gss_indicate_mechs.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_import_sec_context.3gss file Solaris/man/gss_indicate_mechs.3gss \ - path=usr/share/man/man3gss/gss_indicate_mechs.mit.3gss -link path=usr/share/man/man3gss/gss_init_sec_context.3gss \ - target=./gss_init_sec_context.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_indicate_mechs.3gss file Solaris/man/gss_init_sec_context.3gss \ - path=usr/share/man/man3gss/gss_init_sec_context.mit.3gss -link path=usr/share/man/man3gss/gss_inquire_context.3gss \ - target=./gss_inquire_context.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_init_sec_context.3gss file Solaris/man/gss_inquire_context.3gss \ - path=usr/share/man/man3gss/gss_inquire_context.mit.3gss -link path=usr/share/man/man3gss/gss_inquire_cred.3gss \ - target=./gss_inquire_cred.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_inquire_context.3gss file Solaris/man/gss_inquire_cred.3gss \ - path=usr/share/man/man3gss/gss_inquire_cred.mit.3gss -link path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss \ - target=./gss_inquire_cred_by_mech.mit.3gss mediator=kerberos5 \ - 
mediator-implementation=MIT + path=usr/share/man/man3gss/gss_inquire_cred.3gss file Solaris/man/gss_inquire_cred_by_mech.3gss \ - path=usr/share/man/man3gss/gss_inquire_cred_by_mech.mit.3gss -link path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss \ - target=./gss_inquire_mechs_for_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss file Solaris/man/gss_inquire_mechs_for_name.3gss \ - path=usr/share/man/man3gss/gss_inquire_mechs_for_name.mit.3gss -link path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss \ - target=./gss_inquire_names_for_mech.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss file Solaris/man/gss_inquire_names_for_mech.3gss \ - path=usr/share/man/man3gss/gss_inquire_names_for_mech.mit.3gss -link path=usr/share/man/man3gss/gss_oid_to_str.3gss \ - target=./gss_oid_to_str.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss file Solaris/man/gss_oid_to_str.3gss \ - path=usr/share/man/man3gss/gss_oid_to_str.mit.3gss -link path=usr/share/man/man3gss/gss_process_context_token.3gss \ - target=./gss_process_context_token.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_oid_to_str.3gss file Solaris/man/gss_process_context_token.3gss \ - path=usr/share/man/man3gss/gss_process_context_token.mit.3gss -link path=usr/share/man/man3gss/gss_release_buffer.3gss \ - target=./gss_release_buffer.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_process_context_token.3gss file Solaris/man/gss_release_buffer.3gss \ - path=usr/share/man/man3gss/gss_release_buffer.mit.3gss -link path=usr/share/man/man3gss/gss_release_cred.3gss \ - target=./gss_release_cred.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_release_buffer.3gss 
file Solaris/man/gss_release_cred.3gss \ - path=usr/share/man/man3gss/gss_release_cred.mit.3gss -link path=usr/share/man/man3gss/gss_release_name.3gss \ - target=./gss_release_name.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_release_cred.3gss file Solaris/man/gss_release_name.3gss \ - path=usr/share/man/man3gss/gss_release_name.mit.3gss -link path=usr/share/man/man3gss/gss_release_oid.3gss \ - target=./gss_release_oid.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_release_name.3gss file Solaris/man/gss_release_oid.3gss \ - path=usr/share/man/man3gss/gss_release_oid.mit.3gss -link path=usr/share/man/man3gss/gss_release_oid_set.3gss \ - target=./gss_release_oid_set.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_release_oid.3gss file Solaris/man/gss_release_oid_set.3gss \ - path=usr/share/man/man3gss/gss_release_oid_set.mit.3gss -link path=usr/share/man/man3gss/gss_store_cred.3gss \ - target=./gss_store_cred.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_release_oid_set.3gss file Solaris/man/gss_store_cred.3gss \ - path=usr/share/man/man3gss/gss_store_cred.mit.3gss -link path=usr/share/man/man3gss/gss_str_to_oid.3gss \ - target=./gss_str_to_oid.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_store_cred.3gss file Solaris/man/gss_str_to_oid.3gss \ - path=usr/share/man/man3gss/gss_str_to_oid.mit.3gss -link path=usr/share/man/man3gss/gss_test_oid_set_member.3gss \ - target=./gss_test_oid_set_member.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_str_to_oid.3gss file Solaris/man/gss_test_oid_set_member.3gss \ - path=usr/share/man/man3gss/gss_test_oid_set_member.mit.3gss -link path=usr/share/man/man3gss/gss_unwrap.3gss target=./gss_unwrap.mit.3gss \ - mediator=kerberos5 mediator-implementation=MIT 
-file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.mit.3gss -link path=usr/share/man/man3gss/gss_verify_mic.3gss \ - target=./gss_verify_mic.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_test_oid_set_member.3gss +file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.3gss file Solaris/man/gss_verify_mic.3gss \ - path=usr/share/man/man3gss/gss_verify_mic.mit.3gss -link path=usr/share/man/man3gss/gss_wrap.3gss target=./gss_wrap.mit.3gss \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.mit.3gss -link path=usr/share/man/man3gss/gss_wrap_size_limit.3gss \ - target=./gss_wrap_size_limit.mit.3gss mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/man3gss/gss_verify_mic.3gss +file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.3gss file Solaris/man/gss_wrap_size_limit.3gss \ - path=usr/share/man/man3gss/gss_wrap_size_limit.mit.3gss -file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.mit.3lib -file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.mit.3lib + path=usr/share/man/man3gss/gss_wrap_size_limit.3gss +file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.3lib +file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.3lib \ + mangler.man.stability="pass-through uncommitted" file path=usr/share/man/man5/.k5identity.5 file path=usr/share/man/man5/.k5login.5 -link path=usr/share/man/man5/gss_auth_rules.5 target=./gss_auth_rules.mit.5 \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.mit.5 +file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.5 file path=usr/share/man/man5/k5identity.5 file path=usr/share/man/man5/k5login.5 -link path=usr/share/man/man5/kerberos.5 target=./kerberos.mit.5 \ - mediator=kerberos5 mediator-implementation=MIT -file 
Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.mit.5 +file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.5 file path=usr/share/man/man5/krb5.conf.5 -link path=usr/share/man/man5/krb5envvar.5 target=./krb5envvar.mit.5 \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.mit.5 -link path=usr/share/man/man7/krb5_auth_rules.7 target=./krb5_auth_rules.mit.7 \ - mediator=kerberos5 mediator-implementation=MIT -file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.mit.7 -link path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ - mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.5 \ + mangler.man.stability="pass-through uncommitted" +file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.7 file Solaris/man/zh_CN.UTF-8/kerberos.5 \ - path=usr/share/man/zh_CN.UTF-8/man5/kerberos.mit.5 -link path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \ - target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT + path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 file Solaris/man/zh_CN.UTF-8/krb5envvar.5 \ - path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.mit.5 -link path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 \ - target=./krb5_auth_rules.mit.7 mediator=kerberos5 \ - mediator-implementation=MIT + path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \ + mangler.man.stability="pass-through uncommitted" file Solaris/man/zh_CN.UTF-8/krb5_auth_rules.7 \ - path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.mit.7 + path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 dir path=var/krb5/rcache group=sys mode=1777 dir path=var/krb5/rcache/root group=sys mode=0700 revert-tag=clone-archive=* license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/patches/024-smb-compat.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/024-smb-compat.patch Wed May 11 20:33:52 2016 -0700 @@ -4,7 +4,6 @@ # stress testing. The CRs in order: # # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... -# 15648322 SUNBT6959251 coredump in gss_release_name+0x36 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID # 16005842 Should retry SMB authentication upgrade to account for network... # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. @@ -68,13 +67,15 @@ code -= ERROR_TABLE_BASE_krb5; if (code < 0 || code > KRB_ERR_MAX) code = 60 /* KRB_ERR_GENERIC */; -diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c ---- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c -+++ krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c -@@ -190,6 +190,13 @@ + +diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c +--- new/src/lib/gssapi/spnego/spnego_mech.c 2016-02-29 11:50:13.000000000 -0800 ++++ patched/src/lib/gssapi/spnego/spnego_mech.c 2016-03-18 21:55:31.131280297 -0700 +@@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid }; const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; + static int make_NegHints(OM_uint32 *, gss_buffer_t *); +/* encoded OID octet string for NTLMSSP security mechanism */ +#define GSS_MECH_NTLMSSP_OID_LENGTH 10 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" 
@@ -82,19 +83,10 @@ + GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID +}; + - static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *); static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); static OM_uint32 -@@ -1237,7 +1244,7 @@ - &hintNameBuf, - &hintNameType); - if (major_status != GSS_S_COMPLETE) { -- gss_release_name(&minor, &hintName); -+ gss_release_name(&minor, &hintKerberosName); - return (major_status); - } - gss_release_name(&minor, &hintKerberosName); -@@ -1380,6 +1387,7 @@ + acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t, +@@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status, gss_buffer_desc der_mechTypes; gss_OID mech_wanted; spnego_gss_ctx_id_t sc = NULL; @@ -102,7 +94,7 @@ ret = GSS_S_DEFECTIVE_TOKEN; der_mechTypes.length = 0; -@@ -1403,6 +1411,24 @@ +@@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status, goto cleanup; } /* @@ -127,15 +119,15 @@ * Select the best match between the list of mechs * that the initiator requested and the list that * the acceptor will support. -@@ -3136,6 +3162,7 @@ - int found = 0; - OM_uint32 major_status = GSS_S_COMPLETE, tmpmin; +@@ -3072,6 +3163,7 @@ static OM_uint32 gss_OID_set mechs, goodmechs; + gss_OID_set_desc except_attrs; + gss_OID_desc attr_oids[2]; + char *msinterop = getenv("MS_INTEROP"); - major_status = gss_indicate_mechs(minor_status, &mechs); - -@@ -3150,6 +3177,15 @@ + attr_oids[0] = *GSS_C_MA_DEPRECATED; + attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH; +@@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta return (major_status); } @@ -151,7 +143,7 @@ for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) { if ((mechs->elements[i].length != spnego_mechanism.mech_type.length) || -@@ -3165,6 +3201,25 @@ +@@ -3123,6 +3201,25 @@ get_available_mechs(OM_uint32 *minor_sta } } 
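Review bot: The hunk at `@@ -82,19 +83,10 @@` drops the local fix that released `hintKerberosName` instead of `hintName` on the error path, and `@@ -4,7 +4,6 @@` removes CR 15648322 from the header list, but the patch does not record why the fix is no longer needed. The `make_NegHints` prototype change visible in this hunk suggests the affected code path is gone in the new upstream source, though the function body is outside the hunk and this should be confirmed against the 1.14.2 tree. I would leave a one-line note in the patch header, for example `# 15648322 dropped in the 1.14.2 rebase: affected error path no longer present upstream (confirm)`, so the next rebase does not have to rediscover it.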
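Review bot: The rebased line `char *msinterop = getenv("MS_INTEROP");` in `@@ -127,15 +119,15 @@` reads an environment variable inside library code without checking the privilege of the calling process. The code that uses `msinterop` is only partly visible, but the inner hunk headers place it in `get_available_mechs`, so it presumably influences which mechanisms are offered or accepted. A GSS library can be loaded into set-id programs, where the invoking user controls the environment, so I would ignore the variable in that case, e.g. `char *msinterop = issetugid() ? NULL : getenv("MS_INTEROP");`, and document the variable in the patch header. The enclosing function starts and ends outside the hunk.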
@@ -177,7 +169,7 @@ /* * If the caller wanted a list of creds returned, * trim the list of mechanisms down to only those -@@ -3740,9 +3795,17 @@ +@@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs for (i = 0; i < received->count; i++) { gss_OID mech_oid = &received->elements[i];
--- a/components/krb5/patches/028-rpc-gss.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/028-rpc-gss.patch Wed May 11 20:33:52 2016 -0700 @@ -1897,9 +1897,9 @@ RELDIR=kadm5/clnt ##DOSBUILDTOP = ..\..\.. -diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c ---- old/src/lib/kadm5/clnt/client_init.c -+++ new/src/lib/kadm5/clnt/client_init.c +diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c +--- no-028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:39:09.439503108 -0600 ++++ 028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:40:49.154436988 -0600 @@ -44,12 +44,12 @@ #include <iprop_hdr.h> #include "iprop.h" @@ -1915,7 +1915,7 @@ enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; -@@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex +@@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex server_handle); } @@ -2096,6 +2096,7 @@ + enum clnt_stat rpc_err_code; + char *server; + int port; ++ struct timeval timeout; + + /* service name is service/host */ + server = strpbrk(service_name, "/"); @@ -2157,6 +2158,11 @@ + if (iprop_svc) + free(iprop_svc); + ++ /* Set a one-hour timeout. */ ++ timeout.tv_sec = 3600; ++ timeout.tv_usec = 0; ++ (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); ++ + handle->lhandle->clnt = handle->clnt; + + /* now that handle->clnt is set, we can check the handle */ @@ -2296,7 +2302,14 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli +@@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli + rpcvers_t rpc_vers; + krb5_ccache ccache; + krb5_principal client = NULL, server = NULL; +- struct timeval timeout; + + kadm5_server_handle_t handle; + kadm5_config_params params_local; int code = 0; generic_ret *r; 
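Review bot: The timeout block relocated in `@@ -2157,6 +2158,11 @@` calls `clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout)` and casts the result to void, so a failure to set the timeout goes unnoticed and the client keeps whatever default it had. The hunk does not show whether `handle->clnt` has been checked for NULL before this point, so please confirm that the client-creation failure path returns before the call is reached. The comment `/* Set a one-hour timeout. */` could also say why an hour is required, since the setting now lives in the helper rather than in `init_any`, where `@@ -2353,6 +2366,12 @@` removes it. The helper's body starts and ends outside the hunk.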
@@ -2304,7 +2317,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli +@@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli if (code) goto error; @@ -2353,6 +2366,12 @@ + strncpy(svcname, svcname_in, sizeof(svcname)); + svcname[sizeof(svcname)-1] = '\0'; } + +- /* Set a one-hour timeout. */ +- timeout.tv_sec = 3600; +- timeout.tv_usec = 0; +- (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); +- - handle->client_socket = fd; - handle->lhandle->clnt = handle->clnt; - handle->lhandle->client_socket = fd; @@ -2360,7 +2379,7 @@ - /* now that handle->clnt is set, we can check the handle */ - if ((code = _kadm5_check_handle((void *) handle))) - goto error; - +- - /* - * The RPC connection is open; establish the GSS-API - * authentication context. @@ -2419,7 +2438,7 @@ goto error; } -@@ -357,31 +656,17 @@ cleanup: +@@ -364,31 +662,17 @@ cleanup: return code; } @@ -2453,7 +2472,7 @@ /* * Acquire a service ticket for svcname@realm for client, using password * pass (which could be NULL), and create a ccache to store them in. If -@@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han +@@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, server_out); @@ -2466,7 +2485,7 @@ /* Improved error messages */ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) -@@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k +@@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k gss_cred_id_t gss_client_creds, gss_name_t gss_target) { OM_uint32 gssstat, minor_stat; 
@@ -2493,7 +2512,7 @@ struct rpc_gss_sec sec; /* Allow unauthenticated option for testing. */ -@@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k +@@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0, NULL, NULL, NULL); @@ -2501,7 +2520,6 @@ } kadm5_ret_t -diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c --- old/src/lib/kadm5/clnt/client_principal.c +++ new/src/lib/kadm5/clnt/client_principal.c @@ -5,7 +5,7 @@ @@ -2937,10 +2955,10 @@ (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, (caddr_t)&clnt_res, full_resync_timeout); if (status == RPC_PROCUNAVAIL) { -diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in ---- old/src/tests/misc/Makefile.in -+++ new/src/tests/misc/Makefile.in -@@ -12,18 +12,16 @@ SRCS=\ +diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in +--- new/src/tests/misc/Makefile.in 2016-02-29 11:50:13.000000000 -0800 ++++ patched.1/src/tests/misc/Makefile.in 2016-03-19 08:15:59.222125882 -0700 +@@ -12,19 +12,17 @@ SRCS=\ $(srcdir)/test_cxx_krb5.cpp \ $(srcdir)/test_cxx_k5int.cpp \ $(srcdir)/test_cxx_gss.cpp \ 
@@ -2951,15 +2969,16 @@ -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 - $(RUN_SETUP) $(VALGRIND) ./test_getpw - $(RUN_SETUP) $(VALGRIND) ./test_chpw_message - $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 - $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int - $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss -- $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc - $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 + $(RUN_TEST) ./test_getpw + $(RUN_TEST) ./test_chpw_message + $(RUN_TEST) ./test_cxx_krb5 + $(RUN_TEST) ./test_cxx_k5int + $(RUN_TEST) ./test_cxx_gss +- $(RUN_TEST) ./test_cxx_rpc + $(RUN_TEST) ./test_cxx_kadm5 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) + $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB) @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) @@ -2981,9 +3000,9 @@ + $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py ---- old/src/tests/t_iprop.py -+++ new/src/tests/t_iprop.py -@@ -1,50 +1,35 @@ +--- old/src/tests/t_iprop.py 2016-02-29 11:50:13.000000000 -0800 ++++ new/src/tests/t_iprop.py 2016-04-08 11:08:10.225701596 -0700 +@@ -1,44 +1,35 @@ #!/usr/bin/python import os @@ -2997,7 +3016,7 @@ -def wait_for_prop(kpropd, full_expected, expected_old, expected_new): +def wait_for_prop(kpropd, full_expected): output('*** Waiting for sync from kpropd\n') -- full_seen = sleep_seen = prodded_after_dump = False +- full_seen = sleep_seen = False - old_sno = new_sno = -1 + full_seen = False while True: 
@@ -3033,19 +3052,14 @@ - sleep_seen = True if 'load process for full propagation completed' in line: full_seen = True -- if sleep_seen and full_seen and not prodded_after_dump: -- # Prod the kpropd parent into getting incrementals after -- # it finishes a DB load. This will be unnecessary if -- # kpropd is simplified to use a single process. + # kpropd's child process has finished a DB load; make the parent + # do another iprop request. This will be unnecessary if kpropd + # is simplified to use a single process. - kpropd.send_signal(signal.SIGUSR1) -- prodded_after_dump = True ++ kpropd.send_signal(signal.SIGUSR1) # Detect some failure conditions. if 'Still waiting for full resync' in line: -@@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected, +@@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected, if 'invalid return' in line: fail('kadmind returned invalid result') @@ -3095,7 +3109,13 @@ - m = re.match(r'\tUpdate principal : (.*)$', line) - if m: - eprinc = entries[ser - first] -- if m.group(1) != eprinc: +- if eprinc == None: +- fail('Expected dummy update entry %d' % ser) +- elif m.group(1) != eprinc: +- fail('Expected princ %s in update entry %d' % (eprinc, ser)) +- if line == '\tDummy entry': +- eprinc = entries[ser - first] +- if eprinc != None: - fail('Expected princ %s in update entry %d' % (eprinc, ser)) - -# slave1 will receive updates from master, and slave2 will receive @@ -3158,11 +3178,8 @@ ulog = os.path.join(realm.testdir, 'db.ulog') if not os.path.exists(ulog): -@@ -153,209 +74,117 @@ if not os.path.exists(ulog): - - # Create the principal used to authenticate kpropd to kadmind. +@@ -155,234 +76,114 @@ if not os.path.exists(ulog): kiprop_princ = 'kiprop/' + hostname -+realm.addprinc(kiprop_princ) realm.extract_keytab(kiprop_princ, realm.keytab) -# Create the initial slave1 and slave2 databases. 
@@ -3177,7 +3194,7 @@ -# Reinitialize the master ulog so we know exactly what to expect in -# it. -realm.run([kproplog, '-R']) --check_ulog(0, 0, 0, []) +-check_ulog(1, 1, 1, [None]) +# Make some changes to the master db. +realm.addprinc('wakawaka') +# Add a principal enough to make realloc likely, but not enough to grow @@ -3187,24 +3204,24 @@ +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c +realm.addprinc(longname) +realm.addprinc('w') -+realm.run_kadminl('modprinc -allow_tix w') -+realm.run_kadminl('modprinc +allow_tix w') ++realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) ++realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) -# Make some changes to the master DB. -realm.addprinc(pr1) -realm.addprinc(pr3) -realm.addprinc(pr2) --realm.run_kadminl('modprinc -allow_tix ' + pr2) --realm.run_kadminl('modprinc +allow_tix ' + pr2) --check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2]) +-realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) +-realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) +-check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2]) - -# Start kpropd for slave1 and get a full dump from master. -kpropd1 = realm.start_kpropd(slave1, ['-d']) --wait_for_prop(kpropd1, True, 0, 5) --out = realm.run_kadminl('listprincs', slave1) +-wait_for_prop(kpropd1, True, 1, 6) +-out = realm.run([kadminl, 'listprincs'], env=slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave1 does not have all principals from master') --check_ulog(0, 0, 5, [], slave1) +-check_ulog(1, 6, 6, [None], slave1) +check_serial(realm, '7') + +# Set up the kpropd acl file. 
@@ -3216,23 +3233,23 @@ +# Start kpropd and get a full dump from master. +kpropd = realm.start_kpropd(slave, ['-d']) +wait_for_prop(kpropd, True) -+out = realm.run_kadminl('listprincs', slave) ++out = realm.run([kadminl, 'listprincs'], env=slave) +if longname not in out or 'wakawaka' not in out or 'w@' not in out: + fail('Slave does not have all principals from master') # Make a change and check that it propagates incrementally. --realm.run_kadminl('modprinc -allow_tix ' + pr2) --check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2]) +-realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) +-check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 5, 6) --check_ulog(1, 6, 6, [pr2], slave1) --out = realm.run_kadminl('getprinc ' + pr2, slave1) -+realm.run_kadminl('modprinc -allow_tix w') +-wait_for_prop(kpropd1, False, 6, 7) +-check_ulog(2, 6, 7, [None, pr2], slave1) +-out = realm.run([kadminl, 'getprinc', pr2], env=slave1) ++realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) +check_serial(realm, '8') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '8', slave) -+out = realm.run_kadminl('getprinc w', slave) ++out = realm.run([kadminl, 'getprinc', 'w'], env=slave) if 'Attributes: DISALLOW_ALL_TIX' not in out: - fail('slave1 does not have modification from master') + fail('Slave does not have modification from master') 
@@ -3254,26 +3271,26 @@ -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, - '-f', slave2_in_dump_path, '-p', kdb5_util, - '-a', acl_file, '-A', hostname], 'ready', slave2) --wait_for_prop(kpropd2, True, 0, 6) --check_ulog(0, 0, 6, [], slave2) --out = realm.run_kadminl('listprincs', slave1) +-wait_for_prop(kpropd2, True, 1, 7) +-check_ulog(1, 7, 7, [None], slave2) +-out = realm.run([kadminl, 'listprincs'], env=slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave2 does not have all principals from slave1') - -# Make another change and check that it propagates incrementally to -# both slaves. --realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1) --check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1]) +-realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1]) +-check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 6, 7) --check_ulog(2, 6, 7, [pr2, pr1], slave1) --out = realm.run_kadminl('getprinc ' + pr1, slave1) +-wait_for_prop(kpropd1, False, 7, 8) +-check_ulog(3, 6, 8, [None, pr2, pr1], slave1) +-out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 6, 7) --check_ulog(1, 7, 7, [pr1], slave2) --out = realm.run_kadminl('getprinc ' + pr1, slave2) +-wait_for_prop(kpropd2, False, 7, 8) +-check_ulog(2, 7, 8, [None, pr1], slave2) +-out = realm.run([kadminl, 'getprinc', pr1], env=slave2) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave2 does not have modification from slave1') - 
@@ -3282,34 +3299,34 @@ -# slave2 should still be in sync with slave1 after the resync, so make -# sure it doesn't take a full resync. -realm.run([kproplog, '-R'], slave1) --check_ulog(0, 0, 0, [], slave1) +-check_ulog(1, 1, 1, [None], slave1) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 0, 7) --check_ulog(2, 6, 7, [pr2, pr1], slave1) +-wait_for_prop(kpropd1, True, 1, 8) +-check_ulog(3, 6, 8, [None, pr2, pr1], slave1) -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 7, 7) --check_ulog(1, 7, 7, [pr1], slave2) +-wait_for_prop(kpropd2, False, 8, 8) +-check_ulog(2, 7, 8, [None, pr1], slave2) - -# Make another change and check that it propagates incrementally to -# both slaves. +# Make another change and check that it propagates incrementally. - realm.run_kadminl('modprinc +allow_tix w') --check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) + realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) +-check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 7, 8) --check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1) --out = realm.run_kadminl('getprinc ' + pr2, slave1) +-wait_for_prop(kpropd1, False, 8, 9) +-check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1) +-out = realm.run([kadminl, 'getprinc', pr2], env=slave1) +check_serial(realm, '9') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '9', slave) -+out = realm.run_kadminl('getprinc w', slave) ++out = realm.run([kadminl, 'getprinc', 'w'], env=slave) if 'Attributes:\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 7, 8) --check_ulog(2, 7, 8, [pr1, pr2], slave2) --out = realm.run_kadminl('getprinc ' + pr2, slave2) +-wait_for_prop(kpropd2, False, 8, 9) +-check_ulog(3, 7, 9, [None, pr1, pr2], slave2) +-out = realm.run([kadminl, 'getprinc', pr2], env=slave2) + fail('Slave does 
not have modification from master') + +# Reset the ulog on the slave side to force a full resync to the slave. 
@@ -3320,116 +3337,111 @@ +check_serial(realm, '9', slave) + +# Make another change and check that it propagates incrementally. -+realm.run_kadminl('modprinc +allow_tix w') ++realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) +check_serial(realm, '10') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '10', slave) -+out = realm.run_kadminl('getprinc w', slave) ++out = realm.run([kadminl, 'getprinc', 'w'], env=slave) if 'Attributes:\n' not in out: - fail('slave2 does not have modification from slave1') + fail('Slave has different state from master') # Create a policy and check that it propagates via full resync. - realm.run_kadminl('addpol -minclasses 2 testpol') --check_ulog(0, 0, 0, []) + realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) +-check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 8, 0) --check_ulog(0, 0, 0, [], slave1) --out = realm.run_kadminl('getpol testpol', slave1) +-wait_for_prop(kpropd1, True, 9, 1) +-check_ulog(1, 1, 1, [None], slave1) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run_kadminl('getpol testpol', slave) ++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) if 'Minimum number of password character classes: 2' not in out: - fail('slave1 does not have policy from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 8, 0) --check_ulog(0, 0, 0, [], slave2) --out = realm.run_kadminl('getpol testpol', slave2) +-wait_for_prop(kpropd2, True, 9, 1) +-check_ulog(1, 1, 1, [None], slave2) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) -if 'Minimum number of password character classes: 2' not in out: - fail('slave2 does not have policy from slave1') + fail('Slave does not have policy from master') # Modify the policy and test that it also propagates 
via full resync. - realm.run_kadminl('modpol -minlength 17 testpol') --check_ulog(0, 0, 0, []) + realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) +-check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 0, 0) --check_ulog(0, 0, 0, [], slave1) --out = realm.run_kadminl('getpol testpol', slave1) +-wait_for_prop(kpropd1, True, 1, 1) +-check_ulog(1, 1, 1, [None], slave1) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) -if 'Minimum password length: 17' not in out: - fail('slave1 does not have policy change from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 0, 0) --check_ulog(0, 0, 0, [], slave2) --out = realm.run_kadminl('getpol testpol', slave2) +-wait_for_prop(kpropd2, True, 1, 1) +-check_ulog(1, 1, 1, [None], slave2) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run_kadminl('getpol testpol', slave) ++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) if 'Minimum password length: 17' not in out: - fail('slave2 does not have policy change from slave1') + fail('Slave does not have policy change from master') # Delete the policy and test that it propagates via full resync. 
- realm.run_kadminl('delpol -force testpol') --check_ulog(0, 0, 0, []) +-realm.run([kadminl, 'delpol', 'testpol']) +-check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 0, 0) --check_ulog(0, 0, 0, [], slave1) --out = realm.run_kadminl('getpol testpol', slave1) +-wait_for_prop(kpropd1, True, 1, 1) +-check_ulog(1, 1, 1, [None], slave1) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1) ++realm.run([kadminl, 'delpol', '-force', 'testpol']) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run_kadminl('getpol testpol', slave) ++out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1) if 'Policy does not exist' not in out: - fail('slave1 did not get policy deletion from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 0, 0) --check_ulog(0, 0, 0, [], slave2) --out = realm.run_kadminl('getpol testpol', slave2) +-wait_for_prop(kpropd2, True, 1, 1) +-check_ulog(1, 1, 1, [None], slave2) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1) -if 'Policy does not exist' not in out: - fail('slave2 did not get policy deletion from slave1') - --# Modify a principal on the master and test that it propagates via --# full resync. (The master's ulog does not remember the timestamp it --# had at serial number 0, so it does not know that an incremental --# propagation is possible.) --realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1) --check_ulog(1, 1, 1, [pr1]) +-# Modify a principal on the master and test that it propagates incrementally. 
+-realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1]) +-check_ulog(2, 1, 2, [None, pr1]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 0, 1) --check_ulog(0, 0, 1, [], slave1) --out = realm.run_kadminl('getprinc ' + pr1, slave1) +-wait_for_prop(kpropd1, False, 1, 2) +-check_ulog(2, 1, 2, [None, pr1], slave1) +-out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 0, 1) --check_ulog(0, 0, 1, [], slave2) --out = realm.run_kadminl('getprinc ' + pr1, slave2) +-wait_for_prop(kpropd2, False, 1, 2) +-check_ulog(2, 1, 2, [None, pr1], slave2) +-out = realm.run([kadminl, 'getprinc', pr1], env=slave2) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave2 does not have modification from slave1') - --# Delete a principal and test that it propagates incrementally to --# slave1. slave2 needs another full resync because slave1 no longer --# has serial number 1 in its ulog after processing its first --# incremental update. --realm.run_kadminl('delprinc -force ' + pr3) --check_ulog(2, 1, 2, [pr1, pr3]) +-# Delete a principal and test that it propagates incrementally. 
+-realm.run([kadminl, 'delprinc', pr3]) +-check_ulog(3, 1, 3, [None, pr1, pr3]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 1, 2) --check_ulog(1, 2, 2, [pr3], slave1) --out = realm.run_kadminl('getprinc ' + pr3, slave1) +-wait_for_prop(kpropd1, False, 2, 3) +-check_ulog(3, 1, 3, [None, pr1, pr3], slave1) +-out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave1 does not have principal deletion from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 1, 2) --check_ulog(0, 0, 2, [], slave2) --out = realm.run_kadminl('getprinc ' + pr3, slave2) +-wait_for_prop(kpropd2, False, 2, 3) +-check_ulog(3, 1, 3, [None, pr1, pr3], slave2) +-out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave2 does not have principal deletion from slave1') + fail('Slave did not get policy deletion from master') 
@@ -3439,13 +3451,46 @@ +# XXX Note that we only have one slave in this test, so we can't really +# test this. realm.run([kproplog, '-R']) --check_ulog(0, 0, 0, []) +-check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 2, 0) --check_ulog(0, 0, 0, [], slave1) +-wait_for_prop(kpropd1, True, 3, 1) +-check_ulog(1, 1, 1, [None], slave1) -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 2, 0) --check_ulog(0, 0, 0, [], slave2) +-wait_for_prop(kpropd2, True, 3, 1) +-check_ulog(1, 1, 1, [None], slave2) +- +-# Stop the kprop daemons so we can test kpropd -t. +-stop_daemon(kpropd1) +-stop_daemon(kpropd2) +- +-# Test the case where no updates are needed. +-out = realm.run_kpropd_once(slave1, ['-d']) +-if 'KDC is synchronized' not in out: +- fail('Expected synchronized from kpropd -t') +-check_ulog(1, 1, 1, [None], slave1) +- +-# Make a change on the master and fetch it incrementally. +-realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1]) +-check_ulog(2, 1, 2, [None, pr1]) +-out = realm.run_kpropd_once(slave1, ['-d']) +-if 'Got incremental updates (sno=2 ' not in out: +- fail('Expected full dump and synchronized from kpropd -t') +-check_ulog(2, 1, 2, [None, pr1], slave1) +-out = realm.run([kadminl, 'getprinc', pr1], env=slave1) +-if 'Maximum ticket life: 0 days 00:05:00' not in out: +- fail('slave1 does not have modification from master after kpropd -t') +- +-# Propagate a policy change via full resync. 
+-realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol']) +-check_ulog(1, 1, 1, [None]) +-out = realm.run_kpropd_once(slave1, ['-d']) +-if ('Full propagation transfer finished' not in out or +- 'KDC is synchronized' not in out): +- fail('Expected full dump and synchronized from kpropd -t') +-check_ulog(1, 1, 1, [None], slave1) +-out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) +-if 'Minimum number of password character classes: 3' not in out: +- fail('slave1 does not have policy from master after kpropd -t') +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) @@ -3489,3 +3534,15 @@ '-c', self.kadmin_ccache] + flags) def run_kadmin(self, query, **keywords): +/usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py +--- old/src/tests/t_ccache.py 2016-04-08 09:50:18.104351949 -0700 ++++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700 +@@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password(' + realm.run([klist, '-s']) + realm.kinit(realm.user_princ, password('user'), ['-l', '-1s']) + realm.run([klist, '-s'], expected_code=1) +-realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin']) ++realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw']) + realm.run([klist, '-s']) + realm.run([kdestroy]) + realm.run([klist, '-s'], expected_code=1)
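Review bot: The t_ccache.py section appended at the end of this patch changes the `kinit -S` target from `kadmin/admin` to `kadmin/changepw` without any comment explaining why. Whoever rebases this patch next cannot tell whether the change is still needed or whether it hides a real difference in which service principals the test realm provides. A one-line header above that section would settle it, for example `# Solaris: <reason kadmin/admin cannot be used as the -S target in this build>`. Presumably this follows from how the Solaris realm sets up the kadmin principals, but nothing visible in this patch confirms that.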
--- a/components/krb5/patches/029-kadmin_disable_anonymity.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch Wed May 11 20:33:52 2016 -0700 @@ -24,8 +24,8 @@ } while ((optchar = getopt(argc, argv, -- "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { -+ "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { +- "+x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { ++ "+x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { switch (optchar) { case 'x': db_args_size++; 
@@ -64,35 +64,31 @@ Use \fIcredentials_cache\fP as the credentials cache. The cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py ---- old/src/tests/t_pkinit.py 2015-02-11 19:16:43.000000000 -0800 -+++ new/src/tests/t_pkinit.py 2015-03-05 09:09:09.690228292 -0800 -@@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/ANONYMOUS@WELLKNO - realm.run([kvno, realm.host_princ]) +--- new/src/tests/t_pkinit.py 2016-02-29 11:50:13.000000000 -0800 ++++ patched.1/src/tests/t_pkinit.py 2016-03-19 08:15:59.287791038 -0700 +@@ -73,15 +73,16 @@ if '97:' in out: + fail('auth indicators seen in anonymous PKINIT ticket') # Test anonymous kadmin. -f = open(os.path.join(realm.testdir, 'acl'), 'a') -f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') -f.close() -realm.start_kadmind() --out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) --if 'created.' not in out: -- fail('Could not create principal with anonymous kadmin') --out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) +-realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd']) +-out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1) -if "Operation requires ``get'' privilege" not in out: - fail('Anonymous kadmin has too much privilege') -realm.stop_kadmind() -+sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); +#f = open(os.path.join(realm.testdir, 'acl'), 'a') +#f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') +#f.close() +#realm.start_kadmind() -+#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) -+#if 'created.' 
not in out: -+# fail('Could not create principal with anonymous kadmin') -+#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) ++#realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd']) ++#out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1) +#if "Operation requires ``get'' privilege" not in out: +# fail('Anonymous kadmin has too much privilege') +#realm.stop_kadmind() ++sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); # Test with anonymous restricted; FAST should work but kvno should fail. r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
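Review bot: After this hunk nothing in t_pkinit.py checks that anonymous kadmin is actually refused: the upstream block is kept as commented-out code and replaced by a message on stderr. Since the point of this patch is to drop `n` from kadmin's getopt string, a negative assertion would protect that hardening on the next rebase, for example `realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)`, provided kadmin exits with status 1 on an unrecognised option, which should be confirmed. The commented-out lines can then be deleted rather than carried along. The trailing `;` on the `sys.stderr.write(...)` line is also not needed in Python.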
--- a/components/krb5/patches/032-pam-krb5.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/032-pam-krb5.patch Wed May 11 20:33:52 2016 -0700 @@ -14,8 +14,8 @@ # Patch source: in-house # diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c ---- old/src/lib/kadm5/clnt/client_init.c 2015-04-30 01:12:10.579373279 -0600 -+++ new/src/lib/kadm5/clnt/client_init.c 2015-05-26 23:38:41.638267439 -0600 +--- no-032/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:25:17.265078167 -0600 ++++ 032/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:27:42.301681052 -0600 @@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm { int code = 0; @@ -25,9 +25,9 @@ char *iprop_svc; boolean_t iprop_enable = B_FALSE; char mech[] = "kerberos_v5"; -@@ -316,15 +316,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm - char *server; +@@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm int port; + struct timeval timeout; - /* service name is service/host */ - server = strpbrk(service_name, "/"); @@ -44,7 +44,7 @@ iprop_svc = strdup(KIPROP_SVC_NAME); if (iprop_svc == NULL) -@@ -510,7 +508,7 @@ cleanup: +@@ -516,7 +514,7 @@ cleanup: static kadm5_ret_t init_any(krb5_context context, char *client_name, enum init_type init_type, @@ -53,7 +53,7 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -528,7 +526,6 @@ init_any(krb5_context context, char *cli +@@ -534,7 +532,6 @@ init_any(krb5_context context, char *cli int code = 0; generic_ret *r; @@ -61,7 +61,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -597,15 +594,19 @@ init_any(krb5_context context, char *cli +@@ -603,15 +600,19 @@ init_any(krb5_context context, char *cli goto error; /* NULL svcname means use host-based. */ 
@@ -88,7 +88,7 @@ } /* Get credentials. */ -@@ -660,14 +661,52 @@ cleanup: +@@ -666,14 +667,52 @@ cleanup: static kadm5_ret_t get_init_creds(kadm5_server_handle_t handle, krb5_principal client, enum init_type init_type, char *pass, krb5_ccache ccache_in, @@ -142,7 +142,7 @@ * Acquire a service ticket for svcname@realm for client, using password * pass (which could be NULL), and create a ccache to store them in. If * INIT_CREDS, use the ccache we were provided instead. -@@ -702,7 +741,7 @@ get_init_creds(kadm5_server_handle_t han +@@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t han } handle->lhandle->cache_name = handle->cache_name;
--- a/components/krb5/patches/035-multi-master.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/035-multi-master.patch Wed May 11 20:33:52 2016 -0700 @@ -8,10 +8,10 @@ # should look at modifying/deleting this patch. # Patch source: in-house # -diff -u -r old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c ---- old/src/kadmin/cli/kadmin.c 2015-05-28 15:10:45.129616302 -0500 -+++ new/src/kadmin/cli/kadmin.c 2015-05-29 13:32:41.901105712 -0500 -@@ -268,7 +268,7 @@ +diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c +--- old/src/kadmin/cli/kadmin.c 2016-03-31 16:44:43.282366236 -0700 ++++ patched/src/kadmin/cli/kadmin.c 2016-03-31 19:24:20.929551275 -0700 +@@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], c char **db_args = NULL; int db_args_size = 0; char *db_name = NULL; @@ -20,7 +20,7 @@ memset(¶ms, 0, sizeof(params)); -@@ -380,11 +380,6 @@ +@@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], c params.mask |= KADM5_CONFIG_REALM; params.realm = def_realm; 
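Review bot: The regenerated header for kadmin.c reads `diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c`, with the two trees in reverse order and not matching the `--- old/` and `+++ patched/` lines that follow. The other refreshed patches in this changeset each use different labels: `new/` and `patched.1/` in 029, `no-032/` and `032/` in 032, `unpatched/` and `patched/` later in this file, and `krb5-1.13.2/` left on the `diff -ur` line in 051. patch(1) ignores the command line and, assuming the usual `-p1`, strips the first path component, so this is cosmetic. It still makes it harder to see which tree a hunk was generated against. Regenerating with one convention, e.g. `diff -pur old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c`, would keep later refreshes easy to review.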
@@ -32,36 +32,35 @@ /* * Set cc to an open credentials cache, either specified by the -c * argument or the default. -@@ -515,13 +510,15 @@ +@@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], c if (ccache_name) { - printf(_("Authenticating as principal %s with existing " - "credentials.\n"), princstr); + info(_("Authenticating as principal %s with existing " + "credentials.\n"), princstr); - retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, + retval = kadm5_init_with_creds_mm(context, princstr, cc, svcnames, + ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else if (use_anonymous) { - printf(_("Authenticating as principal %s with password; " - "anonymous requested.\n"), princstr); + info(_("Authenticating as principal %s with password; " + "anonymous requested.\n"), princstr); - retval = kadm5_init_anonymous(context, princstr, svcname, ¶ms, -+ retval = kadm5_init_anonymous_mm(context, princstr, svcnames, -+ ¶ms, ++ retval = kadm5_init_anonymous_mm(context, princstr, svcnames, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else if (use_keytab) { -@@ -531,17 +528,20 @@ - else - printf(_("Authenticating as principal %s with default keytab.\n"), - princstr); +@@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], c + info(_("Authenticating as principal %s with default keytab.\n"), + princstr); + } - retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname, + retval = kadm5_init_with_skey_mm(context, princstr, keytab_name, + svcnames, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else { - printf(_("Authenticating as principal %s with password.\n"), - princstr); + info(_("Authenticating as principal %s with password.\n"), + princstr); - retval = kadm5_init_with_password(context, princstr, password, svcname, + retval = kadm5_init_with_password_mm(context, princstr, password, + svcnames, 
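Review bot: The `use_anonymous` branch is still rewritten to call `kadm5_init_anonymous_mm`, although 029-kadmin_disable_anonymity.patch in this same changeset removes `n` from kadmin's getopt string. As far as this hunk shows, the branch is then unreachable from the command line, while the anonymous multi-master entry point remains in the client library. If that is intended, a comment on the branch would record it, such as `/* Solaris: -n is removed by 029-kadmin_disable_anonymity.patch; not reachable from the CLI. */`. It is also worth confirming whether `kadm5_init_anonymous_mm` needs to be exported at all. The body of kadmin_startup continues outside the hunk, so any other place that sets `use_anonymous` is not visible here.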
@@ -128,10 +127,10 @@ kadm5_ret_t kadm5_lock(void *server_handle); kadm5_ret_t kadm5_unlock(void *server_handle); kadm5_ret_t kadm5_flush(void *server_handle); -diff -u -r old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c ---- old/src/lib/kadm5/clnt/client_init.c 2015-05-28 15:10:45.192975632 -0500 -+++ new/src/lib/kadm5/clnt/client_init.c 2015-06-02 10:33:51.639341637 -0500 -@@ -55,7 +55,7 @@ +/usr/gnu/bin/diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- unpatched/src/lib/kadm5/clnt/client_init.c 2016-03-28 00:19:36.988270188 -0600 ++++ patched/src/lib/kadm5/clnt/client_init.c 2016-03-28 13:12:43.769371355 -0600 +@@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, I static kadm5_ret_t init_any(krb5_context context, char *client_name, enum init_type init_type, @@ -140,7 +139,7 @@ kadm5_config_params *params, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle); -@@ -87,8 +87,25 @@ +@@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context conte krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -167,7 +166,7 @@ server_handle); } -@@ -99,7 +116,24 @@ +@@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context co krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -193,7 +192,7 @@ params, struct_version, api_version, db_args, server_handle); } -@@ -110,8 +144,24 @@ +@@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context contex krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -219,7 +218,7 @@ db_args, server_handle); } -@@ -121,7 +171,23 @@ +@@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *c krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { 
@@ -244,7 +243,7 @@ params, struct_version, api_version, db_args, server_handle); } -@@ -133,8 +199,25 @@ +@@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context contex krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -271,7 +270,7 @@ server_handle); } -@@ -338,7 +421,7 @@ +@@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm } /* @@ -280,7 +279,7 @@ * - if iprop_port is configured, connect to iprop_port * - if not, query remote rpc/bind * - if that fails, try consuming iprop service on kadmin port -@@ -506,9 +589,35 @@ +@@ -512,9 +595,35 @@ cleanup: return (code); } @@ -317,7 +316,7 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -526,6 +635,10 @@ +@@ -532,6 +641,10 @@ init_any(krb5_context context, char *cli int code = 0; generic_ret *r; @@ -328,7 +327,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -593,34 +706,56 @@ +@@ -599,34 +712,56 @@ init_any(krb5_context context, char *cli if (code) goto error; @@ -407,7 +406,7 @@ *server_handle = (void *) handle; goto cleanup; -@@ -653,6 +788,8 @@ +@@ -659,6 +794,8 @@ cleanup: krb5_free_principal(handle->context, server); if (code) free(handle); @@ -416,7 +415,7 @@ return code; } -@@ -665,46 +802,43 @@ +@@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t han { kadm5_ret_t code; krb5_ccache ccache = NULL; @@ -494,7 +493,7 @@ /* * Acquire a service ticket for svcname@realm for client, using password -@@ -741,7 +875,7 @@ +@@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t han } handle->lhandle->cache_name = handle->cache_name;
--- a/components/krb5/patches/036-verify-nofail.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/036-verify-nofail.patch Wed May 11 20:33:52 2016 -0700 @@ -21,8 +21,8 @@ if (*argv != NULL) check(krb5_parse_name(context, *argv, &princ)); diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py ---- old/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 14:42:17.100176857 -0600 -+++ new/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 18:03:03.977698328 -0600 +--- old/src/lib/krb5/krb/t_vfy_increds.py 2016-03-31 16:44:48.483714940 -0700 ++++ patched/src/lib/krb5/krb/t_vfy_increds.py 2016-03-31 19:34:30.816360770 -0700 @@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n']) @@ -55,8 +55,8 @@ -# default (succeeding unless nofail is set), but should verify with it +# default (succeeding only when nofail is unset), but should verify with it # when it is specifically requested. - realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ) - realm.run_kadminl('ktadd ' + realm.nfs_princ) + realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ]) + realm.run([kadminl, 'ktadd', realm.nfs_princ]) -realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds'], expected_code=1) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -65,7 +65,7 @@ @@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real # results with the default principal argument, but verification should # now fail if we request it specifically. - realm.run_kadminl('change_password -randkey ' + realm.nfs_princ) + realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ]) -realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds'], expected_code=1) realm.run(['./t_vfy_increds', '-n'], expected_code=1)
--- a/components/krb5/patches/045-correct_err_code_for_bad_QOP.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-#
-# This patch fixes krb5_gss_wrap_size_limit return code to comply with
-# RFC 2743.
-#
-# Found by usr/ontest/lib/libgss/gss_api:gss.17.
-#
-# The patch was accepted upstream and will be part of krb5 1.14:
-# https://github.com/krb5/krb5/commit/45ccc1c85f42e4f41f2042df8a51dd7826533029
-# Patch source: in-house
-#
-diff -pur old/src/lib/gssapi/krb5/k5seal.c new/src/lib/gssapi/krb5/k5seal.c
---- old/src/lib/gssapi/krb5/k5seal.c
-+++ new/src/lib/gssapi/krb5/k5seal.c
-@@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, co
- them later. */
- if (qop_req != 0) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
-- return GSS_S_FAILURE;
-+ return GSS_S_BAD_QOP;
- }
-
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
-diff -pur old/src/lib/gssapi/krb5/k5sealiov.c new/src/lib/gssapi/krb5/k5sealiov.c
---- old/src/lib/gssapi/krb5/k5sealiov.c
-+++ new/src/lib/gssapi/krb5/k5sealiov.c
-@@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status,
-
- if (qop_req != 0) {
- *minor_status = (OM_uint32)G_UNKNOWN_QOP;
-- return GSS_S_FAILURE;
-+ return GSS_S_BAD_QOP;
- }
-
- ctx = (krb5_gss_ctx_id_rec *)context_handle;
-@@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_stat
-
- if (qop_req != GSS_C_QOP_DEFAULT) {
- *minor_status = (OM_uint32)G_UNKNOWN_QOP;
-- return GSS_S_FAILURE;
-+ return GSS_S_BAD_QOP;
- }
-
- ctx = (krb5_gss_ctx_id_rec *)context_handle;
-diff -pur old/src/lib/gssapi/krb5/wrap_size_limit.c new/src/lib/gssapi/krb5/wrap_size_limit.c
---- old/src/lib/gssapi/krb5/wrap_size_limit.c
-+++ new/src/lib/gssapi/krb5/wrap_size_limit.c
-@@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, c
- /* only default qop is allowed */
- if (qop_req != GSS_C_QOP_DEFAULT) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
-- return(GSS_S_FAILURE);
-+ return(GSS_S_BAD_QOP);
- }
-
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
--- a/components/krb5/patches/046-creds_usage_mismatch_err_code.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-#
-# In krb5_gss_store_cred_into(), if the credential is acceptor-only, set
-# the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of
-# G_BAD_USAGE.
-#
-# Found by usr/ontest/lib/libgss/gss_api:gss.27.
-#
-# Accepted upstream, will be part of krb5 1.14:
-# https://github.com/krb5/krb5/commit/c0e16bb2f654038ad81602e89851f232916da051
-# Patch source: in-house
-#
-diff -pur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c
---- old/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:13:27.399201700 -0700
-+++ new/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:17:35.570611897 -0700
-@@ -241,7 +241,10 @@ krb5_gss_store_cred_into(OM_uint32 *mino
- if (lifetime == 0)
- return GSS_S_CREDENTIALS_EXPIRED;
-
-- if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
-+ if (actual_usage == GSS_C_ACCEPT) {
-+ *minor_status = G_STORE_ACCEPTOR_CRED_NOSUPP;
-+ return GSS_S_FAILURE;
-+ } else if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
- *minor_status = G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
--- a/components/krb5/patches/051-fopenF.patch Tue May 10 22:37:01 2016 -0700 +++ b/components/krb5/patches/051-fopenF.patch Wed May 11 20:33:52 2016 -0700 @@ -787,9 +787,9 @@ if (!logfile) { perror(*argv); diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c ---- krb5-1.13.2/src/util/profile/prof_file.c 2015-05-08 18:27:02.000000000 -0500 -+++ krb5-1.13.2.fopen/src/util/profile/prof_file.c 2015-08-11 13:56:49.450805045 -0500 -@@ -123,7 +123,7 @@ +--- old/src/util/profile/prof_file.c 2016-03-31 16:44:53.634245353 -0700 ++++ patched/src/util/profile/prof_file.c 2016-03-31 20:07:34.843286876 -0700 +@@ -126,7 +126,7 @@ static int rw_access(const_profile_files */ FILE *f; @@ -798,7 +798,7 @@ if (f) { fclose(f); return 1; -@@ -147,7 +147,7 @@ +@@ -150,7 +150,7 @@ static int r_access(const_profile_filesp */ FILE *f; @@ -807,16 +807,16 @@ if (f) { fclose(f); return 1; -@@ -346,7 +346,7 @@ - } +@@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locke #endif - errno = 0; -- f = fopen(data->filespec, "r"); -+ f = fopen(data->filespec, "rF"); - if (f == NULL) { - retval = errno; - if (retval == 0) -@@ -411,7 +411,7 @@ + if (!isdir) { + errno = 0; +- f = fopen(data->filespec, "r"); ++ f = fopen(data->filespec, "rF"); + if (f == NULL) + return (errno != 0) ? errno : ENOENT; + set_cloexec_file(f); +@@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_ errno = 0;
--- a/components/krb5/patches/061-ccache-nounlink.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,269 +0,0 @@
-#
-# This patch modifies the MIT implementation of krb5_fcc_initialize() so
-# it doesn't call unlink() on an existing ccache file. This modification
-# was done a long time ago in Solaris to workaround a race condition
-# brought on by the interaction between Solaris pam_krb5 and MIT's
-# implementation of krb5_fcc_initialize(). Given there are better ways of
-# fixing the race condition we will not give this patch to MIT however a
-# proper race condition fix would take prohibitively long to implement
-# hence this patch. When pam_krb5 is modified to better deal with the
-# ccache file and RFE 22229031 regarding ktkt_warnd is implemented then
-# this patch can be removed.
-# Patch source: in-house
-#
-
-diff -Naru old/src/lib/krb5/ccache/cc_file.c new/src/lib/krb5/ccache/cc_file.c
---- old/src/lib/krb5/ccache/cc_file.c 2015-05-08 16:27:02.000000000 -0700
-+++ new/src/lib/krb5/ccache/cc_file.c 2015-11-16 15:54:02.138183303 -0800
-@@ -64,6 +64,10 @@
- #include "k5-int.h"
- #include "cc-int.h"
-
-+/* Solaris Kerberos */
-+#include <syslog.h>
-+#include <ctype.h>
-+
- #include <stdio.h>
- #include <errno.h>
-
-@@ -71,6 +75,11 @@
- #include <unistd.h>
- #endif
-
-+/* Solaris Kerberos */
-+/* How long to block if flock fails with EAGAIN */
-+#define LOCK_RETRIES 100
-+#define WAIT_LENGTH 20 /* in milliseconds */
-+
- extern const krb5_cc_ops krb5_cc_file_ops;
-
- krb5_error_code krb5_change_cache(void);
-@@ -85,6 +94,7 @@
- #define FCC_OPEN_AND_ERASE 1
- #define FCC_OPEN_RDWR 2
- #define FCC_OPEN_RDONLY 3
-+#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* Solaris Kerberos */
-
- #define FCC_TAG_DELTATIME 1
-
-@@ -524,6 +534,130 @@
- ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF))
- #endif
-
-+/* Solaris Kerberos */
-+static krb5_error_code
-+krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
-+{
-+ struct stat lres;
-+ struct stat fres;
-+ int error;
-+ uid_t uid, euid;
-+ int fd;
-+ int newfile = 0;
-+
-+ *ret_fd = -1;
-+ /*
-+ * Solaris Kerberos
-+ * If we are opening in NOUNLINK mode, we have to check that the
-+ * existing file, if any, is not a symlink. If it is, we try to
-+ * delete and re-create it.
-+ */
-+ error = lstat(filename, &lres);
-+ if (error == -1 && errno != ENOENT) {
-+ syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
-+ return (-1);
-+ }
-+
-+ if (error == 0 && !S_ISREG(lres.st_mode)) {
-+ syslog(LOG_WARNING, "%s is not a plain file!", filename);
-+ syslog(LOG_WARNING, "trying to unlink %s", filename);
-+ if (unlink(filename) != 0) {
-+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+ return (-1);
-+ }
-+ }
-+
-+ fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK | O_NOFOLLOW, 0600);
-+ if (fd == -1) {
-+ if (errno == ENOENT) {
-+ fd = THREEPARAMOPEN(filename, open_flag | O_EXCL | O_CREAT,
-+ 0600);
-+ if (fd != -1) {
-+ newfile = 1;
-+ } else {
-+ /* If the file got created after the open we must retry */
-+ if (errno == EEXIST)
-+ return (0);
-+ }
-+ } else if (errno == EACCES) {
-+ /*
-+ * We failed since the file existed with wrong permissions.
-+ * Let's try to unlink it and if that succeeds retry.
-+ */
-+ syslog(LOG_WARNING, "Insufficient permissions on %s", filename);
-+ syslog(LOG_WARNING, "trying to unlink %s", filename);
-+ if (unlink(filename) != 0) {
-+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+ return (-1);
-+ }
-+ return (0);
-+ }
-+ }
-+ /* If we still don't have a valid fd, we stop trying */
-+ if (fd == -1)
-+ return (-1);
-+
-+ /*
-+ * Solaris Kerberos
-+ * If the file was not created now with a O_CREAT | O_EXCL open,
-+ * we have opened an existing file. We should check if the file
-+ * owner is us, if not, unlink and retry. If unlink fails we log
-+ * the error and return.
-+ */
-+ if (!newfile) {
-+ if (fstat(fd, &fres) == -1) {
-+ syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
-+ close(fd);
-+ return (-1);
-+ }
-+ /* Check if this is the same file we lstat'd earlier */
-+ if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) {
-+ syslog(LOG_ERR, "%s changed between stat and open!", filename);
-+ close(fd);
-+ return (-1);
-+ }
-+
-+ /*
-+ * Solaris Kerberos
-+ * Check if the cc filename uid matches owner of file.
-+ * Expects cc file to be in the form of /tmp/krb5cc_<uid>,
-+ * else skip this check.
-+ */
-+ if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) {
-+ uid_t fname_uid;
-+ char *uidstr = strchr(filename, '_');
-+ char *s = NULL;
-+
-+ /* make sure we have some non-null char after '_' */
-+ if (!*++uidstr)
-+ goto out;
-+
-+ /* make sure the uid part is all digits */
-+ for (s = uidstr; *s; s++)
-+ if (!isdigit(*s))
-+ goto out;
-+
-+ fname_uid = (uid_t) atoi(uidstr);
-+ if (fname_uid != fres.st_uid) {
-+ close(fd);
-+ syslog(LOG_WARNING, "%s owned by %d instead of %d",
-+ filename, fres.st_uid, fname_uid);
-+ syslog(LOG_WARNING, "trying to unlink %s", filename);
-+ if (unlink(filename) != 0) {
-+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
-+ return (-1);
-+ }
-+ return (0);
-+ }
-+ }
-+ }
-+
-+out:
-+ *new = newfile;
-+ *ret_fd = fd;
-+ return (0);
-+}
-+
- /* Open and lock the cache file. If mode is FCC_OPEN_AND_ERASE, initialize it
- * with a header. Call with the mutex locked. */
- static krb5_error_code
-@@ -538,6 +672,10 @@
- int f, open_flag, lock_flag, cnt;
- char buf[1024];
-
-+ /* Solaris Kerberos */
-+ int retries = 0;
-+ int newfile = 0;
-+
- k5_cc_mutex_assert_locked(context, &data->lock);
- invalidate_cache(data);
-
-@@ -549,6 +687,10 @@
- }
-
- switch (mode) {
-+ /* Solaris Kerberos */
-+ case FCC_OPEN_AND_ERASE_NOUNLINK:
-+ open_flag = O_RDWR;
-+ break;
- case FCC_OPEN_AND_ERASE:
- unlink(data->filename);
- open_flag = O_CREAT | O_EXCL | O_TRUNC | O_RDWR;
-@@ -562,7 +704,21 @@
- break;
- }
-
-+fcc_retry:
-+ /*
-+ * Solaris Kerberos
-+ * If we are opening in NOUNLINK mode, check whether we are opening a
-+ * symlink or a file owned by some other user and take preventive action.
-+ */
-+ newfile = 0;
-+ if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
-+ ret = krb5_fcc_open_nounlink(data->filename, open_flag,
-+ &f, &newfile);
-+ if (ret == 0 && f == -1)
-+ goto fcc_retry;
-+ } else {
- f = THREEPARAMOPEN(data->filename, open_flag | O_BINARY, 0600);
-+ }
- if (f == NO_FILE) {
- if (errno == ENOENT) {
- ret = KRB5_FCC_NOFILE;
-@@ -584,10 +740,26 @@
- ret = krb5_lock_file(context, f, lock_flag);
- if (ret) {
- (void)close(f);
-+ if (ret == EAGAIN && retries++ < LOCK_RETRIES) {
-+ /* Solaris Kerberos wait some time before retrying */
-+ if (poll(NULL, 0, WAIT_LENGTH) == 0)
-+ goto fcc_retry;
-+ }
-+ syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename);
- return ret;
- }
-
-- if (mode == FCC_OPEN_AND_ERASE) {
-+ if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
-+ /*
-+ * Solaris Kerberos
-+ * If this file was not created, we have to flush existing data.
-+ * This will happen only if we are doing an ERASE_NOUNLINK open.
-+ */
-+ if (newfile == 0 && (ftruncate(f, 0) == -1)) {
-+ syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename);
-+ close(f);
-+ return (interpret_errno(context, errno));
-+ }
- /* write the version number */
- store_16_be(context->fcc_default_format, fcc_fvno);
- data->version = context->fcc_default_format;
-@@ -755,14 +927,16 @@
-
- k5_cc_mutex_lock(context, &data->lock);
-
-- MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE);
-+ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK);
-
-+#if 0
- #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD)
- #ifdef HAVE_FCHMOD
- st = fchmod(data->fd, S_IRUSR | S_IWUSR);
- #else
- st = chmod(data->filename, S_IRUSR | S_IWUSR);
- #endif
-+#endif
- if (st == -1) {
- ret = interpret_errno(context, errno);
- MAYBE_CLOSE(context, id, ret);
--- a/components/krb5/patches/064-enable-debug-compile.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-#
-# This patch fixes a minor issue where the hostrealm plugin test program will
-# not compile non-optimized. There is a MIT ticket which they intend on
-# fixing: Ticket #8326 hostrealm code won't compile in debug mode using Solaris
-# Studio C
-# Patch source: in-house
-#
-diff -ur krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
---- krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in
-+++ krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
-@@ -5,9 +5,10 @@
- LIBMAJOR=0
- LIBMINOR=0
- RELDIR=../plugins/hostrealm/test
--# Depends on libkrb5
--SHLIB_EXPDEPS= $(KRB5_DEPLIB)
--SHLIB_EXPLIBS= $(KRB5_LIB)
-+# Depends on libkrb5 and libkrb5support when building non-optimized with
-+# certain compilers.
-+SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB)
-+SHLIB_EXPLIBS= $(KRB5_LIB) $(SUPPORT_LIB)
-
- STLIBOBJS=main.o
-
-
--- a/components/krb5/patches/066-sanitize_context_ptr.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-# Sanitize context pointer in gss_export_sec_context
-#
-# After 4f35b27 context pointer in gss_export_sec_context() is first
-# dereferenced before arguments are sanitized in val_exp_sec_ctx_args().
-# With context == NULL the new code segfaults instead of failing
-# gracefully.
-#
-# Revert this part of 4f35b27 and only dereference context if not NULL.
-#
-# Patch submitted upstream:
-# https://github.com/krb5/krb5/pull/382
-# Patch source: in-house
-#
-
-diff -pur old/src/lib/gssapi/mechglue/g_exp_sec_context.c new/src/lib/gssapi/mechglue/g_exp_sec_context.c
---- old/src/lib/gssapi/mechglue/g_exp_sec_context.c
-+++ new/src/lib/gssapi/mechglue/g_exp_sec_context.c
-@@ -79,7 +79,7 @@ gss_buffer_t interprocess_token;
- {
- OM_uint32 status;
- OM_uint32 length;
-- gss_union_ctx_id_t ctx = (gss_union_ctx_id_t) *context_handle;
-+ gss_union_ctx_id_t ctx;
- gss_mechanism mech;
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
- char *buf;
-@@ -94,6 +94,7 @@ gss_buffer_t interprocess_token;
- * call it.
- */
-
-+ ctx = (gss_union_ctx_id_t) *context_handle;
- mech = gssint_get_mechanism (ctx->mech_type);
- if (!mech)
- return GSS_S_BAD_MECH;
--- a/components/krb5/patches/067-iprop-double-free-fix.patch Tue May 10 22:37:01 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-# Fix a potential but unlikely to occur double free() in a couple places in ipropd_svc.c.
-# This has been reported to MIT who will be fixing this via pull request
-# https://github.com/krb5/krb5/pull/396 .
-# Patch source: in-house
-
-diff -ur krb5-1.13.3/src/kadmin/server/ipropd_svc.c krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
---- krb5-1.13.3/src/kadmin/server/ipropd_svc.c
-+++ krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
-@@ -160,8 +160,6 @@
- client_name = buf_to_string(&client_desc);
- service_name = buf_to_string(&service_desc);
- if (client_name == NULL || service_name == NULL) {
-- free(client_name);
-- free(service_name);
- krb5_klog_syslog(LOG_ERR,
- _("%s: out of memory recording principal names"),
- whoami);
-@@ -288,8 +286,6 @@
- client_name = buf_to_string(&client_desc);
- service_name = buf_to_string(&service_desc);
- if (client_name == NULL || service_name == NULL) {
-- free(client_name);
-- free(service_name);
- DPRINT("%s: out of memory\n", whoami);
- krb5_klog_syslog(LOG_ERR,
- _("%s: out of memory recording principal names"),