PSARC/2015/144 Kerberos 1.13 Delivery to Userland
author Will Fiveash <will.fiveash@oracle.com>
Wed, 24 Feb 2016 10:43:57 -0600
changeset 5490 9bf0bc57423a
parent 5489 a5031bb8b66d
child 5491 b7c228ef56e3
PSARC/2015/144 Kerberos 1.13 Delivery to Userland 19153034 Add MIT Kerberos to the Userland Consolidation
components/krb5/Makefile
components/krb5/Solaris/g_utils.c
components/krb5/Solaris/getuid.c
components/krb5/Solaris/kadm5.acl
components/krb5/Solaris/kadm_host_srv_names.c
components/krb5/Solaris/kadmin.xml
components/krb5/Solaris/kdc.conf
components/krb5/Solaris/kpropd.acl
components/krb5/Solaris/krb5.conf
components/krb5/Solaris/krb5_prop.xml
components/krb5/Solaris/krb5kdc.xml
components/krb5/Solaris/kt_findrealm.c
components/krb5/Solaris/kt_solaris.c
components/krb5/Solaris/kt_solaris.h
components/krb5/Solaris/libgss.mapfile-vers
components/krb5/Solaris/libgss_stubs.c
components/krb5/Solaris/libkadm5clnt.mapfile-vers
components/krb5/Solaris/libkrb5.mapfile-vers
components/krb5/Solaris/man/gss_accept_sec_context.3gss
components/krb5/Solaris/man/gss_acquire_cred.3gss
components/krb5/Solaris/man/gss_add_cred.3gss
components/krb5/Solaris/man/gss_add_oid_set_member.3gss
components/krb5/Solaris/man/gss_auth_rules.5
components/krb5/Solaris/man/gss_canonicalize_name.3gss
components/krb5/Solaris/man/gss_compare_name.3gss
components/krb5/Solaris/man/gss_context_time.3gss
components/krb5/Solaris/man/gss_create_empty_oid_set.3gss
components/krb5/Solaris/man/gss_delete_sec_context.3gss
components/krb5/Solaris/man/gss_display_name.3gss
components/krb5/Solaris/man/gss_display_status.3gss
components/krb5/Solaris/man/gss_duplicate_name.3gss
components/krb5/Solaris/man/gss_export_name.3gss
components/krb5/Solaris/man/gss_export_sec_context.3gss
components/krb5/Solaris/man/gss_get_mic.3gss
components/krb5/Solaris/man/gss_import_name.3gss
components/krb5/Solaris/man/gss_import_sec_context.3gss
components/krb5/Solaris/man/gss_indicate_mechs.3gss
components/krb5/Solaris/man/gss_init_sec_context.3gss
components/krb5/Solaris/man/gss_inquire_context.3gss
components/krb5/Solaris/man/gss_inquire_cred.3gss
components/krb5/Solaris/man/gss_inquire_cred_by_mech.3gss
components/krb5/Solaris/man/gss_inquire_mechs_for_name.3gss
components/krb5/Solaris/man/gss_inquire_names_for_mech.3gss
components/krb5/Solaris/man/gss_oid_to_str.3gss
components/krb5/Solaris/man/gss_process_context_token.3gss
components/krb5/Solaris/man/gss_release_buffer.3gss
components/krb5/Solaris/man/gss_release_cred.3gss
components/krb5/Solaris/man/gss_release_name.3gss
components/krb5/Solaris/man/gss_release_oid.3gss
components/krb5/Solaris/man/gss_release_oid_set.3gss
components/krb5/Solaris/man/gss_store_cred.3gss
components/krb5/Solaris/man/gss_str_to_oid.3gss
components/krb5/Solaris/man/gss_test_oid_set_member.3gss
components/krb5/Solaris/man/gss_unwrap.3gss
components/krb5/Solaris/man/gss_verify_mic.3gss
components/krb5/Solaris/man/gss_wrap.3gss
components/krb5/Solaris/man/gss_wrap_size_limit.3gss
components/krb5/Solaris/man/ja_JP.UTF-8/kerberos.5
components/krb5/Solaris/man/ja_JP.UTF-8/krb5envvar.5
components/krb5/Solaris/man/kerberos.5
components/krb5/Solaris/man/krb5envvar.5
components/krb5/Solaris/man/libgss.3lib
components/krb5/Solaris/man/libkrb5.3lib
components/krb5/Solaris/man/zh_CN.UTF-8/kerberos.5
components/krb5/Solaris/man/zh_CN.UTF-8/krb5envvar.5
components/krb5/Solaris/mech
components/krb5/Solaris/missing_interfaces.c
components/krb5/Solaris/privacy_allowed.c
components/krb5/Solaris/prof_solaris.c
components/krb5/Solaris/prof_solaris.h
components/krb5/Solaris/rc_mem.c
components/krb5/Solaris/rc_mem.h
components/krb5/Solaris/safechown.c
components/krb5/Solaris/util_ordering.c
components/krb5/krb5-kdc.p5m
components/krb5/krb5-message-files.p5m
components/krb5/krb5.license
components/krb5/krb5.p5m
components/krb5/patches/010-qop.patch
components/krb5/patches/011-libgss_hack.patch
components/krb5/patches/012-libgss_filter.patch
components/krb5/patches/014-init_ccache.patch
components/krb5/patches/016-solaris_paths.patch
components/krb5/patches/017-use-openldap-lib.patch
components/krb5/patches/018-krb5_keyblock-ABI.patch
components/krb5/patches/019-log-rotation.patch
components/krb5/patches/020-libkrb5-makefile.patch
components/krb5/patches/021-dump-ok.patch
components/krb5/patches/022-case-ins-compare.patch
components/krb5/patches/023-mem-rcache.patch
components/krb5/patches/024-smb-compat.patch
components/krb5/patches/025-ktwarnd.patch
components/krb5/patches/026-inappropriate_assert.patch
components/krb5/patches/027-add_admin_sname_princ.patch
components/krb5/patches/028-rpc-gss.patch
components/krb5/patches/029-kadmin_disable_anonymity.patch
components/krb5/patches/030-force_dns_hostname_canon.patch
components/krb5/patches/031-kinit-support.patch
components/krb5/patches/032-pam-krb5.patch
components/krb5/patches/033-pkinit-pin.patch
components/krb5/patches/034-migrate.patch
components/krb5/patches/035-multi-master.patch
components/krb5/patches/036-verify-nofail.patch
components/krb5/patches/037-root-defcred.patch
components/krb5/patches/038-krb5-conf.patch
components/krb5/patches/039-15699628.patch
components/krb5/patches/041-move_macros.patch
components/krb5/patches/045-correct_err_code_for_bad_QOP.patch
components/krb5/patches/046-creds_usage_mismatch_err_code.patch
components/krb5/patches/047-dejagnu.patch
components/krb5/patches/048-dns-fix.patch
components/krb5/patches/049-kpropd_no_retries.patch
components/krb5/patches/050-libverto_memleak.patch
components/krb5/patches/051-fopenF.patch
components/krb5/patches/052-krb5-config.patch
components/krb5/patches/053-kernel-mech.patch
components/krb5/patches/054-trailing-comments.patch
components/krb5/patches/055-register_gsscred.patch
components/krb5/patches/057-des-md5-fix.patch
components/krb5/patches/058-man-pages.patch
components/krb5/patches/059-man-pages-fix-paths.patch
components/krb5/patches/060-header-files-cleanup.patch
components/krb5/patches/061-ccache-nounlink.patch
components/krb5/patches/062-ldap-fixes.patch
components/krb5/patches/063-disable-rev-dns-lookup.patch
components/krb5/patches/064-enable-debug-compile.patch
components/krb5/patches/065-no_MD5_in_rcache.patch
components/krb5/patches/066-sanitize_context_ptr.patch
components/krb5/patches/067-iprop-double-free-fix.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Makefile	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,201 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME=		Kerberos
+COMPONENT_MINOR=	1.13
+COMPONENT_VERSION=	1.13.3
+COMPONENT_PROJECT_URL=	http://web.mit.edu/kerberos/
+COMPONENT_SRC=		krb5-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH=	\
+	sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
+COMPONENT_ARCHIVE_URL=	\
+	$(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=	utility/kerberos
+
+TPNO=	26018
+
+include $(WS_MAKE_RULES)/prep.mk
+include $(WS_MAKE_RULES)/configure.mk
+include $(WS_MAKE_RULES)/ips.mk
+
+# Encoding rules for IPS: MIT KerberosV5 <x>.<y>[.<z>] => IPS <x>.<y>.[<z>|0].0
+IPS_COMPONENT_VERSION=	1.13.3.0
+
+# The configure script is not at the top of the source directory.
+CONFIGURE_SCRIPT=	$(SOURCE_DIR)/src/configure
+
+# We need to enable large file support and build PIC for our shared libraries
+CFLAGS += $(CPP_LARGEFILES) $(CC_PIC)
+
+# Include openldap headers instead of obsolete mozilla ldap headers.
+CPPFLAGS += -I$(USRINCDIR)/openldap
+
+# Temporary solution until we can fix this upstream with MIT, which currently
+# depends on implicit binding of libc.  Here we explicitly link with libc to
+# satisfy this dependency.
+# If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch.
+LDFLAGS += -lc -z defs
+
+CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)"
+CONFIGURE_ENV += CFLAGS="$(CFLAGS)"
+CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)"
+CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)"
+CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)"
+CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab"
+CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab"
+
+# Other CONFIGURE_OPTIONS assignments coming from make-rules/configure.mk
+CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR)
+CONFIGURE_OPTIONS += --localstatedir=/var
+CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR)
+CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64)
+CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5
+# to avoid executing subprocesses from /usr/[s]bin/$(MACH64):
+CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
+CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR)
+CONFIGURE_OPTIONS += --with-crypto-impl=openssl
+CONFIGURE_OPTIONS += --with-ldap
+CONFIGURE_OPTIONS += --with-prng-alg=os
+CONFIGURE_OPTIONS += --with-tcl=$(USRDIR)
+CONFIGURE_OPTIONS += --without-system-verto
+
+COMPONENT_PRE_CONFIGURE_ACTION = \
+	cd $(SOURCE_DIR)/src/ && $(SOURCE_DIR)/src/util/reconf
+
+PROTOULD = $(PROTOUSRLIBDIR)
+
+COMPONENT_TEST_ARGS += LD_LIBRARY_PATH="$(PROTOULD):$(PROTOULD)/$(MACH64):"
+
+# MIT's test suite is not well suited for master results processing/filtering
+# but since the test implementation will return failure to the uland build,
+# this is good enough.  The following disables master results processing.
+COMPONENT_TEST_CREATE_TRANSFORMS=
+COMPONENT_TEST_PERFORM_TRANSFORM=
+COMPONENT_TEST_COMPARE=
+
+# We don't ship Solaris specific files as patches to ease maintenance.
+# We rather copy the files to the right directories.
+COMPONENT_PREP_ACTION= \
+	$(CP) Solaris/getuid.c $(SOURCE_DIR)/src/lib/krb5/os/; \
+	$(CP) Solaris/g_utils.c $(SOURCE_DIR)/src/lib/gssapi/mechglue/; \
+	$(CP) Solaris/kadm_host_srv_names.c $(SOURCE_DIR)/src/lib/kadm5/; \
+	$(CP) Solaris/kt_findrealm.c $(SOURCE_DIR)/src/lib/krb5/keytab/; \
+	$(CP) Solaris/kt_solaris.c $(SOURCE_DIR)/src/lib/krb5/keytab/; \
+	$(CP) Solaris/kt_solaris.h $(SOURCE_DIR)/src/lib/krb5/keytab/; \
+	$(CP) Solaris/libgss_stubs.c $(SOURCE_DIR)/src/lib/gssapi/mechglue/; \
+	$(CP) Solaris/missing_interfaces.c $(SOURCE_DIR)/src/lib/krb5/; \
+	$(CP) Solaris/privacy_allowed.c $(SOURCE_DIR)/src/lib/krb5/; \
+	$(CP) Solaris/prof_solaris.c $(SOURCE_DIR)/src/lib/krb5/; \
+	$(CP) Solaris/prof_solaris.h $(SOURCE_DIR)/src/lib/krb5/; \
+	$(CP) Solaris/rc_mem.c $(SOURCE_DIR)/src/lib/krb5/rcache; \
+	$(CP) Solaris/rc_mem.h $(SOURCE_DIR)/src/lib/krb5/rcache; \
+	$(CP) Solaris/safechown.c $(SOURCE_DIR)/src/lib/krb5/os; \
+	$(CP) Solaris/util_ordering.c $(SOURCE_DIR)/src/lib/gssapi/generic
+
+# We move xdr_alloc.c and supporting dyn code from libgssrpc directly
+# into libkadm5srv_mit. kadmind is the only consumer anyway.
+SRCLIB=$(SOURCE_DIR)/src/lib
+COMPONENT_PREP_ACTION += ;\
+	$(CP) $(SRCLIB)/rpc/xdr_alloc.c $(SRCLIB)/kadm5/srv/; \
+	$(CP) $(SRCLIB)/rpc/dyn.c $(SRCLIB)/kadm5/srv/; \
+	$(CP) $(SRCLIB)/rpc/dyn.h $(SRCLIB)/kadm5/srv/; \
+	$(CP) $(SRCLIB)/rpc/dynP.h $(SRCLIB)/kadm5/srv/; \
+	$(CP) $(SRCLIB)/rpc/dyntest.c $(SRCLIB)/kadm5/srv/; \
+
+# Common flags used to create the filter libs below
+FILTLIBFLAGS = -G -Bdirect -z defs -z text
+
+$(BUILD_32): COMPONENT_POST_BUILD_ACTION= \
+	$(CC) -o $(BUILD_DIR)/$(MACH32)/lib/libgss.so.1 \
+	    -hlibgss.so.1 $(FILTLIBFLAGS) -lc \
+	    -M$(COMPONENT_DIR)/Solaris/libgss.mapfile-vers \
+	    -R$(USRLIBDIR)/krb5 \
+	    -z discard-unused=dependencies \
+	    -L $(BUILD_DIR)/$(MACH32)/lib -lkrb5support \
+	    $(BUILD_DIR)/$(MACH32)/lib/gssapi/mechglue/libgss_stubs.o && \
+	$(CC) -o $(BUILD_DIR)/$(MACH32)/lib/libkrb5.so.1 \
+	    -hlibkrb5.so.1 $(FILTLIBFLAGS) \
+	    -M$(COMPONENT_DIR)/Solaris/libkrb5.mapfile-vers \
+	    $(BUILD_DIR)/$(MACH32)/lib/krb5/missing_interfaces.o \
+	    $(BUILD_DIR)/$(MACH32)/lib/krb5/privacy_allowed.o && \
+	$(LD) -o $(BUILD_DIR)/$(MACH32)/lib/libkadm5clnt.so.1 \
+	    -hlibkadm5clnt.so.1 $(FILTLIBFLAGS) \
+	    -M$(COMPONENT_DIR)/Solaris/libkadm5clnt.mapfile-vers;
+
+$(BUILD_64): COMPONENT_POST_BUILD_ACTION= \
+	$(CC) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libgss.so.1 \
+	    -hlibgss.so.1 $(FILTLIBFLAGS) -lc \
+	    -M$(COMPONENT_DIR)/Solaris/libgss.mapfile-vers \
+	    -R$(USRLIBDIR)/krb5/$(MACH64) \
+	    -z discard-unused=dependencies \
+	    -L $(BUILD_DIR)/$(MACH64)/lib -lkrb5support \
+	    $(BUILD_DIR)/$(MACH64)/lib/gssapi/mechglue/libgss_stubs.o && \
+	$(CC) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libkrb5.so.1 \
+	    -hlibkrb5.so.1 $(FILTLIBFLAGS) \
+	    -M$(COMPONENT_DIR)/Solaris/libkrb5.mapfile-vers \
+	    $(BUILD_DIR)/$(MACH64)/lib/krb5/missing_interfaces.o \
+	    $(BUILD_DIR)/$(MACH64)/lib/krb5/privacy_allowed.o && \
+	$(LD) -m64 -o $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \
+	    -hlibkadm5clnt.so.1 $(FILTLIBFLAGS) \
+	    -M$(COMPONENT_DIR)/Solaris/libkadm5clnt.mapfile-vers;
+
+$(INSTALL_32): COMPONENT_POST_INSTALL_ACTION= \
+	$(CP) $(BUILD_DIR)/$(MACH32)/lib/libgss.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR); \
+	$(CP) $(BUILD_DIR)/$(MACH32)/lib/libkrb5.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR); \
+	$(CP) $(BUILD_DIR)/$(MACH32)/lib/libkadm5clnt.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR);
+
+$(INSTALL_64): COMPONENT_POST_INSTALL_ACTION= \
+	$(MKDIR) -p $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \
+	$(CP) $(BUILD_DIR)/$(MACH64)/lib/libgss.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \
+	$(CP) $(BUILD_DIR)/$(MACH64)/lib/libkrb5.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR)/$(MACH64); \
+	$(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \
+		$(PROTO_DIR)$(USRLIBDIR)/$(MACH64);
+
+ASLR_MODE = $(ASLR_ENABLE)
+
+# common targets
+build:	$(BUILD_32_and_64)
+
+install:	$(INSTALL_32_and_64)
+
+# build does this always
+test:	$(TEST_32_and_64)
+
+REQUIRED_PACKAGES += developer/test/dejagnu
+REQUIRED_PACKAGES += library/libedit
+REQUIRED_PACKAGES += library/openldap
+REQUIRED_PACKAGES += library/security/openssl
+REQUIRED_PACKAGES += service/security/kerberos-5
+REQUIRED_PACKAGES += shell/ksh93
+REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/library/math
+REQUIRED_PACKAGES += system/library/security/gss
+
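Review bot: COMPONENT_ARCHIVE_URL is derived from COMPONENT_PROJECT_URL, which is plain http://web.mit.edu/kerberos/, so the pinned sha256 in COMPONENT_ARCHIVE_HASH is the only integrity check on the fetched tarball; switch the URL to https so that a future hash bump is not taken from a download that could have been altered in transit. Separately, the second COMPONENT_PREP_ACTION block ends its last line (the dyntest.c copy) with `; \`, which continues into the blank line below it; drop that trailing backslash so an edit placed directly underneath is not folded into the prep recipe.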
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/g_utils.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,246 @@
+/*
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include "mglueP.h"
+#include "gssapiP_krb5.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <ctype.h>
+#include <errno.h>
+/*
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_ext.h>
+*/
+#include <synch.h>
+
+#define	Q_DEFAULT		"default"
+#define	BUFLEN			256
+
+static int qop_num_pair_cnt;
+static const char    QOP_NUM_FILE[] = "/etc/gss/qop";
+static qop_num	qop_num_pairs[MAX_QOP_NUM_PAIRS+1];
+static mutex_t qopfile_lock = DEFAULTMUTEX;
+
+static OM_uint32 __gss_read_qop_file(void);
+
+/*
+ * This routine fetches qop and num from "/etc/gss/qop".
+ * There is a memory leak associated with rereading this file,
+ * because we can't free the qop_num_pairs array when we reread
+ * the file (some callers may have been given these pointers).
+ * In general, this memory leak should be a small one, because
+ * we don't expect the qop file to be changed and reread often.
+ */
+static OM_uint32
+__gss_read_qop_file(void)
+{
+	char 	buf[BUFLEN];	/* one line from the file */
+	char	*name, *next;
+	char	*qopname, *num_str;
+	char 	*line;
+	FILE 	*fp;
+	static int last = 0;
+	struct stat stbuf;
+	OM_uint32 major = GSS_S_COMPLETE;
+
+	(void) mutex_lock(&qopfile_lock);
+	if (stat(QOP_NUM_FILE, &stbuf) != 0 || stbuf.st_mtime < last) {
+		if (!qop_num_pairs[0].qop) {
+			major = GSS_S_FAILURE;
+		}
+		goto done;
+	}
+	last = stbuf.st_mtime;
+
+	fp = fopen(QOP_NUM_FILE, "rF");
+	if (fp == (FILE *)0) {
+		major = GSS_S_FAILURE;
+		goto done;
+	}
+
+	/*
+	 * For each line in the file parse it appropriately.
+	 * File format : qopname	num(int)
+	 * Note that we silently ignore corrupt entries.
+	 */
+	qop_num_pair_cnt = 0;
+	while (!feof(fp)) {
+		line = fgets(buf, BUFLEN, fp);
+		if (line == NULL)
+			break;
+
+		/* Skip comments and blank lines */
+		if ((*line == '#') || (*line == '\n'))
+			continue;
+
+		/* Skip trailing comments */
+		next = strchr(line, '#');
+		if (next)
+			*next = '\0';
+
+		name = &(buf[0]);
+		while (isspace(*name))
+			name++;
+		if (*name == '\0')	/* blank line */
+			continue;
+
+		qopname = name;	/* will contain qop name */
+		while (!isspace(*qopname))
+			qopname++;
+		if (*qopname == '\0') {
+			continue;
+		}
+		next = qopname+1;
+		*qopname = '\0';	/* null terminate qopname */
+		qop_num_pairs[qop_num_pair_cnt].qop = strdup(name);
+		if (qop_num_pairs[qop_num_pair_cnt].qop == NULL)
+			continue;
+
+		name = next;
+		while (isspace(*name))
+			name++;
+		if (*name == '\0') { 	/* end of line, no num */
+			free(qop_num_pairs[qop_num_pair_cnt].qop);
+			continue;
+		}
+		num_str = name;	/* will contain num (n) */
+		while (!isspace(*num_str))
+			num_str++;
+		next = num_str+1;
+		*num_str++ = '\0';	/* null terminate num_str */
+
+		qop_num_pairs[qop_num_pair_cnt].num = (OM_uint32)atoi(name);
+		name = next;
+		while (isspace(*name))
+			name++;
+		if (*name == '\0') { 	/* end of line, no mechanism */
+			free(qop_num_pairs[qop_num_pair_cnt].qop);
+			continue;
+		}
+		num_str = name;	/* will contain mech */
+		while (!isspace(*num_str))
+			num_str++;
+		*num_str = '\0';
+
+		qop_num_pairs[qop_num_pair_cnt].mech = strdup(name);
+		if (qop_num_pairs[qop_num_pair_cnt].mech == NULL) {
+			free(qop_num_pairs[qop_num_pair_cnt].qop);
+			continue;
+		}
+
+		if (qop_num_pair_cnt++ >= MAX_QOP_NUM_PAIRS)
+			break;
+	}
+	(void) fclose(fp);
+done:
+	(void) mutex_unlock(&qopfile_lock);
+	return (major);
+}
+
+OM_uint32
+gssint_qop_to_num(
+	char		*qop,
+	char		*mech,
+	OM_uint32	*num
+)
+{
+	int i;
+	OM_uint32 major = GSS_S_FAILURE;
+
+	if (!num)
+		return (GSS_S_CALL_INACCESSIBLE_WRITE);
+
+	if (qop == NULL || strlen(qop) == 0 ||
+			strcasecmp(qop, Q_DEFAULT) == 0) {
+		*num = GSS_C_QOP_DEFAULT;
+		return (GSS_S_COMPLETE);
+	}
+
+	if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE)
+		return (major);
+
+	for (i = 0; i < qop_num_pair_cnt; i++) {
+		if ((strcasecmp(mech, qop_num_pairs[i].mech) == 0) &&
+		    (strcasecmp(qop, qop_num_pairs[i].qop) == 0)) {
+			*num = qop_num_pairs[i].num;
+			return (GSS_S_COMPLETE);
+		}
+	}
+
+	return (GSS_S_FAILURE);
+}
+
+OM_uint32
+gssint_num_to_qop(
+	char		*mech,
+	OM_uint32	num,
+	char		**qop
+)
+{
+	int i;
+	OM_uint32 major;
+
+	if (!qop)
+		return (GSS_S_CALL_INACCESSIBLE_WRITE);
+	*qop = NULL;
+
+	if (num == GSS_C_QOP_DEFAULT) {
+		*qop = Q_DEFAULT;
+		return (GSS_S_COMPLETE);
+	}
+
+	if (mech == NULL)
+		return (GSS_S_CALL_INACCESSIBLE_READ);
+
+	if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE)
+		return (major);
+
+	for (i = 0; i < qop_num_pair_cnt; i++) {
+		if ((strcasecmp(mech, qop_num_pairs[i].mech) == 0) &&
+		    (num == qop_num_pairs[i].num)) {
+			*qop = qop_num_pairs[i].qop;
+			return (GSS_S_COMPLETE);
+		}
+	}
+	return (GSS_S_FAILURE);
+}
+
+/*
+ * For a given mechanism pass back qop information about it in a buffer
+ * of size MAX_QOPS_PER_MECH+1.
+ */
+OM_uint32
+gssint_get_mech_info(
+	char		*mech,
+	char		**qops
+)
+{
+	int i, cnt = 0;
+	OM_uint32 major = GSS_S_COMPLETE;
+
+	if (!qops)
+		return (GSS_S_CALL_INACCESSIBLE_WRITE);
+	*qops = NULL;
+
+	if (!mech)
+		return (GSS_S_CALL_INACCESSIBLE_READ);
+
+	if ((major = __gss_read_qop_file()) != GSS_S_COMPLETE)
+		return (major);
+
+	for (i = 0; i < qop_num_pair_cnt; i++) {
+		if (strcmp(mech, qop_num_pairs[i].mech) == 0) {
+		    if (cnt >= MAX_QOPS_PER_MECH) {
+			return (GSS_S_FAILURE);
+		    }
+		    qops[cnt++] = qop_num_pairs[i].qop;
+		}
+	}
+	qops[cnt] = NULL;
+	return (GSS_S_COMPLETE);
+}
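Review bot: In __gss_read_qop_file() the token scans `while (!isspace(*qopname))` and both `while (!isspace(*num_str))` loops never test for '\0', so a line of /etc/gss/qop that ends without trailing whitespace (a last line with no newline, or one cut short by the `*next = '\0'` comment strip) is scanned past its terminator and can run beyond buf[BUFLEN]; the `if (*qopname == '\0')` check after the first loop can never be true. Stop each loop on `*p != '\0' && !isspace((unsigned char)*p)` and treat a missing field as a corrupt entry. Also, the reread guard is `stbuf.st_mtime < last`, so an unchanged file (mtime equal to last) is reparsed and strdup()ed again on every call, which makes the leak described in the header comment a per-call leak; `<=` looks like what was intended. gssint_qop_to_num() passes mech to strcasecmp() without the NULL check that the other two lookups have.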
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/getuid.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include	<sys/types.h>
+#include	<unistd.h>
+#include	<dlfcn.h>
+#include	"k5-int.h"
+
+#define		KRB5_UID	"app_krb5_user_uid"
+
+/*
+ * mech_krb5 makes various calls to getuid().  When employed by gssd(1M) and
+ * ktkt_warnd(1M), app_krb5_user_uid() is used to select a given user's
+ * credential cache, rather than the id of the process.
+ */
+uid_t
+krb5_getuid()
+{
+	static uid_t	(*gptr)() = NULL;
+	void		*handle;
+
+	if (gptr == NULL) {
+		/*
+		 * Specifically look for app_krb5_user_uid() in the application,
+		 * and don't fall into an exhaustive search through all of the
+		 * process dependencies.  This interface is suplied from
+		 * gssd(1M) and ktkt_warnd(1M).
+		 */
+		if (((handle = dlopen(0, (RTLD_LAZY | RTLD_FIRST))) == NULL) ||
+		    ((gptr = (uid_t (*)())dlsym(handle, KRB5_UID)) == NULL)) {
+			/*
+			 * Fall back to the default getuid(), which is probably
+			 * libc.
+			 */
+			gptr = &getuid;
+		}
+	}
+
+	/*
+	 * Return the appropriate uid.  Note, if a default getuid() couldn't
+	 * be found, the getuid assignment would have failed to relocate, and
+	 * hence this module would fail to load.
+	 */
+	return ((*gptr)());
+}
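Review bot: krb5_getuid() fills the function-level static gptr with no lock or once-guard, and the handle returned by `dlopen(0, (RTLD_LAZY | RTLD_FIRST))` is never passed to dlclose(). Racing threads would store the same pointer, so this is benign, but say so in the comment (or use a once-guard) and close the handle after the dlsym(). Declare both the function and the pointer with `(void)` instead of empty parameter lists so the compiler checks the call, and fix the "suplied" typo in the comment.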
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kadm5.acl	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,24 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+*/[email protected]___default_realm___ *
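Review bot: The single entry in this default ACL ends in `*`, which grants every kadmin privilege, and its principal pattern has a wildcard first component, so every principal with the matching instance in the default realm gets full administrative rights as soon as the placeholder realm is filled in. Add a comment line above the entry saying that and naming the per-operation privilege letters, so sites narrow the grant deliberately instead of inheriting it unnoticed.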
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kadm_host_srv_names.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,245 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+/*
+ * lib/kad5/kadm_host_srv_names.c
+ */
+
+#include <k5-int.h>
+#include "admin.h"
+#include <stdio.h>
+#include "fake-addrinfo.h"
+/* HACK!!! need struct serverlist*/
+#include "../krb5/os/os-proto.h"
+
+/* HACK!!! */
+#define	KADM5_ADMIN_HOST_SERVICE	"kadmin"
+#define	KADM5_CHANGEPW_HOST_SERVICE	"changepw"
+
+extern krb5_error_code
+k5_locate_kadmin(krb5_context context, const krb5_data *realm,
+		                 struct serverlist *serverlist);
+
+extern krb5_error_code
+locate_kpasswd(krb5_context context, const krb5_data *realm,
+	       struct serverlist *serverlist, krb5_boolean no_udp);
+
+/*
+ * Find the admin server for the given realm. If the realm is null or
+ * the empty string, find the admin server for the default realm.
+ * Returns 0 on succsess (KADM5_OK). It is the callers responsibility to
+ * free the storage allocated to the admin server, master.
+ */
+kadm5_ret_t
+kadm5_get_master(krb5_context context, const char *realm, char **master)
+{
+    kadm5_ret_t		ret = KADM5_OK;
+    char		*def_realm = NULL;
+    krb5_error_code	code;
+    struct serverlist	serverlist = SERVERLIST_INIT;
+    struct server_entry	*entry;
+    krb5_data		krealm;
+
+    if (realm == 0 || *realm == '\0')
+	krb5_get_default_realm(context, &def_realm);
+
+    krealm = string2data(def_realm ? def_realm : (char *) realm);
+
+    code = k5_locate_server(context, &krealm, &serverlist,
+				locate_service_kadmin, TRUE);
+    if (code == 0) {
+	entry = &serverlist.servers[0];
+	*master = strdup(entry->hostname);
+	if (*master == NULL)
+	    ret = ENOMEM;
+    } else
+	ret = KADM5_NO_SRV;
+			
+    if (def_realm != NULL)
+	krb5_free_default_realm(context, def_realm);
+
+    k5_free_serverlist(&serverlist);
+
+    return (ret);
+}
+
+void
+free_srv_names(char **srv_names)
+{
+    int i;
+
+    if (srv_names == NULL)
+        return;
+    
+    for (i = 0; srv_names[i] != NULL; i++) {
+        free(srv_names[i]);
+    }
+
+    free(srv_names);
+}
+
+/*
+ * Get the host base service name for the admin principal. Returns
+ * KADM5_OK on success. Caller must call free_srv_names() on
+ * host_service_names.
+ */
+kadm5_ret_t
+kadm5_get_adm_host_srv_names(krb5_context context,
+			    const char *realm, char ***host_service_names)
+{
+    kadm5_ret_t ret;
+    char **tmp_srv_names;
+    struct serverlist sl = SERVERLIST_INIT;
+    int i;
+    krb5_data realm_data;
+
+    /* get list of admin servers */
+    if (realm == NULL)
+        return (EINVAL);
+    realm_data.magic = KV5M_DATA;
+    realm_data.data = (char *) realm;
+    realm_data.length = strlen(realm);
+    if (ret = k5_locate_kadmin(context, (const krb5_data *) &realm_data, &sl))
+        return (ret);
+
+    /* + 1 for array terminator */
+    tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *));
+    if (tmp_srv_names == NULL) {
+        k5_free_serverlist(&sl);
+        return (ENOMEM);
+    }
+
+    for (i = 0; i < sl.nservers; i++) {
+        tmp_srv_names[i] = malloc(strlen(KADM5_ADMIN_HOST_SERVICE) +
+                                  strlen(sl.servers[i].hostname) + 2);
+        if (tmp_srv_names[i] == NULL) {
+            free_srv_names(tmp_srv_names);
+            k5_free_serverlist(&sl);
+            return (ENOMEM);
+        }
+        sprintf(tmp_srv_names[i], "%[email protected]%s", KADM5_ADMIN_HOST_SERVICE,
+                sl.servers[i].hostname);
+    }
+
+    k5_free_serverlist(&sl);
+    *host_service_names = tmp_srv_names;
+    return (KADM5_OK);
+}
+
+/*
+ * Get the host base service name for the changepw principal. Returns
+ * KADM5_OK on success. Caller must call free_srv_names() on
+ * host_service_names.
+ */
+kadm5_ret_t
+kadm5_get_cpw_host_srv_names(krb5_context context,
+			    const char *realm, char ***host_service_names)
+{
+    kadm5_ret_t ret;
+    char **tmp_srv_names;
+    struct serverlist sl = SERVERLIST_INIT;
+    int i;
+    krb5_data realm_data;
+
+    /* get list of admin servers */
+    if (realm == NULL)
+        return (EINVAL);
+    realm_data.magic = KV5M_DATA;
+    realm_data.data = (char *) realm;
+    realm_data.length = strlen(realm);
+    if (ret = locate_kpasswd(context, (const krb5_data *) &realm_data, &sl, 0))
+        return (ret);
+
+    /* + 1 for array terminator */
+    tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *));
+    if (tmp_srv_names == NULL) {
+        k5_free_serverlist(&sl);
+        return (ENOMEM);
+    }
+
+    for (i = 0; i < sl.nservers; i++) {
+        tmp_srv_names[i] = malloc(strlen(KADM5_CHANGEPW_HOST_SERVICE) +
+                                  strlen(sl.servers[i].hostname) + 2);
+        if (tmp_srv_names[i] == NULL) {
+            free_srv_names(tmp_srv_names);
+            k5_free_serverlist(&sl);
+            return (ENOMEM);
+        }
+        sprintf(tmp_srv_names[i], "%[email protected]%s", KADM5_CHANGEPW_HOST_SERVICE,
+                sl.servers[i].hostname);
+    }
+
+    k5_free_serverlist(&sl);
+    *host_service_names = tmp_srv_names;
+    return (KADM5_OK);
+}
+
+/*
+ * Get the host base service name for the kiprop principal. Returns
+ * KADM5_OK on success. Caller must free the storage allocated
+ * for host_service_name.
+ */
+kadm5_ret_t
+kadm5_get_kiprop_host_srv_names(krb5_context context,
+                               const char *realm,
+                               char ***host_service_names)
+{
+    kadm5_ret_t ret;
+    char **tmp_srv_names;
+    struct serverlist sl = SERVERLIST_INIT;
+    int i;
+    krb5_data realm_data;
+
+    /* get list of admin servers */
+    if (realm == NULL)
+        return (EINVAL);
+    realm_data.magic = KV5M_DATA;
+    realm_data.data = (char *) realm;
+    realm_data.length = strlen(realm);
+    if (ret = k5_locate_kadmin(context, (const krb5_data *) &realm_data, &sl))
+        return (ret);
+
+    /* + 1 for array terminator */
+    tmp_srv_names = calloc(sl.nservers + 1, sizeof (char *));
+    if (tmp_srv_names == NULL) {
+        k5_free_serverlist(&sl);
+        return (ENOMEM);
+    }
+
+    for (i = 0; i < sl.nservers; i++) {
+        tmp_srv_names[i] = malloc(strlen(KADM5_KIPROP_HOST_SERVICE) +
+                                  strlen(sl.servers[i].hostname) + 2);
+        if (tmp_srv_names[i] == NULL) {
+            free_srv_names(tmp_srv_names);
+            k5_free_serverlist(&sl);
+            return (ENOMEM);
+        }
+        sprintf(tmp_srv_names[i], "%[email protected]%s", KADM5_KIPROP_HOST_SERVICE,
+                sl.servers[i].hostname);
+    }
+
+    k5_free_serverlist(&sl);
+    *host_service_names = tmp_srv_names;
+    return (KADM5_OK);
+}
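Review bot: kadm5_get_master() ignores the return value of krb5_get_default_realm(), so when realm is NULL or empty and that call fails, def_realm stays NULL and `string2data(def_realm ? def_realm : (char *) realm)` is handed NULL or an empty string; check the error and return before building krealm. The same function reads serverlist.servers[0] and strdup()s entry->hostname without checking nservers or for a NULL hostname. The three kadm5_get_*_host_srv_names() bodies differ only in the locate call and the service string, so one static helper taking those two arguments would remove the triplicated allocation and cleanup paths; use snprintf() with the computed length there instead of sprintf(), and write the test as `if ((ret = ...) != 0)` rather than a bare assignment in the condition.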
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kadmin.xml	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,95 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+
+	NOTE:  This service manifest is not editable; its contents will
+	be overwritten by package or patch operations, including
+	operating system upgrade.  Make customizations in a different
+	file.
+
+	Service manifest for the Kerberos administration daemon
+-->
+
+<service_bundle type='manifest' name='SUNWkrbr:kadmin'>
+
+<service
+	name='network/security/kadmin'
+	type='service'
+	version='1'>
+
+	<create_default_instance enabled='false' />
+
+	<single_instance/>
+
+	<dependency
+		name='dns'
+		grouping='require_all'
+		restart_on='error'
+		type='service'>
+		<service_fmri value='svc:/network/dns/client' />
+	</dependency>
+
+	<dependency
+		name='rpcbind'
+		grouping='require_all'
+		restart_on='restart'
+		type='service'>
+		<service_fmri value='svc:/network/rpc/bind' />
+	</dependency>
+
+	<exec_method
+		type='method'
+		name='start'
+		exec='/usr/lib/krb5/kadmind'
+		timeout_seconds='60'>
+		<method_context>
+			<method_credential
+				user='root'
+				group='root'
+				privileges='basic,!file_link_any,!proc_info,!proc_session,file_dac_search,file_dac_write,net_privaddr,proc_audit'
+			/>
+		</method_context>
+	</exec_method>
+
+	<exec_method
+		type='method'
+		name='stop'
+		exec=':kill'
+		timeout_seconds='60' />
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			Kerberos administration daemon </loctext>
+		</common_name>
+		<documentation>
+			<manpage title='kadmind' section='1M'
+			    manpath='/usr/share/man' />
+		</documentation>
+        </template>
+</service>
+
+</service_bundle>
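Review bot: the start method's method_credential grants file_dac_write in addition to file_dac_search while running as root, and nothing in the manifest says why kadmind needs to bypass write permission checks. Add a comment next to the privileges attribute naming what requires it, or drop the privilege if the paths kadmind writes are already writable by root. Style: the closing </template> is indented with spaces where the rest of the file uses tabs.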
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kdc.conf	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,37 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# 
+# Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
+#
+
+[kdcdefaults]
+	kdc_ports = 88,750
+
+[realms]
+	___default_realm___ = {
+		profile = /etc/krb5/krb5.conf
+		database_name = /var/krb5/principal
+		acl_file = /etc/krb5/kadm5.acl
+		kadmind_port = 749
+		max_life = 8h 0m 0s
+		max_renewable_life = 7d 0h 0m 0s
+		default_principal_flags = +preauth
+	}
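Review bot: kdc_ports = 88,750 in [kdcdefaults] keeps the KDC listening on the legacy port 750 as well as 88; if no supported client still uses 750, shipping only 88 gives a smaller default listening surface. The realm block also leaves the enctype choice to built-in defaults; a commented supported_enctypes line would show administrators where to restrict it. The copyright line reads 2008 for a file that is added by this change.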
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kpropd.acl	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,23 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
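Review bot: the file is delivered with only the license header, so an administrator opening it gets no hint of the expected entry format. Add a commented sample entry and a one-line description of when kpropd consults the file.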
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/krb5.conf	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,66 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# 
+# Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved.
+#
+
+# krb5.conf template
+# In order to complete this configuration file
+# you will need to replace the __<name>__ placeholders
+# with appropriate values for your network and uncomment the
+# appropriate entries.
+#
+[libdefaults]
+#        default_realm = ___default_realm___
+
+[realms]
+#        ___default_realm___ = {
+#                kdc = ___master_kdc___
+#                kdc = ___slave_kdc1___
+#                kdc = ___slave_kdc2___
+#                kdc = ___slave_kdcN___
+#                admin_server = ___master_kdc___
+#        }
+
+[domain_realm]
+#	___domainname___ = ___default_realm___
+
+[logging]
+        default = FILE:/var/krb5/kdc.log
+        kdc = FILE:/var/krb5/kdc.log
+	kdc_rotate = {
+
+# How often to rotate kdc.log. Logs will get rotated no more
+# often than the period, and less often if the KDC is not used
+# frequently.
+
+		period = 1d
+
+# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
+
+		versions = 10
+	}
+
+[appdefaults]
+	kinit = {
+		renewable = true
+		forwardable= true
+	}
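Review bot: the [appdefaults] kinit block turns on forwardable and renewable for every kinit, so each TGT obtained on a default install can be forwarded unless the user opts out. Consider shipping these commented out like the realm entries, or state the reason for the default in a comment. Style: "forwardable= true" is missing the space before "=", and the [logging] section mixes space and tab indentation.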
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/krb5_prop.xml	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,95 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<!--
+
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+
+	NOTE:  This service manifest is not editable; its contents will
+	be overwritten by package or patch operations, including
+	operating system upgrade.  Make customizations in a different
+	file.
+
+	Service manifest for the krb5_prop service.
+
+	kpropd can run in two modes, incremental and nonincremental:
+		the new mode of incremental propagation
+			actively polls for updates from the master KDC
+
+		the old mode of nonincremental
+			passively receives full propagations from the master KDC
+
+	refer to kdc.conf(4) to configure incremental or nonincremental modes
+-->
+
+<service_bundle type='manifest' name='SUNWkdcr:kpropd'>
+
+<service
+	name='network/security/krb5_prop'
+	type='service'
+	version='1'>
+
+	<create_default_instance enabled='false' />
+
+	<dependency
+		name='dns'
+		grouping='require_all'
+		restart_on='error'
+		type='service'>
+		<service_fmri value='svc:/network/dns/client' />
+	</dependency>
+
+	<exec_method
+		type='method'
+		name='start'
+		exec='/usr/lib/krb5/kpropd -S'
+		timeout_seconds='60'>
+		<method_context>
+			<method_credential
+				user='root'
+				group='other'
+				privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr'
+			/>	
+		</method_context>
+	</exec_method>
+
+	<exec_method
+		type='method'
+		name='stop'
+		exec=':kill'
+		timeout_seconds='60' />
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			Kerberos propagation daemon for slave KDCs
+			</loctext>
+		</common_name>
+		<documentation>
+			<manpage title='kpropd' section='1M'
+			    manpath='/usr/share/man' />
+		</documentation>
+	</template>
+</service>
+
+</service_bundle>
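Review bot: the start method runs kpropd with group='other', while the kadmin and krb5kdc manifests in this change use group='root', and this service omits the <single_instance/> element those two declare. If either difference is intentional, say so in the header comment; otherwise align them. Style: there is a trailing tab after the "/>" that closes method_credential.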
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/krb5kdc.xml	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,88 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+
+	NOTE:  This service manifest is not editable; its contents will
+	be overwritten by package or patch operations, including
+	operating system upgrade.  Make customizations in a different
+	file.
+
+	Service manifest for the Kerberos key distribution center
+-->
+
+<service_bundle type='manifest' name='SUNWkrbr:krb5kdc'>
+
+<service
+	name='network/security/krb5kdc'
+	type='service'
+	version='1'>
+
+	<create_default_instance enabled='false' />
+
+	<single_instance/>
+
+	<dependency
+		name='dns'
+		grouping='require_all'
+		restart_on='error' 
+		type='service'>
+		<service_fmri value='svc:/network/dns/client' />
+	</dependency>
+
+	<exec_method
+		type='method'
+		name='start'
+		exec='/usr/lib/krb5/krb5kdc'
+		timeout_seconds='60'>
+		<method_context>
+			<method_credential
+				user='root'
+				group='root'
+				privileges='basic,!file_link_any,!proc_info,!proc_session,file_dac_search,net_privaddr,proc_audit'
+			/>
+		</method_context>
+	</exec_method>
+
+	<exec_method
+		type='method'
+		name='stop'
+		exec=':kill'
+		timeout_seconds='60' />
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			Kerberos key distribution center
+			</loctext>
+		</common_name>
+		<documentation>
+			<manpage title='krb5kdc' section='1M'
+			    manpath='/usr/share/man' />
+		</documentation>
+	</template>
+
+</service>
+
+</service_bundle>
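Review bot: the privileges attribute on the start method is the only record of what krb5kdc may do as root, and it carries no explanation. A short comment stating what each added privilege (file_dac_search, net_privaddr, proc_audit) is needed for would let a later reviewer tell whether one can be dropped. Style: there is a trailing space after restart_on='error' in the dns dependency.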
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kt_findrealm.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+/*
+ * Solaris Kerberos:
+ * Iterate through a keytab (keytab) looking for an entry which matches
+ * the components of a principal (princ) but match on any realm. When a
+ * suitable entry is found return the entry's realm.
+ */
+
+#include "k5-int.h"
+
+krb5_error_code krb5_kt_find_realm(krb5_context context, krb5_keytab keytab,
+    krb5_principal princ, krb5_data *realm) {
+
+	krb5_kt_cursor cur;
+	krb5_keytab_entry ent;
+	krb5_boolean match;
+	krb5_data tmp_realm;
+	krb5_error_code ret, ret2;
+
+	ret = krb5_kt_start_seq_get(context, keytab, &cur);
+	if (ret != 0) {
+		return (ret);
+	}
+
+	while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cur)) == 0) {
+		/* For the comparison the realms should be the same. */
+		memcpy(&tmp_realm, &ent.principal->realm, sizeof (krb5_data));
+		memcpy(&ent.principal->realm, &princ->realm,
+		    sizeof (krb5_data));
+
+		match = krb5_principal_compare(context, ent.principal, princ);
+
+		/* Copy the realm back */
+		memcpy(&ent.principal->realm, &tmp_realm, sizeof (krb5_data));
+
+		if (match) {
+			/*
+			 * A suitable entry was found in the keytab.
+			 * Copy its realm
+			 */
+			ret = krb5int_copy_data_contents(context,
+			    &ent.principal->realm, realm);
+			if (ret) {
+				krb5_kt_free_entry(context, &ent);
+				krb5_kt_end_seq_get(context, keytab, &cur);
+				return (ret);
+			}
+
+			krb5_kt_free_entry(context, &ent);
+			break;
+		}
+
+		krb5_kt_free_entry(context, &ent);
+	}
+
+	ret2 = krb5_kt_end_seq_get(context, keytab, &cur);
+
+	if (ret == KRB5_KT_END) {
+		return (KRB5_KT_NOTFOUND);
+	}
+
+	return (ret ? ret : ret2);
+}
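Review bot: inside the while loop the realm-insensitive match is done by memcpy-ing princ->realm over ent.principal->realm and restoring it afterwards, which temporarily makes the keytab entry alias the caller's realm buffer and leaves it that way if anything is ever added between the two copies that returns early. krb5_principal_compare_any_realm(context, ent.principal, princ) performs the same comparison without modifying the entry. The block comment should also state that on success the caller owns realm->data and must free it.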
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kt_solaris.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,496 @@
+/*
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+/*
+ * kt_solaris.c is to provide set of keytab interfaces contracted with SMB team.
+ */
+
+#include "k5-int.h"
+#include <errno.h>
+#include <netdb.h>
+#include <strings.h>
+#include <stdio.h>
+#include <assert.h>
+#include <ctype.h>
+#include "kt_solaris.h"
+
+#define	AES128		ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#define	AES256		ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#define	DES3		ENCTYPE_DES3_CBC_SHA1
+#define	AES_ENTRIES	2
+#define	HOST_TRUNC	15
+#define	SVC_ENTRIES	4
+
+static krb5_error_code
+k5_kt_open(krb5_context ctx, krb5_keytab *kt)
+{
+	krb5_error_code code;
+	char		buf[MAX_KEYTAB_NAME_LEN], ktstr[MAX_KEYTAB_NAME_LEN];
+
+	memset(buf, 0, sizeof (buf));
+	memset(ktstr, 0, sizeof (ktstr));
+
+	if ((code = krb5_kt_default_name(ctx, buf, sizeof (buf))) != 0)
+		return (code);
+
+	/*
+	 * The default is file type w/o the write.  If it's anything besides
+	 * FILE or WRFILE then we bail as quickly as possible.
+	 */
+	if (strncmp(buf, "FILE:", strlen("FILE:")) == 0)
+		(void) snprintf(ktstr, sizeof (ktstr), "WR%s", buf);
+	else if (strncmp(buf, "WRFILE:", strlen("WRFILE:")) == 0)
+		(void) snprintf(ktstr, sizeof (ktstr), "%s", buf);
+	else
+		return (EINVAL);
+
+	return (krb5_kt_resolve(ctx, ktstr, kt));
+}
+
+static krb5_error_code
+k5_kt_add_entry(krb5_context ctx, krb5_keytab kt, const krb5_principal princ,
+    const krb5_principal svc_princ, krb5_enctype enctype, krb5_kvno kvno,
+    const char *pw)
+{
+	krb5_keytab_entry entry;
+	krb5_data password, salt;
+	krb5_keyblock key;
+	krb5_error_code code;
+
+	memset(&entry, 0, sizeof (entry));
+	memset(&key, 0, sizeof (krb5_keyblock));
+
+	password.length = strlen(pw);
+	password.data = (char *)pw;
+
+	if ((code = krb5_principal2salt(ctx, svc_princ, &salt)) != 0) {
+		return (code);
+	}
+
+	if ((krb5_c_string_to_key(ctx, enctype, &password, &salt, &key)) != 0)
+		goto cleanup;
+
+	entry.key = key;
+	entry.vno = kvno;
+	entry.principal = princ;
+
+	code = krb5_kt_add_entry(ctx, kt, &entry);
+
+cleanup:
+
+	free(salt.data);
+	krb5_free_keyblock_contents(ctx, &key);
+
+	return (code);
+}
+
+/*
+ * krb5_error_code k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str,
+ * krb5_kvno kvno, uint_t flags, char *password)
+ *
+ * Adds keys to the keytab file for a default set of service principals for
+ * the specified host (or local host) in an Active Directory environment.
+ *
+ * where ctx is the pointer passed back from krb5_init_context
+ * where sprincs_str is an array of service principal names to be added
+ * to the keytab file, terminated by a NULL pointer
+ * where domain is the domain used to fully qualify the hostname for
+ * constructing the salt in the string-to-key function.
+ * where kvno is the key version number of the set of service principal
+ * keys to be added
+ * where flags is the set of conditions that affects the key table entries
+ * current set of defined flags:
+ *
+ * 	encryption type
+ * 	---------------
+ *  	0x00000001  K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys added)
+ *
+ * where password is the password that will be used to derive the key for
+ * the associated service principals in the keytab file
+ * where hostname is the unqualified hostname of the system that will be used to
+ * derive the key salt. If NULL is specified, this function will use the hostname
+ * of the local system.
+ *
+ * Note: this function is used for adding service principals to the
+ * local /etc/krb5/krb5.keytab (unless KRB5_KTNAME has been set to something
+ * different, see krb5envvar(5)) file when the client belongs to an AD domain.
+ * The keytab file is populated differently for an AD domain as the various
+ * service principals share the same key material, unlike MIT based
+ * implementations.
+ *
+ * Note: For encryption types; the union of the enc type flag and the
+ * capabilities of the client is used to determine the enc type set to
+ * populate the keytab file.
+ *
+ * Note: The keys are not created for any AES enctypes UNLESS the
+ * K5_KT_FLAG_AES_SUPPORT flag is set and permitted_enctypes has the AES
+ * enctypes enabled.
+ *
+ * Note: In Active Directory environments the salt is constructed by truncating
+ * the host name to 15 characters and only use the host svc princ as the salt,
+ * e.g. host/<str15>.<domain>@<realm>.  The realm name is determined by parsing
+ * sprincs_str.  The local host name to construct is determined by calling
+ * gethostname(3C).  If AD environments construct salts differently in the
+ * future or this function is expanded outside of AD environments one could
+ * derive the salt by sending an initial authentication exchange.
+ *
+ * Note: The kvno was previously determined by performing an LDAP query of the
+ * computer account's msDS-KeyVersionNumber attribute.  If the schema changes
+ * in the future or this function is expanded outside of AD environments then
+ * one could derive the principal's kvno by requesting a service ticket.
+ */
+krb5_error_code
+k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str, char *domain,
+    krb5_kvno kvno, uint_t flags, char *password, char *hostname)
+{
+	krb5_principal	princ = NULL, salt = NULL, f_princ = NULL;
+	krb5_keytab	kt = NULL;
+	krb5_enctype	*enctypes = NULL, *tenctype, penctype = 0;
+	char		**tprinc, *ptr, *token, *t_host = NULL, *realm;
+	char		localname[MAXHOSTNAMELEN];
+	krb5_error_code	code;
+	krb5_boolean	similar;
+	uint_t		t_len;
+
+	assert(ctx != NULL && sprincs_str != NULL && *sprincs_str != NULL);
+	assert(password != NULL && domain != NULL);
+
+	if ((code = krb5_parse_name(ctx, *sprincs_str, &f_princ)) != 0)
+		return (code);
+	if (krb5_princ_realm(ctx, f_princ)->length == 0) {
+		code = EINVAL;
+		goto cleanup;
+	}
+	realm = krb5_princ_realm(ctx, f_princ)->data;
+
+	if (hostname == NULL) {
+		if (gethostname(localname, MAXHOSTNAMELEN) != 0) {
+			code = errno;
+			goto cleanup;
+		}
+		token = localname;
+
+		/*
+		 * Local host name could be fully qualified and/or in upper
+		 * case, but usually and appropriately not.
+		 */
+		if ((ptr = strchr(token, '.')) != NULL)
+			ptr = '\0';
+		for (ptr = token; *ptr; ptr++)
+			*ptr = tolower(*ptr);
+	} else {
+		token = hostname;
+	}
+
+	/*
+	 * Windows servers currently truncate the host name to 15 characters
+	 * and only use the host svc princ as the salt, e.g.
+	 * host/[email protected]
+	 */
+	t_len = snprintf(NULL, 0, "host/%.*s.%[email protected]%s", HOST_TRUNC, token, domain,
+	    realm) + 1;
+	if ((t_host = malloc(t_len)) == NULL) {
+		code = ENOMEM;
+		goto cleanup;
+	}
+	(void) snprintf(t_host, t_len, "host/%.*s.%[email protected]%s", HOST_TRUNC, token,
+	    domain, realm);
+
+	if ((code = krb5_parse_name(ctx, t_host, &salt)) != 0)
+		goto cleanup;
+
+	if ((code = k5_kt_open(ctx, &kt)) != 0)
+		goto cleanup;
+
+	code = krb5_get_permitted_enctypes(ctx, &enctypes);
+	if (code != 0 || *enctypes == NULL)
+		goto cleanup;
+
+	for (tprinc = sprincs_str; *tprinc; tprinc++) {
+
+		if ((code = krb5_parse_name(ctx, *tprinc, &princ)) != 0)
+			goto cleanup;
+
+		for (tenctype = enctypes; *tenctype; tenctype++) {
+			if ((!(flags & K5_KT_FLAG_AES_SUPPORT) &&
+			    (*tenctype == AES128 || *tenctype == AES256)) ||
+			    (*tenctype == DES3)) {
+				continue;
+			}
+
+			if (penctype) {
+				code = krb5_c_enctype_compare(ctx, *tenctype,
+				    penctype, &similar);
+				if (code != 0)
+					goto cleanup;
+				else if (similar)
+					continue;
+			}
+
+			code = k5_kt_add_entry(ctx, kt, princ, salt, *tenctype,
+			    kvno, password);
+			if (code != 0)
+				goto cleanup;
+
+			penctype = *tenctype;
+		}
+
+		krb5_free_principal(ctx, princ);
+		princ = NULL;
+		penctype = NULL;
+	}
+
+cleanup:
+
+	if (f_princ != NULL)
+		krb5_free_principal(ctx, f_princ);
+	if (salt != NULL)
+		krb5_free_principal(ctx, salt);
+	if (t_host != NULL)
+		free(t_host);
+	if (kt != NULL)
+		(void) krb5_kt_close(ctx, kt);
+	if (enctypes != NULL)
+		krb5_free_enctypes(ctx, enctypes);
+	if (princ != NULL)
+		krb5_free_principal(ctx, princ);
+
+	return (code);
+}
+
+#define	PRINCIPAL	0
+#define	REALM		1
+
+static krb5_error_code
+k5_kt_remove_by_key(krb5_context ctx, char *key, uint_t type)
+{
+	krb5_error_code		code;
+	krb5_kt_cursor		cursor;
+	krb5_keytab_entry	entry;
+	krb5_keytab		kt = NULL;
+	krb5_principal		svc_princ = NULL;
+	krb5_principal_data	realm_data;
+	boolean_t		found = FALSE;
+
+	assert(ctx != NULL && key != NULL);
+
+	if (type == REALM) {
+		krb5_princ_realm(ctx, &realm_data)->length = strlen(key);
+		krb5_princ_realm(ctx, &realm_data)->data = key;
+	} else if (type == PRINCIPAL) {
+		if ((code = krb5_parse_name(ctx, key, &svc_princ)) != 0)
+			goto cleanup;
+	} else
+		return (EINVAL);
+
+	if ((code = k5_kt_open(ctx, &kt)) != 0)
+		goto cleanup;
+
+	if ((code = krb5_kt_start_seq_get(ctx, kt, &cursor)) != 0)
+		goto cleanup;
+
+	while ((code = krb5_kt_next_entry(ctx, kt, &entry, &cursor)) == 0) {
+		if (type == PRINCIPAL && krb5_principal_compare(ctx, svc_princ,
+		    entry.principal)) {
+			found = TRUE;
+		} else if (type == REALM && krb5_realm_compare(ctx, &realm_data,
+		    entry.principal)) {
+			found = TRUE;
+		}
+
+		if (found == TRUE) {
+			code = krb5_kt_end_seq_get(ctx, kt, &cursor);
+			if (code != 0) {
+				krb5_kt_free_entry(ctx, &entry);
+				goto cleanup;
+			}
+
+			code = krb5_kt_remove_entry(ctx, kt, &entry);
+			if (code != 0) {
+				krb5_kt_free_entry(ctx, &entry);
+				goto cleanup;
+			}
+
+			code = krb5_kt_start_seq_get(ctx, kt, &cursor);
+			if (code != 0) {
+				krb5_kt_free_entry(ctx, &entry);
+				goto cleanup;
+			}
+
+			found = FALSE;
+		}
+
+		krb5_kt_free_entry(ctx, &entry);
+	}
+
+	if (code && code != KRB5_KT_END)
+		goto cleanup;
+
+	code = krb5_kt_end_seq_get(ctx, kt, &cursor);
+
+cleanup:
+
+	if (svc_princ != NULL)
+		krb5_free_principal(ctx, svc_princ);
+	if (kt != NULL)
+		(void) krb5_kt_close(ctx, kt);
+
+	return (code);
+}
+
+/*
+ * krb5_error_code k5_kt_remove_by_realm(krb5_context ctx, char *realm)
+ *
+ * Removes all key entries in the keytab file that match the exact realm name
+ * specified.
+ *
+ * where ctx is the pointer passed back from krb5_init_context
+ * where realm is the realm name that is matched for any keytab entries
+ * to be removed
+ *
+ * Note: if there are no entries matching realm then 0 (success) is returned
+ */
+krb5_error_code
+k5_kt_remove_by_realm(krb5_context ctx, char *realm)
+{
+
+	return (k5_kt_remove_by_key(ctx, realm, REALM));
+}
+
+/*
+ * krb5_error_code k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str)
+ *
+ * Removes all key entries in the keytab file that match the exact service
+ * principal name specified.
+ *
+ * where ctx is the pointer passed back from krb5_init_context
+ * where sprinc_str is the service principal name that is matched for any
+ * keytab entries to be removed
+ *
+ * Note: if there are no entries matching sprinc_str then 0 (success) is
+ * returned
+ */
+krb5_error_code
+k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str)
+{
+
+	return (k5_kt_remove_by_key(ctx, sprinc_str, PRINCIPAL));
+}
+
+/*
+ * krb5_error_code k5_kt_validate(krb5_context ctx, char *sprinc_str,
+ * uint_t flags, boolean_t *valid)
+ *
+ * The validate function determines that the service principal exists and that
+ * it has a valid set of encryption types for said principal.
+ *
+ * where ctx is the pointer passed back from krb5_init_context
+ * where sprinc_str is the principal to be validated in the keytab file
+ * where flags is the set of conditions that affects the key table entries
+ * that the function considers valid
+ * 	current set of defined flags:
+ *
+ *	encryption type
+ *	---------------
+ *	0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys are
+ *		valid)
+ *
+ * where valid is a boolean that is set if the sprinc_str is correctly
+ * populated in the keytab file based on the flags set else valid is unset.
+ *
+ * Note: The validate function assumes that only one set of keys exists for
+ * a corresponding service principal, of key version number (kvno) n.  It would
+ * consider more than one kvno set as invalid.  This is from the fact that AD
+ * clients will attempt to refresh credential caches if KRB5KRB_AP_ERR_MODIFIED
+ * is returned by the acceptor when the requested kvno is not found within the
+ * keytab file.
+ */
+krb5_error_code
+k5_kt_ad_validate(krb5_context ctx, char *sprinc_str, uint_t flags,
+    boolean_t *valid)
+{
+	krb5_error_code		code;
+	krb5_kt_cursor		cursor;
+	krb5_keytab_entry	entry;
+	krb5_keytab		kt = NULL;
+	krb5_principal		svc_princ = NULL;
+	krb5_enctype		*enctypes = NULL, *tenctype, penctype = 0;
+	boolean_t		ck_aes = FALSE;
+	uint_t			aes_count = 0, kt_entries = 0;
+	krb5_boolean		similar;
+
+	assert(ctx != NULL && sprinc_str != NULL && valid != NULL);
+
+	*valid = FALSE;
+	ck_aes = flags & K5_KT_FLAG_AES_SUPPORT;
+
+	if ((code = krb5_parse_name(ctx, sprinc_str, &svc_princ)) != 0)
+		goto cleanup;
+
+	if ((code = k5_kt_open(ctx, &kt)) != 0)
+		goto cleanup;
+
+	code = krb5_get_permitted_enctypes(ctx, &enctypes);
+	if (code != 0 || *enctypes == NULL)
+		goto cleanup;
+
+	if ((code = krb5_kt_start_seq_get(ctx, kt, &cursor)) != 0)
+		goto cleanup;
+
+	while ((code = krb5_kt_next_entry(ctx, kt, &entry, &cursor)) == 0) {
+		if (krb5_principal_compare(ctx, svc_princ, entry.principal)) {
+
+			for (tenctype = enctypes; *tenctype; tenctype++) {
+				if (penctype) {
+					code = krb5_c_enctype_compare(ctx,
+					    *tenctype, penctype, &similar);
+					if (code != 0) {
+						krb5_kt_free_entry(ctx, &entry);
+						goto cleanup;
+					} else if (similar)
+						continue;
+				}
+
+				if ((*tenctype != DES3) &&
+				    (entry.key.enctype == *tenctype)) {
+					kt_entries++;
+				}
+
+				penctype = *tenctype;
+			}
+
+			if ((entry.key.enctype == AES128) ||
+			    (entry.key.enctype == AES256)) {
+				aes_count++;
+			}
+		}
+
+		krb5_kt_free_entry(ctx, &entry);
+	}
+
+	if (code && code != KRB5_KT_END)
+		goto cleanup;
+
+	if ((code = krb5_kt_end_seq_get(ctx, kt, &cursor)))
+		goto cleanup;
+
+	if (ck_aes == TRUE) {
+		if ((kt_entries != SVC_ENTRIES) || (aes_count != AES_ENTRIES))
+			goto cleanup;
+	} else if (kt_entries != (SVC_ENTRIES - AES_ENTRIES))
+		goto cleanup;
+
+	*valid = TRUE;
+
+cleanup:
+
+	if (svc_princ != NULL)
+		krb5_free_principal(ctx, svc_princ);
+	if (kt != NULL)
+		(void) krb5_kt_close(ctx, kt);
+	if (enctypes != NULL)
+		krb5_free_enctypes(ctx, enctypes);
+
+	return (code);
+}
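Review bot: two logic errors need fixing before this lands. In k5_kt_add_ad_entries the hostname truncation reads "if ((ptr = strchr(token, '.')) != NULL) ptr = '\0';", which nulls the pointer instead of the character, so a fully qualified gethostname() result is never cut at the first dot; it should be "*ptr = '\0'". In k5_kt_add_entry the return value of krb5_c_string_to_key is tested but not stored in code, so a key-derivation failure jumps to cleanup and returns the 0 left by krb5_principal2salt, reporting success with no entry written; assign the result to code. Smaller points: penctype is a krb5_enctype yet is reset with "penctype = NULL", and enctypes is tested with "*enctypes == NULL", where both should use 0; gethostname(localname, MAXHOSTNAMELEN) is not guaranteed to NUL-terminate on truncation; the loops in k5_kt_remove_by_key and k5_kt_ad_validate jump to cleanup on some errors without calling krb5_kt_end_seq_get; and the block comments name k5_kt_validate rather than k5_kt_ad_validate and omit the domain and hostname parameters from the k5_kt_add_ad_entries signature.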
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/kt_solaris.h	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+/*
+ * Solaris Kerberos
+ * This is a private header file, therefore the interfaces that this file
+ * declares are subject to change without prior notice.
+ */
+
+#ifndef	_KT_SOLARIS_H
+#define	_KT_SOLARIS_H
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#define	K5_KT_FLAG_AES_SUPPORT	1
+
+krb5_error_code k5_kt_add_ad_entries(krb5_context, char **, char *, krb5_kvno,
+    uint_t, char *, char *);
+
+krb5_error_code k5_kt_remove_by_realm(krb5_context, char *);
+
+krb5_error_code k5_kt_remove_by_svcprinc(krb5_context, char *);
+
+krb5_error_code k5_kt_ad_validate(krb5_context, char *, uint_t, boolean_t *);
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif /* _KT_SOLARIS_H */
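Review bot: the prototypes use krb5_error_code, krb5_context, krb5_kvno, uint_t and boolean_t, but the header includes nothing, so it only compiles when the includer has already pulled in the Kerberos and system type headers (kt_solaris.c includes k5-int.h first). Include the headers that define those types here. Also give the parameters names in the prototypes: k5_kt_add_ad_entries takes seven positional arguments ending in an adjacent "char *, char *" pair, which is easy to pass in the wrong order.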
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/libgss.mapfile-vers	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,155 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+$mapfile_version 2
+
+STUB_OBJECT;
+SYMBOL_VERSION SUNWpublic {
+    global:
+	gss_get_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_acquire_cred_impersonate_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_set_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gssspi_mech_invoke { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_delete_name_attribute { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+} SUNW_1.3;
+
+SYMBOL_VERSION SUNW_1.3 {
+    global:
+	gss_add_buffer_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	GSS_C_INQ_SSPI_SESSION_KEY	{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	gss_create_empty_buffer_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_sec_context_by_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_buffer_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+} SUNW_1.2;
+
+SYMBOL_VERSION SUNW_1.2 {
+    global:
+	gss_accept_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_acquire_cred_with_password { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_acquire_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_add_cred_with_password { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_add_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_add_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	GSS_C_NT_ANONYMOUS		{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	GSS_C_NT_EXPORT_NAME		{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	GSS_C_NT_HOSTBASED_SERVICE	{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	GSS_C_NT_MACHINE_UID_NAME	{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	GSS_C_NT_STRING_UID_NAME	{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	GSS_C_NT_USER_NAME		{ TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+	gss_canonicalize_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_compare_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_context_time { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_create_empty_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_delete_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_display_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_display_status { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_duplicate_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_export_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_export_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_get_mic { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_import_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_import_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_indicate_mechs { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_init_sec_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_context { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_cred_by_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_mechs_for_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_inquire_names_for_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_process_context_token { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_buffer { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_name { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_release_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_seal { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_sign { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_store_cred { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_test_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_unseal { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_unwrap { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_verify_mic { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_verify { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_wrap_size_limit { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+	gss_wrap { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+} SUNW_1.1;
+
+# Due to mistakes made early in the history of this library, there are
+# no SUNW_1.1 symbols, but the version is now kept as a placeholder.
+# Don't add any symbols to this version.
+
+SYMBOL_VERSION SUNW_1.1 {
+    global:
+	SUNW_1.1;
+};
+
+SYMBOL_VERSION SUNWprivate_1.1 {
+    global:
+        __gss_get_kmodName;
+        gssint_get_kmodName { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_get_mech_info;
+        gssint_get_mech_info { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_get_mech_type;
+        gssint_get_mech_type { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_get_mechanism;
+        gssint_get_mechanism { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_get_mechanisms;
+        gssint_get_mechanisms { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_get_modOptions;
+        gssint_get_modOptions { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_mech_to_oid;
+        gssint_mech_to_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_num_to_qop;
+        gssint_num_to_qop { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_oid_to_mech;
+        gssint_oid_to_mech { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_qop_to_num;
+        gssint_qop_to_num { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        __gss_userok;
+        gss_authorize_localname { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        der_length_size;
+        gssint_der_length_size { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        generic_gss_copy_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        generic_gss_release_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        get_der_length;
+        gssint_get_der_length { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        gss_get_group_info { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gss_nt_exported_name { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+        gss_nt_service_name { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+        gss_nt_service_name_v2 { TYPE = DATA; FILTER = libgssapi_krb5.so.2.2; SIZE = addrsize };
+        gss_oid_to_str { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        gss_str_to_oid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        gsscred_expname_to_unix_cred_ext { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gsscred_expname_to_unix_cred { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gsscred_name_to_unix_cred_ext { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gsscred_name_to_unix_cred { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gsscred_set_options { TYPE = FUNCTION; FILTER = libgsscred.so.1 };
+        gssint_copy_oid_set { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        put_der_length;
+        gssint_put_der_length { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        generic_gss_add_oid_set_member { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        gss_pname_to_uid { TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+    local:
+	*;
+};
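Review bot: In SUNWprivate_1.1 the bare entries (`__gss_get_kmodName;`, `__gss_userok;`, `der_length_size;`, `get_der_length;`, `put_der_length;` and the other `__gss_*` names) carry no TYPE or FILTER, unlike every line around them, and nothing in the file says why. They look like the names implemented locally by the wrappers in libgss_stubs.c, each listed directly above the `gssint_*` (or `gss_authorize_localname`) symbol it forwards to. A short comment stating that would keep a later editor from adding a FILTER to them and turning the wrapper into a dangling filter entry. The filtee names `libgssapi_krb5.so.2.2` and `libgsscred.so.1` are also repeated on every line, so a note near the top that they must all change together when the filtee file name changes would help. Minor: this block is indented with eight spaces while the SUNW_1.x blocks use tabs.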
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/libgss_stubs.c	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include "mglueP.h"
+
+OM_uint32
+__gss_mech_to_oid(const char *mechStr, gss_OID* oid) {
+	return (gssint_mech_to_oid(mechStr, oid));
+}
+
+const char *
+__gss_oid_to_mech(const gss_OID oid) {
+	return (gssint_oid_to_mech(oid));
+}
+
+OM_uint32
+__gss_get_mechanisms(char *mechArray[], int arrayLen) {
+	return (gssint_get_mechanisms(mechArray, arrayLen));
+}
+
+char *
+__gss_get_kmodName(const gss_OID oid) {
+	return (gssint_get_kmodName(oid));
+}
+
+gss_mechanism
+__gss_get_mechanism(const gss_OID oid) {
+	return (gssint_get_mechanism(oid));
+}
+
+char *
+__gss_get_modOptions(const gss_OID oid) {
+	return (gssint_get_modOptions(oid));
+}
+
+OM_uint32
+__gss_get_mech_type(gss_OID OID, gss_buffer_t token) {
+	return (gssint_get_mech_type(OID, token));
+}
+
+unsigned int
+der_length_size(unsigned int len) {
+	return (gssint_der_length_size(len));
+}
+
+int
+get_der_length(unsigned char **buf, unsigned int buf_len, unsigned int *bytes) {
+	return (gssint_get_der_length(buf, buf_len, bytes));
+}
+
+int
+put_der_length(unsigned int length, unsigned char **buf, unsigned int max_len) {
+	return (gssint_put_der_length(length, buf, max_len));
+}
+
+OM_uint32
+__gss_get_mech_info(char *mech, char **qops) {
+	return (gssint_get_mech_info(mech, qops));
+}
+
+OM_uint32
+__gss_num_to_qop(char *mech, OM_uint32 num, char **qop) {
+	return (gssint_num_to_qop(mech, num, qop));
+}
+
+OM_uint32
+__gss_qop_to_num(char *qop, char *mech, OM_uint32 *num) {
+	return (gssint_qop_to_num(qop, mech, num));
+}
+
+/*
+ * Wrapper __gss_userok -> gss_authorize_localname
+ */
+OM_uint32
+__gss_userok(OM_uint32 *minor, const gss_name_t name, const char *user,
+	    int *user_ok) {
+	OM_uint32 ret, dummy_minor;
+	gss_buffer_desc user_buf;
+	gss_name_t user_name;
+
+	*user_ok = 0;
+
+	user_buf.value = (void *)user;
+	user_buf.length = strlen(user);
+
+	ret = gss_import_name(minor, &user_buf, GSS_C_NT_USER_NAME, &user_name);
+	if (GSS_ERROR(ret))
+		return (ret);
+
+	ret = gss_authorize_localname(minor, name, user_name);
+	if (ret == GSS_S_COMPLETE)
+		*user_ok = 1;
+
+	(void) gss_release_name(&dummy_minor, &user_name);
+
+	return (ret);
+}
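Review bot: `__gss_userok` writes `*user_ok = 0` and calls `strlen(user)` before checking either pointer, so a NULL `user` or `user_ok` from a legacy caller crashes inside an authorization check instead of returning a GSS status. Consider guarding both at the top and returning `GSS_S_CALL_INACCESSIBLE_READ` or `GSS_S_CALL_INACCESSIBLE_WRITE`. Setting `*user_ok = 0` before any work is the right fail-closed default and should stay. Two smaller points: `strlen()` is used with only `mglueP.h` included, so add `<string.h>` explicitly unless that header is known to provide it, and the file would benefit from a header comment saying these are compatibility wrappers that keep the old Solaris private names alive on top of the MIT `gssint_*` functions, since only `__gss_userok` has any comment at all.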
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,48 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+$mapfile_version 2
+
+STUB_OBJECT;
+SYMBOL_VERSION SUNWprivate_1.1 {
+    global:
+	free_srv_names	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_destroy	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+
+    local:
+	*;
+};
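Review bot: This mapfile has no comment explaining what the filter is for or who consumes it, unlike libkrb5.mapfile-vers, which states that it exists to satisfy Kerberos consumers remaining in ON. A matching comment here should say that every symbol is forwarded to `libkadm5clnt_mit.so.9.0` and that the list is limited to what existing consumers need. `free_srv_names` is also an unprefixed, generic name exported as a global; if it has to stay for compatibility, a one-line comment saying so would make that deliberate rather than accidental. The blank line before `local:` can go.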
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/libkrb5.mapfile-vers	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,388 @@
+#
+# Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+#
+
+$mapfile_version 2
+
+STUB_OBJECT;
+
+#
+# This is a mapfile that defines a filter over multiple MIT kerberos libraries so 
+# that the filter library can provide all the dependencies needed by kerberos 
+# related components staying in ON.
+#
+# New functions can be added as needed.
+#
+
+SYMBOL_VERSION SUNWprivate {
+    global:
+
+        krb5_os_init_context;
+        krb5_privacy_allowed;
+        mit_des_fixup_key_parity;
+        com_err			{ TYPE = FUNCTION; FILTER = libcom_err.so.3.0 };
+        com_err_va		{ TYPE = FUNCTION; FILTER = libcom_err.so.3.0 };
+        error_message		{ TYPE = FUNCTION; FILTER = libcom_err.so.3.0 };
+        krb5_c_encrypt		{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_decrypt		{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_encrypt_length	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_block_size	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_init_state	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_free_state	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_make_random_key	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_random_make_octets { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_string_to_key	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_string_to_key_with_params {
+		TYPE = FUNCTION;
+		FILTER = libk5crypto.so.3.1;
+	};
+        krb5_c_enctype_compare	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_make_checksum	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_verify_checksum	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_checksum_length	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_keyed_checksum_types { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_valid_enctype	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_valid_cksumtype	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_is_coll_proof_cksum { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_c_is_keyed_cksum	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_cc_gen_new		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_initialize	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_destroy		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_close		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_store_cred	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_retrieve_cred	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_get_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_get_principal	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_start_seq_get	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_next_cred	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_end_seq_get	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_remove_cred	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_set_flags	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_get_type	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_get_type	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_get_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_close		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_get_entry	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_start_seq_get	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_next_entry	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_end_seq_get	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_init_context	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_init_secure_context { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_context	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_default_tgs_enctypes {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_permitted_enctypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_is_thread_safe	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_tgt_creds	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_credentials	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_credentials_validate {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_credentials_renew { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_req		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_req_extended	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_rep		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_rep		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_error		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_error		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_safe		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_priv		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_parse_name		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_unparse_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_unparse_name_ext	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_principal_realm { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_address_search	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_address_compare	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_address_order	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_realm_compare	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_principal_compare	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_init_keyblock	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_keyblock	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_keyblock_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_creds		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_data		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_principal	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_addresses	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_ticket	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_authdata	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_authenticator	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_copy_checksum	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_server_rcache	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_build_principal_ext { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_build_principal	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_resolve		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_default_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_default		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_keytab_entry_contents	{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_kt_remove_entry	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_add_entry	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_principal2salt	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_resolve		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_default_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_set_default_name { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_default		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cc_copy_creds	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_principal	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_authenticator	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_addresses	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_authdata	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_ticket	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_error		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_creds		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_cred_contents	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_checksum	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_checksum_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_keyblock	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_keyblock_contents { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_ap_rep_enc_part { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_data		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_data_contents	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_unparsed_name	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_cksumtypes	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_us_timeofday	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_timeofday		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_os_localaddr	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_default_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_default_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_default_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_sname_to_principal	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_change_password	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_password	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_password_using_ccache {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_profile	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_req		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kt_read_service_key { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_safe		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_priv		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_sendauth		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_recvauth		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_recvauth_version	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_ncred		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_mk_1cred		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rd_cred		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_fwd_tgt_creds	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_init	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_free	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_setflags	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getflags	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_set_checksum_func	{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_auth_con_get_checksum_func	{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	 };
+        krb5_auth_con_setaddrs	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getaddrs	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_setports	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_setuseruserkey {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_auth_con_getkey	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getsendsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getrecvsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_setsendsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_setrecvsubkey { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getlocalseqnumber	{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_auth_con_getremoteseqnumber {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_auth_con_setrcache	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getrcache	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_getauthenticator {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_read_password	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_aname_to_localname	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_host_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_free_host_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_kuserok		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_auth_con_genaddrs	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_real_time	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_string_to_enctype	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_string_to_salttype	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_string_to_cksumtype { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_string_to_timestamp { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_string_to_deltat	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_enctype_to_string	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_salttype_to_string	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_cksumtype_to_string { TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_timestamp_to_string { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_timestamp_to_sfstring { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_deltat_to_string	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_prompter_posix	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_init_creds_opt_init {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_tkt_life {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_renew_life {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_forwardable {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_proxiable {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_etype_list {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_address_list { 
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_preauth_list {
+		TYPE = FUNCTION; 
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_opt_set_salt {
+		TYPE = FUNCTION;
+		 FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_password { 
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_init_creds_keytab { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_verify_init_creds_opt_init	{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_verify_init_creds_opt_set_ap_req_nofail {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_verify_init_creds	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_validated_creds { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_renewed_creds	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_decode_ticket	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_appdefault_string	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_appdefault_boolean	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_get_prompt_types	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_string_to_key	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_use_enctype	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_pac_add_buffer	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_free		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_get_buffer	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_get_types	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_init		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_parse		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_pac_verify		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_decode_authdata_container {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+	krb5_encode_authdata_container {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        kwarn_del_warning	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        kwarn_add_warning	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_is_config_principal {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_get_tgs_ktypes	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        profile_get_options_boolean {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_read_message	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_os_init_context	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_write_message	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_config_files	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        profile_get_options_string {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+        krb5_net_read		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_set_error_message	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        krb5_rc_close		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_des_fixup_key_parity{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        k5_profile_add_realm_entry	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_profile_validate	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_profile_remove_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_profile_set_libdefaults	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_kt_remove_by_svcprinc	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_kt_remove_by_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_kt_add_ad_entries	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_kt_ad_validate	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_profile_get_default_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        k5_profile_validate_get_error_msg	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+        gsskrb5_extract_authz_data_from_sec_context	{ TYPE = FUNCTION; FILTER = libgssapi_krb5.so.2.2 };
+        krb5_string_to_key	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+        krb5_use_enctype	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+	krb5_checksum_size	{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+	krb5_kt_free_entry 	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_auth_con_getlocalsubkey {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+	krb5_auth_con_getremotesubkey { 
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+	krb5_set_default_tgs_ktypes { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_enctypes	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_ap_req	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_ap_rep	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_cred		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_decrypt_tkt_part	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_get_error_message	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_error_message	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_clear_error_message { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	valid_cksumtype		{ TYPE = FUNCTION; FILTER = libk5crypto.so.3.1 };
+	decode_krb5_ap_req	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	encode_krb5_ap_req	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_rc_get_lifespan	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_rc_initialize	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_rc_default		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_rc_destroy		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_auth_con_set_req_cksumtype{
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+	k5_profile_abandon	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	k5_profile_init		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	k5_profile_add_domain_mapping {
+		TYPE = FUNCTION;
+		FILTER = libkrb5.so.3.3;
+	};
+	k5_profile_release	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_rc_destroy		{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	profile_free_list	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	k5_profile_add_realm	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	get_expiry_times	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	k5_get_init_creds_password { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_free_kdc_rep	{ TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_get_init_creds_opt_alloc { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_get_init_creds_opt_free { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+	krb5_get_init_creds_opt_set_pa { TYPE = FUNCTION; FILTER = libkrb5.so.3.3 };
+
+    local:
+	*;
+};
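Review bot: Several symbols are declared twice in the SUNWprivate block: `krb5_string_to_key` and `krb5_use_enctype` each appear once after `krb5_get_prompt_types` and again after `gsskrb5_extract_authz_data_from_sec_context`, and `krb5_rc_destroy` appears both before `krb5_auth_con_set_req_cksumtype` and after `k5_profile_release`. The repeats happen to agree today, but a later edit to one copy and not the other would leave conflicting definitions, so drop the second occurrence of each. The first three entries (`krb5_os_init_context;`, `krb5_privacy_allowed;`, `mit_des_fixup_key_parity;`) have no TYPE or FILTER and no comment saying where they are implemented; please document that, as the header comment only describes the filtered symbols. Style: `k5_des_fixup_key_parity{` and `krb5_auth_con_set_req_cksumtype{` are missing the space before the brace, and the block mixes tab and eight-space indentation.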
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_accept_sec_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,503 @@
+'\" te
+.\" Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+.TH gss_accept_sec_context 3GSS "22 May 2006" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_accept_sec_context \- accept a security context initiated by a peer application
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lgss\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_accept_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,
+     \fBconst gss_cred_id_t\fR \fIacceptor_cred_handle\fR,
+     \fBconst gss_buffer_t\fR \fIinput_token\fR,
+     \fBconst gss_channel_bindings_t\fR \fIinput_chan_bindings\fR,
+     \fBconst gss_name_t *\fR \fIsrc_name\fR, \fBgss_OID *\fR \fImech_type\fR,
+     \fBgss_buffer_t\fR \fIoutput_token\fR, \fBOM_uint32 *\fR\fIret_flags\fR,
+     \fBOM_uint32 *\fR \fItime_rec\fR, \fBgss_cred_id_t *\fR\fIdelegated_cred_handle\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_accept_sec_context()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.sp .6
+.RS 4n
+The status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.sp .6
+.RS 4n
+The context handle to return to the initiator. This should be set to \fBGSS_C_NO_CONTEXT\fR before the loop begins.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIacceptor_cred_handle\fR\fR
+.ad
+.sp .6
+.RS 4n
+The handle for the credentials acquired by the acceptor, typically through \fBgss_acquire_cred()\fR. It may be initialized to \fBGSS_C_NO_CREDENTIAL\fR to indicate a default credential to use. If no default credential is defined, the function returns \fBGSS_C_NO_CRED\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_token_buffer\fR\fR
+.ad
+.sp .6
+.RS 4n
+Token received from the context initiative.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_chan_bindings\fR\fR
+.ad
+.sp .6
+.RS 4n
+Optional application-specified bindings. Allows application to securely bind channel identification information to the security context. Set to \fBGSS_C_NO_CHANNEL_BINDINGS\fR if you do not want to use channel bindings.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIsrc_name\fR\fR
+.ad
+.sp .6
+.RS 4n
+The authenticated name of the context initiator. After use, this name should be deallocated by passing it to \fBgss_release_name()\fR. See \fBgss_release_name\fR(3GSS). If not required, specify \fBNULL\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.sp .6
+.RS 4n
+The security mechanism used. Set to \fBNULL\fR if it does not matter which mechanism is used.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_token\fR\fR
+.ad
+.sp .6
+.RS 4n
+The token to send to the acceptor. Initialize it to \fBGSS_C_NO_BUFFER\fR before the function is called (or its length field set to zero). If the length is zero, no token need be sent.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIret_flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+Contains various independent flags, each of which indicates that the context supports a specific service option. If not needed, specify \fBNULL\fR. Test the returned bit-mask \fIret_flags\fR value against its symbolic name to determine if the given option is supported by the context. \fIret_flags\fR may contain one of the following values: 
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_DELEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, delegated credentials are available by means of the \fIdelegated_cred_handle\fR parameter. If false, no credentials were delegated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_MUTUAL_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, a remote peer asked for mutual authentication. If false, no remote peer asked for mutual authentication.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_REPLAY_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, replay of protected messages will be detected. If false, replayed messages will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, out of sequence protected messages will be detected. If false, they will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_CONF_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, confidentiality service may be invoked by calling the \fBgss_wrap()\fR routine. If false, no confidentiality service is available by means of \fBgss_wrap()\fR. \fBgss_wrap()\fR will provide message encapsulation, data-origin authentication and integrity services only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_INTEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, integrity service may be invoked by calling either the \fBgss_get_mic\fR(3GSS) or the \fBgss_wrap\fR(3GSS) routine. If false, per-message integrity service is not available.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_ANON_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the initiator does not wish to be authenticated. The \fIsrc_name\fR parameter, if requested, contains an anonymous internal name. If false, the initiator has been authenticated normally.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_PROT_READY_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the protection services specified by the states of \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR are available if the accompanying major status return value is either \fBGSS_S_COMPLETE\fR or \fBGSS_S_CONTINUE_NEEDED\fR. If false, the protection services are available only if the accompanying major status return value is \fBGSS_S_COMPLETE\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_TRANS_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the resultant security context may be transferred to other processes by means of a call to \fBgss_export_sec_context\fR(3GSS). If false, the security context cannot be transferred.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_rec\fR\fR
+.ad
+.sp .6
+.RS 4n
+The number of sections for which the context will remain valid. Specify \fBNULL\fR if not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdelegated_cred_handle\fR\fR
+.ad
+.sp .6
+.RS 4n
+The credential value for credentials received from the context's initiator. It is valid only if the initiator has requested that the acceptor act as a proxy: that is, if the \fIret_flag\fR argument resolves to \fBGSS_C_DELEG_FLAG\fR.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_accept_sec_context()\fR function allows a remotely initiated security context between the application and a remote peer to be established. The routine may return an \fIoutput_token\fR, which should be transferred to the peer application, where the peer application will present it to \fBgss_init_sec_context()\fR. See \fBgss_init_sec_context\fR(3GSS). If no token need be sent, \fBgss_accept_sec_context()\fR will indicate this by setting the length field of the \fIoutput_token\fR argument to zero. To complete the context establishment, one or more reply tokens may be required from the peer application; if so, \fBgss_accept_sec_context()\fR will return a status flag of \fBGSS_S_CONTINUE_NEEDED\fR, in which case it should be called again when the reply token is received from the peer application, passing the token to \fBgss_accept_sec_context()\fR by means of the \fIinput_token\fR parameters.
+.sp
+.LP
+Portable applications should be constructed to use the token length and return status to determine whether to send or to wait for a token.
+.sp
+.LP
+Whenever \fBgss_accept_sec_context()\fR returns a major status that includes the value \fBGSS_S_CONTINUE_NEEDED\fR, the context is not fully established, and the following restrictions apply to the output parameters:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The value returned by means of the \fItime_rec\fR parameter is undefined.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Unless the accompanying \fIret_flags\fR parameter contains the bit \fBGSS_C_PROT_READY_FLAG\fR, which indicates that per-message services may be applied in advance of a successful completion status, the value returned by the \fImech_type\fR parameter may be undefined until \fBgss_accept_sec_context()\fR returns a major status value of \fBGSS_S_COMPLETE\fR.
+.RE
+.sp
+.LP
+The values of the \fBGSS_C_DELEG_FLAG\fR, \fBGSS_C_MUTUAL_FLAG\fR, \fBGSS_C_REPLAY_FLAG\fR, \fBGSS_C_SEQUENCE_FLAG\fR, \fBGSS_C_CONF_FLAG\fR, \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_ANON_FLAG\fR bits returned by means of the \fIret_flags\fR parameter are values that would be valid if context establishment were to succeed. 
+.sp
+.LP
+The values of the \fBGSS_C_PROT_READY_FLAG\fR and \fBGSS_C_TRANS_FLAG\fR bits within \fIret_flags\fR indicate the actual state at the time \fBgss_accept_sec_context()\fR returns, whether or not the context is fully established. However, applications should not rely on this behavior, as \fBGSS_C_PROT_READY_FLAG\fR was not defined in Version 1 of the \fBGSS-API\fR. Instead, applications should be prepared to use per-message services after a successful context establishment, based upon the \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_CONF_FLAG\fR values.
+.sp
+.LP
+All other bits within the \fIret_flags\fR argument are set to zero.
+.sp
+.LP
+While \fBgss_accept_sec_context()\fR returns \fBGSS_S_CONTINUE_NEEDED\fR, the values returned by means of the the \fIret_flags\fR argument indicate the services available from the established context. If the initial call of \fBgss_accept_sec_context()\fR fails, no context object is created, and the value of the \fIcontext_handle\fR parameter is set to \fBGSS_C_NO_CONTEXT\fR. In the event of a failure on a subsequent call, the security context and the \fIcontext_handle\fR parameter are left untouched for the application to delete using \fBgss_delete_sec_context\fR(3GSS). During context establishment, the informational status bits \fBGSS_S_OLD_TOKEN\fR and \fBGSS_S_DUPLICATE_TOKEN\fR indicate fatal errors; \fBGSS-API\fR mechanisms always return them in association with a  routine error of \fBGSS_S_FAILURE\fR. This pairing requirement did not exist in version 1 of the \fBGSS-API\fR specification, so applications that wish to run over version 1 implementations must special-case these codes.
+.SH ERRORS
+.sp
+.LP
+\fBgss_accept_sec_context()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 30n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTINUE_NEEDED\fR\fR
+.ad
+.RS 30n
+.rt  
+A token from the peer application is required to complete the context, and that \fBgss_accept_sec_context()\fR must be called again with that token.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.RS 30n
+.rt  
+Consistency checks performed on the \fIinput_token\fR failed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR
+.ad
+.RS 30n
+.rt  
+Consistency checks performed on the credential failed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The supplied credentials were not valid for context acceptance, or the credential handle did not reference any credentials.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_BINDINGS\fR\fR
+.ad
+.RS 30n
+.rt  
+The \fIinput_token\fR contains different channel bindings than those specified by means of the \fIinput_chan_bindings\fR parameter.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 30n
+.rt  
+The supplied context handle did not refer to a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_SIG\fR\fR
+.ad
+.RS 30n
+.rt  
+The \fIinput_token\fR contains an invalid \fBMIC\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_OLD_TOKEN\fR\fR
+.ad
+.RS 30n
+.rt  
+The \fIinput_token\fR was too old. This is a fatal error while establishing context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR
+.ad
+.RS 30n
+.rt  
+The \fIinput_token\fR is valid, but it is duplicate of a token already processed. This is a fatal error while establishing context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 30n
+.rt  
+The token received specified a mechanism that is not supported by the implementation or the provided credential.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 30n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH EXAMPLES
+.LP
+\fBExample 1 \fRInvoking \fBgss_accept_sec_context()\fR Within a Loop
+.sp
+.LP
+A typical portable caller should always invoke \fBgss_accept_sec_context()\fR within a loop:
+
+.sp
+.in +2
+.nf
+gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+
+do {
+   receive_token_from_peer(input_token);
+   maj_stat = gss_accept_sec_context(&min_stat,
+                                     &context_hdl,
+                                     cred_hdl,
+                                     input_token,
+                                     input_bindings,
+                                     &client_name,
+                                     &mech_type,
+                                     output_token,
+                                     &ret_flags,
+                                     &time_rec,
+                                     &deleg_cred);
+   if (GSS_ERROR(maj_stat)) {
+      report_error(maj_stat, min_stat);
+   };
+   if (output_token->length != 0) {
+      send_token_to_peer(output_token);
+      gss_release_buffer(&min_stat, output_token);
+   };
+   if (GSS_ERROR(maj_stat)) {
+      if (context_hdl != GSS_C_NO_CONTEXT)
+         gss_delete_sec_context(&min_stat,
+                                &context_hdl,
+                                GSS_C_NO_BUFFER);
+      break;
+   };
+} while (maj_stat & GSS_S_CONTINUE_NEEDED);
+
+/* Check client_name authorization */
+\&...
+
+(void) gss_release_name(&min_stat, &client_name);
+
+/* Use and/or store delegated credential */
+\&...
+
+(void) gss_release_cred(&min_stat, &deleg_cred);
+.fi
+.in -2
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_get_mic\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_name\fR(3GSS), \fBgss_store_cred\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
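Review bot: In Example 1, a failed call breaks out of the do/while loop and execution then falls straight through to the "Check client_name authorization" and "Use and/or store delegated credential" steps, so code copied from the example would run its authorization and release logic on client_name and deleg_cred after an error. Guard the post-loop code with a check such as `if (!GSS_ERROR(maj_stat))`, or leave the function from the error branch, and say that deleg_cred is only meaningful when ret_flags has GSS_C_DELEG_FLAG set. The PARAMETERS text also has several slips to fix: the entry is headed input_token_buffer while the SYNOPSIS names the argument input_token; "Token received from the context initiative" should read "initiator"; output_token is described as "The token to send to the acceptor" although this routine is the acceptor; time_rec says "number of sections" where seconds are meant; acceptor_cred_handle says the function returns GSS_C_NO_CRED while the ERRORS section lists GSS_S_NO_CRED; delegated_cred_handle refers to ret_flag rather than ret_flags; and the last DESCRIPTION paragraph has "the the".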
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_acquire_cred.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,231 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_acquire_cred 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_acquire_cred \- acquire a handle for a pre-existing credential by name
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_acquire_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIdesired_name\fR, \fBOM_uint32\fR \fItime_req\fR,
+     \fBconst gss_OID_set\fR \fIdesired_mech\fR, \fBgss_cred_usage_t\fR \fIcred_usage\fR,
+     \fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR, \fBgss_OID_set *\fR\fIactual_mechs\fR,
+     \fBOM_uint32 *\fR\fItime_rec\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_acquire_cred()\fR function allows an application to acquire a handle for a pre-existing credential by name. This routine is not intended as a function to login to the network; a function for login to the network would involve creating new credentials rather than merely acquiring a handle to existing credentials.
+.sp
+.LP
+If \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is interpreted as a request for a credential handle that will invoke default behavior when passed to \fBgss_init_sec_context\fR(3GSS) (if \fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR) or \fBgss_accept_sec_context\fR(3GSS) (if \fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR). 
+.sp
+.LP
+Normally \fBgss_acquire_cred()\fR returns a credential that is valid only for the mechanisms requested by the \fIdesired_mechs\fR argument. However, if multiple mechanisms can share a single credential element, the function returns all the mechanisms for which the credential is valid in the \fIactual_mechs\fR argument.
+.sp
+.LP
+\fBgss_acquire_cred()\fR is intended to be used primarily by context  acceptors, since the \fBGSS-API\fR routines obtain initiator credentials through the system login process. Accordingly, you may not acquire \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred()\fR for any name other than \fBGSS_C_NO_NAME\fR. Alternatively, you may acquire \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials for a name produced when \fBgss_inquire_cred\fR(3GSS) is applied to a valid credential, or when \fBgss_inquire_context\fR(3GSS) is applied to an active context. 
+.sp
+.LP
+If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required, for example, by \fBgss_init_sec_context\fR(3GSS) or by \fBgss_accept_sec_context\fR(3GSS).  Such mechanism-specific implementations are, however, invisible to the calling application; thus a call of \fBgss_inquire_cred\fR(3GSS) immediately following the call of \fBgss_acquire_cred()\fR will return valid credential data and incur the overhead of a deferred credential acquisition.  
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_acquire_cred()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdesired_name\fR\fR
+.ad
+.RS 22n
+.rt  
+The name of the principal for which a credential should be acquired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_req\fR\fR
+.ad
+.RS 22n
+.rt  
+The number of seconds that credentials remain valid. Specify \fBGSS_C_INDEFINITE\fR  to request that the credentials have the maximum permitted lifetime
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdesired_mechs\fR\fR
+.ad
+.RS 22n
+.rt  
+The set of underlying security mechanisms that may be used.  \fBGSS_C_NO_OID_SET\fR may be used to obtain a default.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage\fR\fR
+.ad
+.RS 22n
+.rt  
+A flag that indicates how this credential should be used. If the flag is \fBGSS_C_ACCEPT\fR, then credentials will be used only to accept security credentials. \fBGSS_C_INITIATE\fR indicates that credentials will be used only to initiate security credentials. If the flag is \fBGSS_C_BOTH\fR, then credentials may be used either to initiate or accept security contexts. 
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_cred_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+The returned credential handle.  Resources associated with this credential handle must be released by the application after use with a call to \fBgss_release_cred\fR(3GSS)
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIactual_mechs\fR\fR
+.ad
+.RS 22n
+.rt  
+The set of mechanisms for which the credential is valid.  Storage associated with the returned \fBOID\fR-set must be released by the application after use with a call to  \fBgss_release_oid_set\fR(3GSS).  Specify \fBNULL\fR if not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_rec\fR\fR
+.ad
+.RS 22n
+.rt  
+Actual number of seconds for which the returned credentials will remain valid. Specify \fBNULL\fR if not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+Mechanism specific status code.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_acquire_cred()\fR may return the following status code:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 29n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 29n
+.rt  
+An unavailable mechanism has been requested.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 29n
+.rt  
+The type contained within the \fIdesired_name\fR parameter is not supported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 29n
+.rt  
+The value supplied for \fIdesired_name\fR parameter is ill formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.RS 29n
+.rt  
+The credentials could not be acquired because they have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 29n
+.rt  
+No credentials were found for the specified name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 29n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
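Review bot: The SYNOPSIS declares the mechanism-set argument as desired_mech, but the DESCRIPTION and the PARAMETERS entry both call it desired_mechs; use one spelling (desired_mechs matches the gss_OID_set type) so the parameter can be found from the prototype. In the cred_usage entry, "accept security credentials" and "initiate security credentials" should say "security contexts", as the GSS_C_BOTH sentence in the same paragraph already does. Minor: the time_req and output_cred_handle entries are missing their final period, and the ERRORS lead-in says "the following status code" although several codes follow.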
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_add_cred.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,307 @@
+'\" te
+.\" Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH gss_add_cred 3GSS "30 Jun 2005" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_add_cred \- add a credential-element to a credential
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ]
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_add_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_cred_id_t\fR \fIinput_cred_handle\fR,
+     \fBconst gss_name_t\fR \fIdesired_name\fR,
+     \fBconst gss_OID\fR \fIdesired_mech\fR,
+     \fBgss_cred_usage_t\fR \fIcred_usage\fR,
+     \fBOM_uint32\fR \fIinitiator_time_req\fR,
+     \fBOM_uint32\fR \fIacceptor_time_req\fR,
+     \fBgss_cred_id_t *\fR\fIoutput_cred_handle\fR,
+     \fBgss_OID_set *\fR\fIactual_mechs\fR,
+     \fBOM_uint32 *\fR\fIinitiator_time_rec\fR,
+     \fBOM_uint32 *\fR\fIacceptor_time_rec\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_add_cred()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+Mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_cred_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+Credential to which the credential-element is added. If \fBGSS_C_NO_CREDENTIAL\fR is specified, the function composes the new credential based on default behavior. While the credential-handle is not modified by \fBgss_add_cred()\fR, the underlying credential is modified if \fIoutput_credential_handle\fR is \fBNULL\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdesired_name\fR\fR
+.ad
+.RS 22n
+.rt  
+Name of the principal for which a credential should be acquired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdesired_mech\fR\fR
+.ad
+.RS 22n
+.rt  
+Underlying security mechanism with which the credential can be used. GSS_C_NULL_OID can be used to obtain a default.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage\fR\fR
+.ad
+.RS 22n
+.rt  
+Flag that indicates how a credential is used to initiate or accept security credentials. If the flag is \fBGSS_C_ACCEPT\fR, the credentials are used only to accept security credentials. If the flag is \fBGSS_C_INITIATE\fR, the credentials are used only to initiate security credentials. If the flag is GSS_C_BOTH, the credentials can be used to either initiate or accept security contexts.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinitiator_time_req\fR\fR
+.ad
+.RS 22n
+.rt  
+Number of seconds that the credential may remain valid for initiating security contexts. This argument is ignored if the composed credentials are of the \fBGSS_C_ACCEPT\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the credentials have the maximum permitted initiator lifetime.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIacceptor_time_req\fR\fR
+.ad
+.RS 22n
+.rt  
+Number of seconds that the credential may remain valid for accepting security contexts. This argument is ignored if the composed credentials are of the \fBGSS_C_INITIATE\fR type. Specify \fBGSS_C_INDEFINITE\fR to request that the credentials have the maximum permitted initiator lifetime.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_cred_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+Returned credential handle that contains the new credential-element and all the credential-elements from \fIinput_cred_handle\fR. If a valid pointer to a \fBgss_cred_id_t\fR is supplied for this parameter, \fBgss_add_cred()\fR creates a new credential handle that contains all credential-elements from \fIinput_cred_handle\fR and the newly acquired credential-element. If \fBNULL\fR is specified for this parameter, the newly acquired credential-element is added to the credential identified by \fIinput_cred_handle\fR.
+.sp
+The resources associated with any credential handle returned by means of this parameter must be released by the application after use by a call to \fBgss_release_cred\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIactual_mechs\fR\fR
+.ad
+.RS 22n
+.rt  
+Complete set of mechanisms for which the new credential is valid. Storage for the returned \fBOID\fR-set must be freed by the application after use by a call to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinitiator_time_rec\fR\fR
+.ad
+.RS 22n
+.rt  
+Actual number of seconds for which the returned credentials remain valid for initiating contexts using the specified mechanism. If a mechanism does not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is returned. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIacceptor_time_rec\fR\fR
+.ad
+.RS 22n
+.rt  
+Actual number of seconds for which the returned credentials remain valid for accepting security contexts using the specified mechanism. If a mechanism does not support expiration of credentials, the value \fBGSS_C_INDEFINITE\fR is returned. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_add_cred()\fR function adds a credential-element to a credential. The credential-element is identified by the name of the principal to which it refers. This function is not intended as a function to login to the network. A function for login to the network would involve creating new mechanism-specific authentication data, rather than acquiring a handle to existing data.
+.sp
+.LP
+If the value of \fIdesired_name\fR is \fBGSS_C_NO_NAME\fR, the call is interpreted as a request to add a credential-element to invoke default behavior when passed to \fBgss_init_sec_context\fR(3GSS) if the value of \fIcred_usage\fR is \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR. The call is also interpreted as a request to add a credential-element to the invoke default behavior when passed to \fBgss_accept_sec_context\fR(3GSS) if the value of \fIcred_usage\fR is \fBGSS_C_ACCEPT\fR or \fBGSS_C_BOTH\fR.
+.sp
+.LP
+The \fBgss_add_cred()\fR function is expected to be used primarily by context acceptors. The \fBGSS-API\fR provides mechanism-specific ways to obtain \fBGSS-API\fR initiator credentials through the system login process. Consequently, the \fBGSS-API\fR does not support acquiring \fBGSS_C_INITIATE\fR or \fBGSS_C_BOTH\fR credentials by means of \fBgss_acquire_cred\fR(3GSS) for any name other than the following:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fBGSS_C_NO_NAME\fR
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Name produced by \fBgss_inquire_cred\fR(3GSS) applied to a valid credential
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Name produced by \fBgss_inquire_context\fR(3GSS) applied to an active context
+.RE
+.sp
+.LP
+If credential acquisition is time consuming for a mechanism, the mechanism can choose to delay the actual acquisition until the credential is required by \fBgss_init_sec_context\fR(3GSS), for example, or by \fBgss_accept_sec_context\fR(3GSS). Such mechanism-specific implementation decisions are invisible to the calling application. A call to \fBgss_inquire_cred\fR(3GSS) immediately following the call \fBgss_add_cred()\fR returns valid credential data as well as incurring the overhead of deferred credential acquisition.
+.sp
+.LP
+The \fBgss_add_cred()\fR function can be used either to compose a new credential that contains all credential-elements of the original in addition to the newly-acquired credential-element. The function can also be used to add the new credential-element to an existing credential. If the value of the \fIoutput_cred_handle\fR parameter is \fBNULL\fR, the new credential-element is added to the credential identified by \fIinput_cred_handle\fR. If a valid pointer is specified for the \fIoutput_cred_handle\fR parameter, a new credential handle is created.
+.sp
+.LP
+If the value of \fIinput_cred_handle\fR is \fBGSS_C_NO_CREDENTIAL\fR, the \fBgss_add_cred()\fR function composes a credential and sets the \fIoutput_cred_handle\fR parameter based on the default behavior. The call has the same effect as a call first made by the application to \fBgss_acquire_cred\fR(3GSS) to specify the same usage and to pass \fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR parameter. Such an application call obtains an explicit credential handle that incorporates the default behaviors, then passes the credential handle to \fBgss_add_cred()\fR, and finally calls \fBgss_release_cred\fR(3GSS) on the first credential handle.
+.sp
+.LP
+If the value of the \fIinput_cred_handle\fR parameter is \fBGSS_C_NO_CREDENTIAL\fR, a non-\fBNULL\fR value must be supplied for the \fIoutput_cred_handle\fR parameter.
+.SH RETURN VALUES
+.sp
+.LP
+The \fBgss_add_cred()\fR function can return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 29n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 29n
+.rt  
+An unavailable mechanism has been requested.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 29n
+.rt  
+The type contained within the \fIdesired_name\fR parameter is not supported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 29n
+.rt  
+The value supplied for \fIdesired_name\fR parameter is ill formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR
+.ad
+.RS 29n
+.rt  
+The credential already contains an element for the requested mechanism that has overlapping usage and validity period.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.RS 29n
+.rt  
+The credentials could not be added because they have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 29n
+.rt  
+No credentials were found for the specified name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 29n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
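Review bot: The acceptor_time_req entry ends with "maximum permitted initiator lifetime", which looks copied from initiator_time_req; it should say acceptor lifetime. The input_cred_handle entry refers to output_credential_handle, which does not match the output_cred_handle name used in the SYNOPSIS and the rest of the page. In the DESCRIPTION, "to the invoke default behavior" has a stray "the", and "can be used either to compose a new credential" never supplies the "or" half before the next sentence begins "The function can also be used". The cred_usage entry says "accept security credentials" and "initiate security credentials" where contexts are meant, and leaves GSS_C_NULL_OID and GSS_C_BOTH without the bold markup the other constants get. The .TH date of "30 Jun 2005" predates the 2007, 2015 copyright range, and the empty `\fI\fR` line after SEE ALSO can be dropped.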
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_add_oid_set_member.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,109 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_add_oid_set_member 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_add_oid_set_member \- add an object identifier to an object identifier set
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_add_oid_set_member\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_OID\fR \fImember_oid\fR, \fBgss_OID_set *\fR\fIoid_set\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_add_oid_set_member()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImember_oid\fR\fR
+.ad
+.RS 16n
+.rt  
+Object identifier to be copied into the set.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid_set\fR\fR
+.ad
+.RS 16n
+.rt  
+Set in which the object identifier should be inserted.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_add_oid_set_member()\fR function adds an object identifier to an object identifier set. You should use this function in conjunction with \fBgss_create_empty_oid_set\fR(3GSS) when constructing a set of mechanism \fBOID\fRs for input to \fBgss_acquire_cred\fR(3GSS). The \fIoid_set\fR parameter must refer to an \fBOID\fR-set created by \fBGSS-API\fR, that is, a set returned by \fBgss_create_empty_oid_set\fR(3GSS). 
+.sp
+.LP
+The \fBGSS-API\fR creates a copy of the \fImember_oid\fR and inserts this copy into the set, expanding the storage allocated to the \fBOID\fR-set elements array, if necessary.  New members are always added to the end of the OID set's elements. If the \fImember_oid\fR is already present, the \fIoid_set\fR should remain unchanged.
+.SH ERRORS
+.sp
+.LP
+The \fBgss_add_oid_set_member()\fR function can return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
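Review bot: The last sentence of DESCRIPTION, "If the \fImember_oid\fR is already present, the \fIoid_set\fR should remain unchanged.", reads as an expectation rather than documented behaviour; say what the function does ("is left unchanged") and whether GSS_S_COMPLETE is returned in that case, since callers building a mechanism set for gss_acquire_cred(3GSS) rely on it. Smaller points: "A mechanism specific status code." lacks the hyphen used on the sibling pages, and the trailing `.sp`/`.LP` after SEE ALSO emits an empty paragraph.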
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_auth_rules.5	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,60 @@
+'\" te
+.\"  Copyright (c) 2004, Sun Microsystems, Inc.  All Rights Reserved
+.TH gss_auth_rules 5 "13 Apr 2004" "SunOS 5.12" "Standards, Environments, and Macros"
+.SH NAME
+gss_auth_rules \- overview of GSS authorization
+.SH DESCRIPTION
+.sp
+.LP
+The establishment of the veracity of a user's credentials requires both authentication (Is this an authentic user?) and authorization (Is this authentic user, in fact, authorized?).
+.sp
+.LP
+When a user makes use of Generic Security Services (GSS) versions of the \fBftp\fR or \fBssh\fR clients to connect to a server, the user is not necessarily authorized, even if his claimed GSS identity is authenticated, Authentication merely establishes that the user is who he says he is to the GSS mechanism's authentication system. Authorization is then required: it determines whether the GSS identity is permitted to access the specified Solaris user account.
+.sp
+.LP
+The GSS authorization rules are as follows:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If the mechanism of the connection has a set of authorization rules, then use those rules. For example, if the mechanism is Kerberos, then use the \fBkrb5_auth_rules\fR(5), so that authorization is consistent between raw Kerberos applications and GSS/Kerberos applications.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If the mechanism of the connection does not have a set of authorization rules, then authorization is successful if the remote user's \fBgssname\fR matches the local user's \fBgssname\fR exactly, as compared by \fBgss_compare_name\fR(3GSS).
+.RE
+.SH FILES
+.sp
+.ne 2
+.mk
+.na
+\fB\fB/etc/passwd\fR\fR
+.ad
+.RS 15n
+.rt  
+System account file. This information may also be in a directory service. See \fBpasswd\fR(4).
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for a description of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityCommitted
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBftp\fR(1), \fBssh\fR(1), \fBgsscred\fR(1M), \fBgss_compare_name\fR(3GSS), \fBpasswd\fR(4), \fBattributes\fR(5), \fBkrb5_auth_rules\fR(5)
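Review bot: The second authorization rule compares the remote user's gssname with "the local user's gssname", but the page never says where the local gssname comes from; gsscred(1M) and passwd(4) appear only in SEE ALSO and FILES. Since this fallback rule is what grants access when a mechanism has no rules of its own, add a sentence stating how the local account's GSS name is derived or looked up. In the paragraph above the rules, "is authenticated, Authentication merely establishes" should end the first sentence with a period rather than a comma.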
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_canonicalize_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,151 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_canonicalize_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_canonicalize_name \- convert an internal name to a mechanism name
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_canonicalize_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIinput_name\fR,\fBconst gss_OID\fR \fImech_type\fR,
+     \fBgss_name_t *\fR\fIoutput_name\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_canonicalize_name()\fR function generates a canonical mechanism name from an arbitrary internal name.  The mechanism name is the name that would be returned to a context acceptor on successful authentication of a context where the initiator used the \fIinput_name\fR in a successful call to \fBgss_acquire_cred\fR(3GSS), specifying an OID set containing \fImech_type\fR as its only member, followed by a call to \fBgss_init_sec_context\fR(3GSS), specifying \fImech_type\fR as the authentication mechanism.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_canonicalize_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name\fR\fR
+.ad
+.RS 16n
+.rt  
+The name for which a canonical form is desired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.RS 16n
+.rt  
+The authentication mechanism for which the canonical form of the name is desired.  The desired mechanism must be specified explicitly; no default is provided.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_name\fR\fR
+.ad
+.RS 16n
+.rt  
+The resultant canonical name.  Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_canonicalize_name()\fR function may return the status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 22n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 22n
+.rt  
+The identified mechanism is not supported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 22n
+.rt  
+The provided internal name contains no elements that could be processed by the specified mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 22n
+.rt  
+The provided internal name was ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 22n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_name\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
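Review bot: In SYNOPSIS, `\fIinput_name\fR,\fBconst gss_OID\fR` has no space after the comma, so the prototype renders as "input_name,const gss_OID"; add the space as is done before `\fBgss_name_t *\fR` on the next line. In ERRORS, "may return the status codes:" should read "the following status codes:" to match the other pages. Consider adding gss_export_name(3GSS) to SEE ALSO, since that page in this changeset names gss_canonicalize_name as one of the two ways to obtain the mechanism name it requires.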
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_compare_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,143 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_compare_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_compare_name \- compare two internal-form names
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR]  \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_compare_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIname1\fR,\fBconst gss_name_t\fR \fIname2\fR,
+     \fBint *\fR\fIname_equal\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_compare_name()\fR function allows an application to compare two internal-form names to determine whether they refer to the same entity.
+.sp
+.LP
+If either name presented to \fBgss_compare_name()\fR denotes an anonymous principal, the routines indicate that the two names do not refer to the same identity.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_compare_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname1\fR\fR
+.ad
+.RS 16n
+.rt  
+Internal-form name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname2\fR\fR
+.ad
+.RS 16n
+.rt  
+Internal-form name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname_equal\fR\fR
+.ad
+.RS 16n
+.rt  
+If non-zero, the names refer to same entity. If 0, the names refer to different entities. Strictly, the names are not known to refer to the same identity.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_compare_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 22n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 22n
+.rt  
+The two names were of incomparable types.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 22n
+.rt  
+One or both of \fIname1\fR or \fIname2\fR was ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 22n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBattributes\fR(5)
+.sp
+.LP
+
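Review bot: The \fIname_equal\fR entry in PARAMETERS gives two meanings for 0: first "the names refer to different entities", then "Strictly, the names are not known to refer to the same identity." Because gss_auth_rules(5) in this changeset uses this function as the authorization test, keep only the precise meaning, for example "Non-zero if the names refer to the same entity; 0 if they are not known to refer to the same entity", and state that the value is meaningful only when GSS_S_COMPLETE is returned. In DESCRIPTION, "the routines indicate" should be "the routine indicates", and SEE ALSO lists only attributes(5) where gss_auth_rules(5) and the name functions would help.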
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_context_time.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,128 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_context_time 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_context_time \- determine how long a context will remain valid
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_context_time\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBOM_uint32 *\fR\fItime_rec\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_context_time()\fR function determines the number of seconds for which the specified context will remain valid.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_context_time()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 18n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 18n
+.rt  
+A read-only value. Identifies the context to be interrogated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_rec\fR\fR
+.ad
+.RS 18n
+.rt  
+Modifies the number of seconds that the context remains valid.  If the context has already expired, returns zero.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_context_time()\fR function returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has already expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR parameter did not identify a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_init_sec_context\fR(3GSS), \fBgss_accept_sec_context\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
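Review bot: SYNOPSIS declares `\fBgss_ctx_id_t *\fR\fIcontext_handle\fR` while PARAMETERS calls the same argument "A read-only value"; a pointer to the handle is not what a read-only input looks like, so one of the two needs correcting (and the missing space after the comma before `\fBOM_uint32 *\fR` fixed at the same time). The \fItime_rec\fR entry says it "Modifies the number of seconds that the context remains valid", which suggests the call changes the lifetime; it is an output and should read as "Returns the number of seconds". The ATTRIBUTES row is "MT LevelSafe" here but "MT-LevelSafe" on every other page in this changeset.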
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_create_empty_oid_set.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,95 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_create_empty_oid_set 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_create_empty_oid_set \- create an object-identifier set containing no object identifiers
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_create_empty_oid_set\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_OID_set *\fR\fIoid_set\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_create_empty_oid_set()\fR function creates an object-identifier set containing no object identifiers to which members may be subsequently added using the \fBgss_add_oid_set_member\fR(3GSS) function.  These functions can be used to construct sets of mechanism object identifiers for input to \fBgss_acquire_cred\fR(3GSS).
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_create_empty_oid_set()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism-specific status code
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid_set\fR\fR
+.ad
+.RS 16n
+.rt  
+Empty object identifier set. The function will allocate the \fBgss_OID_set_desc\fR object, which the  application must free after use with a call to \fBgss_release_oid_set\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_create_empty_oid_set()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_add_oid_set_member\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
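Review bot: The ATTRIBUTES table as shown has `tab() box;` with no visible separator character and a header row "ATTRIBUTE TYPEATTRIBUTE VALUE" with nothing between the two cells (the same holds for the sibling pages in this changeset); if the separator is a non-printing character, switching to a printable one would keep the table source intact in review tools and editors. Also, "Mechanism-specific status code" and "Successful completion" lack the closing period used elsewhere, and the \fIoid_set\fR entry does not say what the caller receives when GSS_S_FAILURE is returned.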
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_delete_sec_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,123 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_delete_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_delete_sec_context \- delete a GSS-API security context
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_delete_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBgss_buffer_t\fR \fIoutput_token\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+Use the \fBgss_delete_sec_context()\fR function to delete a security context.  The \fBgss_delete_sec_context()\fR function will delete the local data structures associated with the specified security context.  You may not obtain further security services that use the context specified by \fIcontext_handle\fR.
+.sp
+.LP
+In addition to deleting established security contexts, \fBgss_delete_sec_context()\fR will delete any half-built security contexts that result from incomplete sequences of calls to \fBgss_init_sec_context\fR(3GSS) and  \fBgss_accept_sec_context\fR(3GSS). 
+.sp
+.LP
+The Solaris implementation of the \fBGSS-API\fR retains the \fIoutput_token\fR parameter for compatibility with version 1 of the \fBGSS-API\fR.  Both peer applications should invoke \fBgss_delete_sec_context()\fR, passing the value \fBGSS_C_NO_BUFFER\fR to the \fIoutput_token\fR parameter; this indicates that no token is required.  If the application passes a valid buffer to \fBgss_delete_sec_context()\fR, it will return a zero-length token, indicating that no token should be transferred by the application.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_delete_sec_context()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 18n
+.rt  
+A mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 18n
+.rt  
+Context handle identifying specific context to delete. After deleting the context, the \fBGSS-API\fR will set \fIcontext_handle\fR to  \fBGSS_C_NO_CONTEXT\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_token\fR\fR
+.ad
+.RS 18n
+.rt  
+A token to be sent to remote applications that instructs them to delete the context. 
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_delete_sec_context()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 20n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 20n
+.rt  
+No valid context was supplied.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 20n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
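Review bot: The \fIoutput_token\fR entry in PARAMETERS, "A token to be sent to remote applications that instructs them to delete the context.", contradicts the third DESCRIPTION paragraph, which says the parameter is kept only for version 1 compatibility, that callers should pass GSS_C_NO_BUFFER, and that any token returned is zero-length and should not be transferred. Reword the parameter entry to match, so that nobody implements a token exchange on teardown from the parameter list alone. "A mechanism specific status code." also lacks the hyphen.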
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_display_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,135 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_display_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_display_name \- convert internal-form name to text
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR]  \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_display_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIinput_name\fR,\ \fBgss_buffer_t\fR \fIoutput_name_buffer\fR,
+     \fBgss_OID *\fR\fIoutput_name_type\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_display_name()\fR function allows an application to obtain a textual representation of an opaque internal-form  name for display purposes.
+.sp
+.LP
+If \fIinput_name\fR denotes an anonymous principal, the \fBGSS-API\fR returns the \fBgss_OID\fR value \fBGSS_C_NT_ANONYMOUS\fR as the \fIoutput_name_type\fR, and a textual name that is syntactically distinct from all valid supported printable names in \fIoutput_name_buffer\fR.
+.sp
+.LP
+If \fIinput_name\fR was created by a call to \fBgss_import_name\fR(3GSS), specifying \fBGSS_C_NO_OID\fR as the name-type, the GSS-API returns \fBGSS_C_NO_OID\fR by means of the \fIoutput_name_type\fR parameter.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_display_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+Mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name\fR\fR
+.ad
+.RS 22n
+.rt  
+Name in internal form.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_name_buffer\fR\fR
+.ad
+.RS 22n
+.rt  
+Buffer to receive textual name string. The application must free storage associated with this name after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_name_type\fR\fR
+.ad
+.RS 22n
+.rt  
+The type of the returned name.  The returned \fBgss_OID\fR will be a pointer into static storage and should be treated as read-only by the caller. In particular, the application should not attempt to free it. Specify \fINULL\fR if this parameter is not required.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_display_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 18n
+.rt  
+The \fIinput_name\fR was ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_import_name\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
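Review bot: DESCRIPTION says the result is "for display purposes" but stops short of telling the reader what to use for comparison or access-control decisions; a sentence pointing to gss_compare_name(3GSS) and gss_export_name(3GSS), plus entries for both in SEE ALSO, would close that gap, since the export page in this changeset is the one documented as suitable for access-control list matching. In the \fIoutput_name_type\fR entry, `\fINULL\fR` is set in italics although it is a constant, unlike the bold constants elsewhere on the page.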
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_display_status.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,169 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_display_status 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_display_status \- convert a GSS-API status code to text
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_display_status\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBOM_uint32\fR \fIstatus value\fR,\fBint\fR \fIstatus type\fR,
+     \fBconst gss_OID\fR \fImech_type\fR, \fBOM_uint32 *\fR\fImessage_context\fR,
+     \fBgss_buffer_t\fR \fIstatus string\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_display_status()\fR function enables an application to obtain a textual representation of a \fBGSS-API\fR status code for display to the user or for logging purposes.  Because some status values may indicate multiple conditions, applications may need to call \fBgss_display_status()\fR multiple times, with each call generating a single text string.
+.sp
+.LP
+The \fImessage_context\fR parameter is used by \fBgss_acquire_cred()\fR to store state information on error messages that are extracted from a given \fIstatus_value\fR. The \fImessage_context\fR parameter must be initialized to 0 by the application prior to the first call, and \fBgss_display_status()\fR will return a non-zero value in this parameter if there are further messages to extract. 
+.sp
+.LP
+The \fImessage_context\fR parameter contains all state information required  by \fBgss_display_status()\fR to extract further messages from the \fIstatus_value\fR.  If a non-zero value is returned in this parameter, the application is not required to call \fBgss_display_status()\fR again unless subsequent messages are desired.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_display_status()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 19n
+.rt  
+Status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIstatus_value\fR\fR
+.ad
+.RS 19n
+.rt  
+Status value to be converted.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIstatus_type\fR\fR
+.ad
+.RS 19n
+.rt  
+If the value is \fBGSS_C_GSS_CODE\fR, \fIstatus_value\fR is a \fBGSS-API\fR status code. If the value is \fBGSS_C_MECH_CODE\fR, then \fIstatus_value\fR is a mechanism status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.RS 19n
+.rt  
+Underlying mechanism that is used to interpret a minor status value. Supply \fBGSS_C_NO_OID\fR to obtain the system default.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImessage_context\fR\fR
+.ad
+.RS 19n
+.rt  
+Should be initialized to zero prior to the first call. On return from \fBgss_display_status()\fR, a non-zero \fIstatus_value\fR parameter indicates that additional messages may be extracted from the status code by means of subsequent calls to \fBgss_display_status()\fR, passing the same \fIstatus_value\fR, \fIstatus_type\fR, \fImech_type\fR, and \fImessage_context\fRparameters.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIstatus_string\fR\fR
+.ad
+.RS 19n
+.rt  
+Textual representation of the \fIstatus_value\fR. Storage associated with this parameter must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_display_status()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 20n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 20n
+.rt  
+Indicates that translation in accordance with an unsupported mechanism type was requested.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_STATUS\fR\fR
+.ad
+.RS 20n
+.rt  
+The status value was not recognized, or the status type was neither \fBGSS_C_GSS_CODE\fR nor \fBGSS_C_MECH_CODE\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 20n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
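Review bot: The second DESCRIPTION paragraph says "The \fImessage_context\fR parameter is used by \fBgss_acquire_cred()\fR to store state information", but the state belongs to gss_display_status() itself, as the rest of the paragraph goes on to say; the function name looks like a copy-and-paste slip. The \fImessage_context\fR entry in PARAMETERS has a related slip: "a non-zero \fIstatus_value\fR parameter indicates that additional messages may be extracted" should refer to \fImessage_context\fR, and `\fImessage_context\fRparameters` is missing a space. SYNOPSIS names the arguments "status value", "status type" and "status string" with spaces, while PARAMETERS uses underscores.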
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_duplicate_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,117 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_duplicate_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_duplicate_name \- create a copy of an internal name
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR]  \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_duplicate_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIsrc_name\fR,\fBgss_name_t *\fR\fIdest_name\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_duplicate_name()\fR function creates an exact duplicate of the existing internal name \fIsrc_name\fR.  The new \fIdest_name\fR will be independent of the \fIsrc_name\fR. The \fIsrc_name\fR and \fIdest_name\fR must both be released, and the release of one does not affect the validity of the other.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_duplicate_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIsrc_name\fR\fR
+.ad
+.RS 16n
+.rt  
+Internal name to be duplicated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdest_name\fR\fR
+.ad
+.RS 16n
+.rt  
+The resultant copy of \fIsrc_name\fR.  Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_duplicate_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 18n
+.rt  
+The \fIsrc_name\fR parameter was ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_name\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_export_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,117 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_export_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_export_name \- convert a mechanism name to export form
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_export_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIinput_name\fR,\fBgss_buffer_t\fR \fIexported_name\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_export_name()\fR function allows a \fBGSS-API\fR internal name to be converted into a mechanism-specific name. The function produces a canonical contiguous string representation of a mechanism name, suitable for direct comparison, with \fBmemory\fR(3C), or for use in authorization functions, matching entries in an access-control list.  The \fIinput_name\fR parameter must specify a valid mechanism name, that is, an internal name generated by \fBgss_accept_sec_context\fR(3GSS) or by \fBgss_canonicalize_name\fR(3GSS).
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_export_name()\fR follow: 
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 17n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name\fR\fR
+.ad
+.RS 17n
+.rt  
+The mechanism name to be exported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIexported_name\fR\fR
+.ad
+.RS 17n
+.rt  
+The canonical contiguous string form of \fIinput_name\fR. Storage associated with this string must freed by the application after use with \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_export_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 21n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NAME_NOT_MN\fR\fR
+.ad
+.RS 21n
+.rt  
+The provided internal name was not a mechanism name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 21n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_canonicalize_name\fR(3GSS), \fBgss_release_buffer\fR(3GSS)\fBmemory\fR(3C), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
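Review bot: the first sentence of DESCRIPTION says the function converts an internal name "into a mechanism-specific name", but the NAME line and the rest of the paragraph say the input must already be a mechanism name and the output is its export form. Reword that sentence so it does not suggest the call canonicalizes arbitrary internal names, since callers use the result for access-control comparisons. In the same paragraph, "suitable for direct comparison, with memory(3C)" reads as if memory were the comparison function; name the comparison routine in the sentence and keep memory(3C) as the reference. Smaller fixes: "must freed" in the exported_name entry is missing "be", SEE ALSO has no ", " between gss_release_buffer(3GSS) and memory(3C), and the page ends with an empty \fI\fR pair that can be dropped.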
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_export_sec_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,148 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_export_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_export_sec_context \- transfer a security context to another process
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_export_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_ctx_id_t *\fR\fIcontext_handle\fR,\fBgss_buffer_t\fR \fIinterprocess_token\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_export_sec_context()\fR function generates an interprocess token for transfer to another process within an end system. \fBgss_export_sec_context()\fR and \fBgss_import_sec_context()\fR allow a security context to be transferred between processes on a single machine. 
+.sp
+.LP
+The \fBgss_export_sec_context()\fR function supports the sharing of work between multiple processes. This routine is typically used by the context-acceptor, in an application where a single process receives incoming connection requests and accepts security contexts over them, then passes the established context to one or more other processes for message exchange. \fBgss_export_sec_context()\fR deactivates the security context for the calling process and creates an interprocess token which, when passed to \fBgss_import_sec_context()\fR in another process, reactivates the context in the second process. Only a single instantiation of a given context can be active at any one time; a subsequent attempt by a context exporter to access the exported security context will fail.
+.sp
+.LP
+The interprocess token may contain security-sensitive information, for example cryptographic keys.  While mechanisms are encouraged to either avoid placing such sensitive information within interprocess tokens or to encrypt the token before returning it to the application, in a typical object-library \fBGSS-API\fR implementation, this might not be possible. Thus, the application must take care to protect the interprocess token and ensure that any process to which the token is transferred is trustworthy. If creation of the interprocess token is successful, the \fBGSS-API\fR deallocates all process-wide resources associated with the security context and sets the context_handle to \fBGSS_C_NO_CONTEXT\fR. In the event of an error that makes it impossible to complete the export of the security context, the function does not return an interprocess token and leaves the security context referenced by the \fIcontext_handle\fR parameter untouched.
+.sp
+.LP
+Sun's implementation of \fBgss_export_sec_context()\fR does not encrypt the interprocess token. The interprocess token is serialized before it is transferred to another process.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_export_sec_context()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+Context handle identifying the context to transfer.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinterprocess_token\fR\fR
+.ad
+.RS 22n
+.rt  
+Token to be transferred to target process. Storage associated with this token must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_export_sec_context()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The context was invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNAVAILABLE\fR\fR
+.ad
+.RS 25n
+.rt  
+The operation is not supported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
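Review bot: the last DESCRIPTION paragraph, "Sun's implementation of gss_export_sec_context() does not encrypt the interprocess token", should be confirmed against the library this changeset actually delivers and reworded to name that implementation. The preceding paragraph says the token may contain cryptographic keys, so if the token really is unencrypted the page should state what the application is expected to do when handing it to another process, not only that it "must take care". The sentence "The interprocess token is serialized before it is transferred to another process" does not say who serializes it or why the caller needs to know; clarify or remove it. The ATTRIBUTES table reads "MT LevelSafe" here while gss_export_name.3gss and gss_get_mic.3gss in this changeset use "MT-Level", and the page ends with an empty \fI\fR pair.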
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_get_mic.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,165 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_get_mic 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_get_mic \- calculate a cryptographic message
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_get_mic\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBgss_qop_t\fR \fIqop_req\fR,
+     \fBconst gss_buffer_t\fR \fImessage_buffer\fR, \fBgss_buffer_t\fR \fImsg_token\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_get_mic()\fR function generates a cryptographic \fBMIC\fR for the supplied message, and places the \fBMIC\fR in a token for transfer to the peer application. The \fIqop_req\fR parameter allows a choice between several cryptographic algorithms, if supported by the chosen mechanism.
+.sp
+.LP
+Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR allows \fBMIC\fRs to be derived from zero-length messages.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_get_mic()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 18n
+.rt  
+The status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 18n
+.rt  
+Identifies the context on which the message will be sent.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIqop_req\fR\fR
+.ad
+.RS 18n
+.rt  
+Specifies the requested quality of protection. Callers are encouraged, on portability grounds, to accept the default quality of protection offered by the chosen mechanism, which may be requested by specifying \fBGSS_C_QOP_DEFAULT\fR for this parameter. If an unsupported protection strength is requested, \fBgss_get_mic()\fR will return a \fImajor_status\fR of \fBGSS_S_BAD_QOP\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImessage_buffer\fR\fR
+.ad
+.RS 18n
+.rt  
+The message to be protected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImsg_token\fR\fR
+.ad
+.RS 18n
+.rt  
+The buffer to receive the token. Storage associated with this message must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_get_mic()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has already expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR parameter did not identify a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_QOP\fR\fR
+.ad
+.RS 25n
+.rt  
+The specified \fBQOP\fR is not supported by the mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_buffer\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
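Review bot: the NAME line "gss_get_mic \- calculate a cryptographic message" is cut short; DESCRIPTION says the function generates a cryptographic MIC, so the summary should read along the lines of "calculate a cryptographic message integrity code (MIC)". This line is what apropos-style searches index, so the truncation matters. The qop_req entry refers to "a major_status of GSS_S_BAD_QOP" although the SYNOPSIS has no such parameter; say "return value" to match the ERRORS section. SEE ALSO lists gss_wrap(3GSS) and gss_release_buffer(3GSS) but not the verification counterpart; consider adding gss_verify_mic(3GSS) so readers can find the call that checks the token.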
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_import_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,151 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_import_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_import_name \- convert a contiguous string name to GSS_API internal format
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR]  \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_import_name\fR(\fBOM_uint32 *\fR \fIminor_status\fR,
+     \fBconst gss_buffer_t\fR \fIinput_name_buffer\fR, \fBconst gss_OID\fR \fIinput_name_type\fR,
+     \fBgss_name_t *\fR\fIoutput_name\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_import_name()\fR function converts a contiguous string name to internal form. In general, the internal name returned by means of the \fIoutput_name\fR parameter will not be a mechanism name; the exception to this is if the \fIinput_name_type\fR indicates that the contiguous string provided by means of the \fIinput_name_buffer\fR parameter is of type \fBGSS_C_NT_EXPORT_NAME\fR, in which case, the returned internal name will be a mechanism name for the mechanism that exported the name.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_import_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 21n
+.rt  
+Status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name_buffer\fR\fR
+.ad
+.RS 21n
+.rt  
+The \fBgss_buffer_desc\fR structure containing the name to be imported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name_type\fR\fR
+.ad
+.RS 21n
+.rt  
+A \fBgss_OID\fR that specifies the format that the \fIinput_name_buffer\fR is in.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_name\fR\fR
+.ad
+.RS 21n
+.rt  
+The \fBgss_name_t\fR structure to receive the returned name in internal form. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_import_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fBgss_import_name()\fR function completed successfully.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fIinput_name_type\fR was unrecognized.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fIinput_name\fR parameter could not be interpreted as a name of the specified type.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fIinput_name_type\fR was \fBGSS_C_NT_EXPORT_NAME\fR, but the mechanism contained within the \fIinput_name\fR is not supported.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 22n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
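Review bot: the ERRORS entries for GSS_S_BAD_NAME and GSS_S_BAD_MECH refer to an "input_name" parameter, but the SYNOPSIS and PARAMETERS sections call it input_name_buffer; use the declared name in both entries. The output_name entry tells the caller to free the name with gss_release_name(), yet SEE ALSO lists only gss_release_buffer(3GSS), which this page never mentions; replace it with, or add, gss_release_name(3GSS) and write the reference in the output_name entry with its section suffix like the other pages. The NAME line spells the API "GSS_API" where the rest of the changeset uses "GSS-API". Since DESCRIPTION singles out GSS_C_NT_EXPORT_NAME, a cross-reference to gss_export_name(3GSS) would also help.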
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_import_sec_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,150 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_import_sec_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_import_sec_context \- import security context established by another process
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_import_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_buffer_t\fR \fIinterprocess_token\fR,\fBgss_ctx_id_t *\fR\fIcontext_handle\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_import_sec_context()\fR function allows a process to import a security context established by another process. A given interprocess token can be imported only once. See \fBgss_export_sec_context\fR(3GSS).
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_import_sec_context()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinterprocess_token\fR\fR
+.ad
+.RS 22n
+.rt  
+Token received from exporting process.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+Context handle of newly reactivated context. Resources associated with this context handle must be released by the application after use with a call to \fBgss_delete_sec_context\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_import_sec_context()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The token did not contain a valid context reference.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNAVAILABLE\fR\fR
+.ad
+.RS 25n
+.rt  
+The operation is unavailable.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNAUTHORIZED\fR\fR
+.ad
+.RS 25n
+.rt  
+Local policy prevents the import of this context by the current process.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_context_time\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
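Review bot: DESCRIPTION is a single short paragraph that defers to gss_export_sec_context(3GSS) and says nothing about the sensitivity of interprocess_token on the importing side. The export page in this changeset states that the token may contain cryptographic keys and is not encrypted, so this page should at least say that the importer must only accept tokens from a trusted process and should describe the state of context_handle when the call fails. GSS_S_UNAUTHORIZED mentions "local policy" without saying where that policy is configured; add a pointer or drop the implication. The ATTRIBUTES table reads "MT LevelSafe" here while other pages in this changeset use "MT-Level", and the page ends with an empty \fI\fR pair.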
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_indicate_mechs.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,95 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_indicate_mechs 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_indicate_mechs \- determine available security mechanisms
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_indicate_mechs\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_OID_set  *\fR\fImech_set\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_indicate_mechs()\fR function enables an application to determine available underlying security mechanisms.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_indicate_mechs()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_set\fR\fR
+.ad
+.RS 16n
+.rt  
+Set of supported mechanisms. The returned \fBgss_OID_set\fR value will be a dynamically-allocated \fBOID\fR set that should be released by the caller after use with a call to \fBgss_release_oid_set\fR(3GSS). 
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_indicate_mechs()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_init_sec_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,637 @@
+'\" te
+.\" Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH gss_init_sec_context 3GSS "6 Nov 2009" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_init_sec_context \- initiate a GSS-API security context with a peer application
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lgss\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_init_sec_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_cred_id_t\fR \fIinitiator_cred_handle\fR,
+     \fBgss_ctx_id_t *\fR\fIcontext_handle\fR, \fBconst gss_name_t *\fR\fItarget_name\fR,
+     \fBconst gss_OID\fR \fImech_type\fR, \fBOM_uint32\fR \fIreq_flags\fR,
+     \fBOM_uint32\fR \fItime_req\fR, \fBconst gss_channel_bindings_t\fR \fIinput_chan_bindings\fR,
+     \fBconst gss_buffer_t\fR \fIinput_token\fR, \fBgss_OID *\fR\fIactual_mech_type\fR,
+     \fBgss_buffer_t\fR \fIoutput_token\fR, \fBOM_uint32 *\fR\fIret_flags\fR,
+     \fBOM_uint32 *\fR\fItime_rec\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_init_sec_context()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.sp .6
+.RS 4n
+A mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinitiator_cred_handle\fR\fR
+.ad
+.sp .6
+.RS 4n
+The handle for the credentials claimed. Supply \fBGSS_C_NO_CREDENTIAL\fR to act as a default initiator principal. If no default initiator is defined, the function returns \fBGSS_S_NO_CRED\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.sp .6
+.RS 4n
+The context handle for a new context. Supply the value \fBGSS_C_NO_CONTEXT\fR for the first call, and use the value returned in any continuation calls. The resources associated with \fIcontext_handle\fR must be released by the application after use by a call to \fBgss_delete_sec_context\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItarget_name\fR\fR
+.ad
+.sp .6
+.RS 4n
+The name of the context acceptor.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.sp .6
+.RS 4n
+The object \fBID\fR of the desired mechanism. To obtain a specific default, supply the value \fBGSS_C_NO_OID\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIreq_flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+Contains independent flags, each of which will request that the context support a specific service option. A symbolic name is provided for each flag. Logically-\fBOR\fR the symbolic name to the corresponding required flag to form the bit-mask value. \fIreq_flags\fR may contain one of the following values:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_DELEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, delegate credentials to a remote peer. Do not delegate the credentials if the value is false.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_MUTUAL_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, request that the peer authenticate itself. If false, authenticate to the remote peer only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_REPLAY_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, enable replay detection for messages protected with \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS). Do not attempt to detect replayed messages if false.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, enable detection of out-of-sequence protected messages. Do not attempt to detect out-of-sequence messages if false.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_CONF_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, request that confidential service be made available by means of \fBgss_wrap\fR(3GSS). If false, no per-message confidential service is required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_INTEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, request that integrity service be made available by means of \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS). If false, no per-message integrity service is required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_ANON_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, do not reveal the initiator's identify to the acceptor. If false, authenticate normally.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_req\fR\fR
+.ad
+.sp .6
+.RS 4n
+The number of seconds for which the context will remain valid. Supply a zero value to \fItime_req\fR to request a default validity period.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_chan_bindings\fR\fR
+.ad
+.sp .6
+.RS 4n
+Optional application-specified bindings. Allows application to securely bind channel identification information to the security context. Set to \fBGSS_C_NO_CHANNEL_BINDINGS\fR if you do not want to use channel bindings.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_token\fR\fR
+.ad
+.sp .6
+.RS 4n
+Token received from the peer application. On the initial call, supply \fBGSS_C_NO_BUFFER\fR or a pointer to a buffer containing the value \fBGSS_C_EMPTY_BUFFER\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIactual_mech_type\fR\fR
+.ad
+.sp .6
+.RS 4n
+The actual mechanism used. The \fBOID\fR returned by means of this parameter will be pointer to static storage that should be treated as read-only. The application should not attempt to free it. To obtain a specific default, supply the value \fBGSS_C_NO_OID\fR. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_token\fR\fR
+.ad
+.sp .6
+.RS 4n
+The token to send to the peer application. If the length field of the returned buffer is zero, no token need be sent to the peer application. After use storage associated with this buffer must be freed by the application by a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIret_flags\fR\fR
+.ad
+.sp .6
+.RS 4n
+Contains various independent flags, each of which indicates that the context supports a specific service option. If not needed, specify \fBNULL\fR. Test the returned bit-mask \fIret_flags\fR value against its symbolic name to determine if the given option is supported by the context. \fIret_flags\fR may contain one of the following values:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_DELEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, credentials were delegated to the remote peer. If false, no credentials were delegated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_MUTUAL_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the remote peer authenticated itself. If false, the remote peer did not authenticate itself.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_REPLAY_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, replay of protected messages will be detected. If false, replayed messages will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, out of sequence protected messages will be detected. If false, they will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_CONF_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, confidential service may be invoked by calling the \fBgss_wrap()\fR routine. If false, no confidentiality service is available by means of \fBgss_wrap\fR(3GSS). \fBgss_wrap()\fR will provide message encapsulation, data-origin authentication and integrity services only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_INTEG_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, integrity service may be invoked by calling either the \fBgss_wrap\fR(3GSS) or \fBgss_get_mic\fR(3GSS) routine. If false, per-message integrity service is not available.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_ANON_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the initiator's identity has not been revealed; it will not be revealed if any emitted token is passed to the acceptor. If false, the initiator has been or will be authenticated normally.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_PROT_READY_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the protection services specified by the states of \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR are available if the accompanying major status return value is either \fBGSS_S_COMPLETE\fR or \fBGSS_S_CONTINUE_NEEDED\fR. If false, the protection services are available only if the accompanying major status return value is \fBGSS_S_COMPLETE\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_TRANS_FLAG\fR\fR
+.ad
+.sp .6
+.RS 4n
+If true, the resultant security context may be transferred to other processes by means of a call to \fBgss_export_sec_context\fR(3GSS). If false, the security context cannot be transferred.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItime_rec\fR\fR
+.ad
+.sp .6
+.RS 4n
+The number of seconds for which the context will remain valid. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_init_sec_context()\fR function initiates the establishment of a security context between the application and a remote peer. Initially, the \fIinput_token\fR parameter should be specified either as \fBGSS_C_NO_BUFFER\fR, or as a pointer to a \fBgss_buffer_desc\fR object with a \fBlength\fR field that contains a zero value. The routine may return a \fIoutput_token\fR, which should be transferred to the peer application, which will present it to \fBgss_accept_sec_context\fR(3GSS). If no token need be sent, \fBgss_init_sec_context()\fR will indicate this by setting the \fBlength\fR field of the \fIoutput_token\fR argument to zero. To complete context establishment, one or more reply tokens may be required from the peer application; if so, \fBgss_init_sec_context()\fR will return a status code that contains the supplementary information bit \fBGSS_S_CONTINUE_NEEDED\fR. In this case, make another call to \fBgss_init_sec_context()\fR when the reply token is received from the peer application and pass the reply token to \fBgss_init_sec_context()\fR by means of the \fIinput_token\fR parameter.
+.sp
+.LP
+Construct portable applications to use the token length and return status to determine whether to send or wait for a token.
+.sp
+.LP
+Whenever the routine returns a major status that includes the value \fBGSS_S_CONTINUE_NEEDED\fR, the context is not fully established, and the following restrictions apply to the output parameters:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The value returned by means of the \fItime_rec\fR parameter is undefined. Unless the accompanying \fIret_flags\fR parameter contains the bit \fBGSS_C_PROT_READY_FLAG\fR, which indicates that per-message services may be applied in advance of a successful completion status, the value returned by means of the \fIactual_mech_type\fR parameter is undefined until the routine returns a major status value of \fBGSS_S_COMPLETE\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The values of the \fBGSS_C_DELEG_FLAG\fR, \fBGSS_C_MUTUAL_FLAG\fR, \fBGSS_C_REPLAY_FLAG\fR, \fBGSS_C_SEQUENCE_FLAG\fR, \fBGSS_C_CONF_FLAG\fR, \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_ANON_FLAG\fR bits returned by the \fIret_flags\fR parameter contain values that will be valid if context establishment succeeds. For example, if the application requests a service such as delegation or anonymous authentication by means of the \fIreq_flags\fR argument, and the service is unavailable from the underlying mechanism, \fBgss_init_sec_context()\fR generates a token that will not provide the service, and it indicate by means of the \fIret_flags\fR argument that the service will not be supported. The application may choose to abort context establishment by calling \fBgss_delete_sec_context\fR(3GSS) if it cannot continue without the service, or if the service was merely desired but not mandatory, it may transmit the token and continue context establishment.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The values of the \fBGSS_C_PROT_READY_FLAG\fR and \fBGSS_C_TRANS_FLAG\fR bits within \fIret_flags\fR indicate the actual state at the time \fBgss_init_sec_context()\fR returns, whether or not the context is fully established.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The \fBGSS-API\fR sets the \fBGSS_C_PROT_READY_FLAG\fR in the final \fIret_flags\fR returned to a caller, for example, when accompanied by a \fBGSS_S_COMPLETE\fR status code. However, applications should not rely on this behavior, as the flag was not defined in Version 1 of the \fBGSS-API\fR.  Instead, applications should determine what per-message services are available after a successful context establishment according to the \fBGSS_C_INTEG_FLAG\fR and \fBGSS_C_CONF_FLAG\fR values.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+All other bits within the \fIret_flags\fR argument are set to zero.
+.RE
+.sp
+.LP
+If the initial call of \fBgss_init_sec_context()\fR fails, the \fBGSS-API\fR does not create a context object; it leaves the value of the \fIcontext_handle\fR parameter set to \fBGSS_C_NO_CONTEXT\fR to indicate this.  In the event of failure on a subsequent call, the \fBGSS-API\fR leaves the security context untouched for the application to delete using \fBgss_delete_sec_context\fR(3GSS).
+.sp
+.LP
+During context establishment, the informational status bits \fBGSS_S_OLD_TOKEN\fR and \fBGSS_S_DUPLICATE_TOKEN\fR indicate fatal errors, and \fBGSS-API\fR mechanisms should always return them in association with a status code of \fBGSS_S_FAILURE\fR. This pairing requirement was not part of Version 1 of the GSS-API specification, so applications that wish to run on Version 1 implementations must special-case these codes. 
+.SH ERRORS
+.sp
+.LP
+\fBgss_init_sec_context()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTINUE_NEEDED\fR\fR
+.ad
+.sp .6
+.RS 4n
+A token from the peer application is required to complete the context, and \fBgss_init_sec_context()\fR must be called again with that token.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.sp .6
+.RS 4n
+Consistency checks performed on the \fIinput_token\fR failed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR
+.ad
+.sp .6
+.RS 4n
+Consistency checks performed on the credential failed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.sp .6
+.RS 4n
+The supplied credentials are not valid for context acceptance, or the credential handle does not reference any credentials.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.sp .6
+.RS 4n
+The referenced credentials have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_BINDINGS\fR\fR
+.ad
+.sp .6
+.RS 4n
+The \fIinput_token\fR contains different channel bindings than those specified by means of the \fIinput_chan_bindings\fR parameter.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_SIG\fR\fR
+.ad
+.sp .6
+.RS 4n
+The \fIinput_token\fR contains an invalid \fBMIC\fR or a \fBMIC\fR that cannot be verified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_OLD_TOKEN\fR\fR
+.ad
+.sp .6
+.RS 4n
+The \fIinput_token\fR is too old. This is a fatal error while establishing context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR
+.ad
+.sp .6
+.RS 4n
+The \fIinput_token\fR is valid, but it is a duplicate of a token already processed. This is a fatal error while establishing context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.sp .6
+.RS 4n
+The supplied context handle does not refer to a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The provided \fItarget_name\fR parameter contains an invalid or unsupported \fIname\fR type.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.sp .6
+.RS 4n
+The supplied \fItarget_name\fR parameter is ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_MECH\fR\fR
+.ad
+.sp .6
+.RS 4n
+The token received specifies a mechanism that is not supported by the implementation or the provided credential.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH EXAMPLES
+.LP
+\fBExample 1 \fRInvoking \fBgss_init_sec_context()\fR Within a Loop
+.sp
+.LP
+A typical portable caller should always invoke \fBgss_init_sec_context()\fR within a loop:
+
+.sp
+.in +2
+.nf
+int context_established = 0;
+gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+       ...
+input_token->length = 0;
+
+while (!context_established) {
+  maj_stat = gss_init_sec_context(&min_stat,
+                                  cred_hdl,
+                                  &context_hdl,
+                                  target_name,
+                                  desired_mech,
+                                  desired_services,
+                                  desired_time,
+                                  input_bindings,
+                                  input_token,
+                                  &actual_mech,
+                                  output_token,
+                                  &actual_services,
+                                  &actual_time);
+  if (GSS_ERROR(maj_stat)) {
+    report_error(maj_stat, min_stat);
+  };
+
+  if (output_token->length != 0) {
+    send_token_to_peer(output_token);
+    gss_release_buffer(&min_stat, output_token)
+  };
+  if (GSS_ERROR(maj_stat)) {
+
+    if (context_hdl != GSS_C_NO_CONTEXT)
+      gss_delete_sec_context(&min_stat,
+                             &context_hdl,
+                             GSS_C_NO_BUFFER);
+    break;
+  };
+  if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+    receive_token_from_peer(input_token);
+  } else {
+    context_established = 1;
+  };
+};
+.fi
+.in -2
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_get_mic\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
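Review bot: In Example 1 the call `gss_release_buffer(&min_stat, output_token)` has no terminating semicolon, so the sample loop does not compile as written; add the `;`. In the ERRORS list of the same page, GSS_S_NO_CRED is described as credentials that "are not valid for context acceptance", which reads like text carried over from the acceptor page; for gss_init_sec_context() it should say context initiation. The ret_flags bullet also has "and it indicate by means of", which should be "indicates".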
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_inquire_context.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,285 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_inquire_context 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_inquire_context \- obtain information about a security context
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_inquire_context\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR,\fBgss_name_t *\fR\fIsrc_name\fR,
+     \fBgss_name_t *\fR\fItarg_name\fR, \fBOM_uint32 *\fR\fIlifetime_rec\fR,
+     \fBgss_OID *\fR\fImech_type\fR, \fBOM_uint32 *\fR\fIctx_flags\fR,
+     \fBint *\fR\fIlocally_initiated\fR, \fBint *\fR\fIopen\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_inquire_context()\fR function obtains information about a security context. The caller must already have obtained a handle that refers to the context, although the context need not be fully established.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_inquire_context()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 21n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 21n
+.rt  
+A handle that refers to the security context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIsrc_name\fR\fR
+.ad
+.RS 21n
+.rt  
+The name of the context initiator. If the context was established using anonymous authentication, and if the application invoking \fBgss_inquire_context()\fR is the context acceptor, an anonymous name is returned.  Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItarg_name\fR\fR
+.ad
+.RS 21n
+.rt  
+The name of the context acceptor. Storage associated with this name must be freed by the application after use with a call to \fBgss_release_name()\fR. If the context acceptor did not authenticate itself, and if the initiator did not specify a target name in its call to \fBgss_init_sec_context()\fR, the value \fBGSS_C_NO_NAME\fR is returned. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIlifetime_rec\fR\fR
+.ad
+.RS 21n
+.rt  
+The number of seconds for which the context will remain valid. If the context has expired, this parameter will be set to zero. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.RS 21n
+.rt  
+The security mechanism providing the context. The returned \fBOID\fR is a pointer to static storage that should be treated as read-only by the application; in particular, the application should not attempt to free it. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIctx_flags\fR\fR
+.ad
+.RS 21n
+.rt  
+Contains various independent flags, each of which indicates that the context supports (or is expected to support, if \fBctx_open\fR is false) a specific service option. If not needed, specify \fBNULL\fR.  Symbolic names are provided for each flag, and the symbolic names corresponding to the required flags should be logically \fBAND\fRed with the \fBret_flags\fR value to test whether a given option is supported by the context.  The flags are:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_DELEG_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, credentials were delegated from the initiator to the acceptor. If false, no credentials were delegated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_MUTUAL_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, the acceptor was authenticated to the initiator. If false, the acceptor did not authenticate itself.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_REPLAY_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, the replay of protected messages will be detected. If false, replayed messages will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_SEQUENCE_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, out-of-sequence protected messages will be detected. If false, out-of-sequence messages will not be detected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_CONF_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, confidential service may be invoked by calling the \fBgss_wrap\fR(3GSS) routine. If false, no confidential service is available through \fBgss_wrap()\fR. \fBgss_wrap()\fR provides message encapsulation, data-origin authentication, and integrity services only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_INTEG_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, integrity service can be invoked by calling either the \fBgss_get_mic()\fR or the \fBgss_wrap()\fR routine. If false, per-message integrity service is unavailable.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_ANON_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, the initiator's identity is not revealed to the acceptor. The \fIsrc_name\fR parameter, if requested, contains an anonymous internal name. If false, the initiator has been authenticated normally.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_PROT_READY_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, the protection services, as specified by the states of the \fBGSS_C_CONF_FLAG\fR and \fBGSS_C_INTEG_FLAG\fR, are available for use. If false, they are available only if the context is fully established, that is, if the \fIopen\fR parameter is non-zero.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_C_TRANS_FLAG\fR\fR
+.ad
+.RS 25n
+.rt  
+If true, resultant security context can be transferred to other processes through a call to \fBgss_export_sec_context()\fR. If false, the security context is not transferable.
+.RE
+
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIlocally_initiated\fR\fR
+.ad
+.RS 21n
+.rt  
+Non-zero if the invoking application is the context initiator. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIopen\fR\fR
+.ad
+.RS 21n
+.rt  
+Non-zero if the context is fully established; zero if a context-establishment token is expected from the peer application. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_inquire_context()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 20n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 20n
+.rt  
+The referenced context could not be accessed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 20n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_context_time\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_export_sec_context\fR(3GSS), \fBgss_import_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_process_context_token\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBgss_wrap_size_limit\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
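Review bot: The ctx_flags description refers to `ctx_open` and to ANDing with the `ret_flags` value, but neither name is a parameter of gss_inquire_context(); the SYNOPSIS calls them `open` and `ctx_flags`. A caller deciding whether confidentiality or integrity is actually available needs these names to match, so please change them to `\fIopen\fR` and `\fIctx_flags\fR` (italic, as the other parameter references are). In the GSS_C_CONF_FLAG entry the last sentence ("gss_wrap() provides message encapsulation, data-origin authentication, and integrity services only") describes the false case and would be clearer joined to the preceding sentence. The SYNOPSIS is also missing a space after the comma in `\fIcontext_handle\fR,\fBgss_name_t *\fR`.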
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_inquire_cred.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,174 @@
+'\" te
+.\" Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH gss_inquire_cred 3GSS "30 Jan 2004" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_inquire_cred \- obtain information about a credential
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ]
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_inquire_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_cred_id_t\fR \fIcred_handle\fR,\fBgss_name_t *\fR\fIname\fR,
+     \fBOM_uint32 *\fR\fIlifetime\fR, \fBgss_cred_usage_t *\fR\fIcred_usage\fR,
+     \fBgss_OID_set *\fR\fImechanisms\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_inquire_cred()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_handle\fR\fR
+.ad
+.RS 16n
+.rt  
+Handle that refers to the target credential. Specify \fBGSS_C_NO_CREDENTIAL\fR to inquire about the default initiator principal.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname\fR\fR
+.ad
+.RS 16n
+.rt  
+Name of the identity asserted by the credential. Any storage associated with this name should be freed by the application after use by a call to \fBgss_release_name\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIlifetime\fR\fR
+.ad
+.RS 16n
+.rt  
+Number of seconds for which the credential remains valid. If the credential has expired, this parameter will be set to zero. Specify \fBNULL\fR if the parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage\fR\fR
+.ad
+.RS 16n
+.rt  
+Flag that indicates how a credential is used. The \fIcred_usage\fR parameter may contain one of the following values: \fBGSS_C_INITIATE\fR, \fBGSS_C_ACCEPT\fR, or \fBGSS_C_BOTH\fR. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImechanisms\fR\fR
+.ad
+.RS 16n
+.rt  
+Set of mechanisms supported by the credential. Storage for the returned \fBOID\fR-set must be freed by the application after use by a call to \fBgss_release_oid_set\fR(3GSS). Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+Use the \fBgss_inquire_cred()\fR function to obtain information about a credential.
+.SH RETURN VALUES
+.sp
+.LP
+The \fBgss_inquire_cred()\fR function can return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 30n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials could not be accessed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials were invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials have expired. If the \fIlifetime\fR parameter was not passed as \fBNULL\fR, it will be set to \fB0\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 30n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_name\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBlibgss\fR(3LIB), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
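Review bot: The `name` parameter description is the only output parameter on this page that does not say whether NULL may be passed; `lifetime`, `cred_usage` and `mechanisms` all end with "Specify NULL if the parameter is not required". Please state the NULL behaviour for `name` too, since callers that only want the lifetime will otherwise have to guess and may leak the returned name. Two consistency points: this page uses the heading RETURN VALUES where the sibling pages in this changeset use ERRORS, and the .TH date is still "30 Jan 2004" although the copyright line was updated to 2015.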
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_inquire_cred_by_mech.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,193 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_inquire_cred_by_mech 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_inquire_cred_by_mech \- obtain per-mechanism information about a credential
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_inquire_cred_by_mech\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_cred_id_t\fR \fIcred_handle\fR,\fBconst gss_OID\fR \fImech_type\fR,
+     \fBgss_name_t *\fR\fIname\fR, \fBOM_uint32 *\fR\fIinitiator_lifetime\fR,
+     \fBOM_uint32 *\fR\fIacceptor_lifetime\fR, \fBgss_cred_usage_t *\fR\fIcred_usage\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.ne 2
+.mk
+.na
+\fB\fIacceptor_lifetime\fR\fR
+.ad
+.RS 22n
+.rt  
+The number of seconds that the credential is capable of accepting security contexts under the specified mechanism. If the credential can no longer be used to accept contexts, or if the credential usage for this mechanism is \fBGSS_C_INITIATE\fR, this parameter will be set to \fB0\fR. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_handle\fR\fR
+.ad
+.RS 22n
+.rt  
+A handle that refers to the target credential. Specify \fBGSS_C_NO_CREDENTIAL\fR to inquire about the default initiator principal.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage\fR\fR
+.ad
+.RS 22n
+.rt  
+How the credential may be used with the specified mechanism. The \fIcred_usage\fR parameter may contain one of the following values: \fBGSS_C_INITIATE\fR, \fBGSS_C_ACCEPT\fR, or \fBGSS_C_BOTH\fR. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinitiator_lifetime\fR\fR
+.ad
+.RS 22n
+.rt  
+The number of seconds that the credential is capable of initiating security contexts under the specified mechanism. If the credential can no longer be used to initiate contexts, or if the credential usage for this mechanism is \fBGSS_C_ACCEPT\fR, this parameter will be set to \fB0\fR. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_type\fR\fR
+.ad
+.RS 22n
+.rt  
+The mechanism for which the information should be returned.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 22n
+.rt  
+A mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname\fR\fR
+.ad
+.RS 22n
+.rt  
+The name whose identity the credential asserts. Any storage associated with this \fIname\fR must be freed by the application after use by a call to \fBgss_release_name\fR(3GSS). 
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_inquire_cred_by_mech()\fR function obtains per-mechanism information about a credential.  
+.SH ERRORS
+.sp
+.LP
+The \fBgss_inquire_cred_by_mech()\fR function can return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 30n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The credentials cannot be added because they have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_CREDENTIAL\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials are invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 30n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 30n
+.rt  
+The referenced credentials cannot be accessed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNAVAILABLE\fR\fR
+.ad
+.RS 30n
+.rt  
+The \fBgss_inquire_cred_by_mech()\fR function is not available for the specified mechanism type.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_name\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
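Review bot: The GSS_S_CREDENTIALS_EXPIRED entry says "The credentials cannot be added because they have expired", but gss_inquire_cred_by_mech() only inquires about a credential and adds nothing; the wording looks copied from an add-credential page. Suggest "The referenced credentials have expired", matching the wording of the other entries here. The `name` description also omits the "Specify NULL if this parameter is not required" sentence that the lifetime and cred_usage parameters carry, and PARAMETERS has no introductory sentence and is ordered alphabetically rather than in signature order, unlike gss_inquire_cred.3gss.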
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_inquire_mechs_for_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,131 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_inquire_mechs_for_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_inquire_mechs_for_name \- list mechanisms that support the specified name-type
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_inquire_mechs_for_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_name_t\fR \fIinput_name\fR,\fBgss_OID_set *\fR\fImech_types\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_inquire_mechs_for_name()\fR function returns the set of mechanisms supported by the \fBGSS-API\fR that may be able to process the specified name.  Each mechanism returned will recognize at least one element within the internal name.
+.sp
+.LP
+Some implementations of the \fBGSS-API\fR may perform this test by checking nametype information contained within the passed name and registration information provided by individual mechanisms.  This means that the \fImech_types\fR set returned by the function may indicate that a particular mechanism will understand the name, when in fact the mechanism would refuse to accept the name as input to \fBgss_canonicalize_name\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), or \fBgss_add_cred\fR(3GSS), due to some property of the name itself rather than the name-type. Therefore, this function should be used only as a pre-filter for a call to a subsequent mechanism-specific function.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_inquire_mechs_for_name()\fR follow in alphabetical order:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_name\fR\fR
+.ad
+.RS 16n
+.rt  
+The name to which the inquiry relates.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImech_types\fR\fR
+.ad
+.RS 16n
+.rt  
+Set of mechanisms that may support the specified name.  The returned \fBOID\fR set must be freed by the caller after use with a call to \fBgss_release_oid_set\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_inquire_mechs_for_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 22n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fIinput_name\fR parameter was ill-formed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAMETYPE\fR\fR
+.ad
+.RS 22n
+.rt  
+The \fIinput_name\fR parameter contained an invalid or unsupported type of name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 22n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_add_cred\fR(3GSS), \fBgss_canonicalize_name\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
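Review bot: The PARAMETERS lead-in says the descriptions "follow in alphabetical order", but the entries are listed as minor_status, input_name, mech_types, which is signature order. Either drop "in alphabetical order" or reorder the entries. The DESCRIPTION's caveat that the returned set is only a pre-filter is the important point for callers, so it may be worth repeating briefly in the `mech_types` entry, which currently only says the mechanisms "may support" the name.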
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_inquire_names_for_mech.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,106 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_inquire_names_for_mech 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_inquire_names_for_mech \- list the name-types supported by the specified mechanism
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_inquire_names_for_mech\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_OID\fR \fImechanism\fR,\fBgss_OID_set *\fR\fIname_types\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_inquire_names_for_mech()\fR function returns the set of name-types supported by the specified mechanism.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_inquire_names_for_mech()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImechanism\fR\fR
+.ad
+.RS 16n
+.rt  
+The mechanism to be interrogated.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname_types\fR\fR
+.ad
+.RS 16n
+.rt  
+Set of name-types supported by the specified mechanism.  The returned \fBOID\fR set must be freed by the application after use with a call to \fBgss_release_oid_set\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_inquire_names_for_mech()\fR function may return the following values:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_oid_to_str.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,132 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_oid_to_str 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_oid_to_str \- convert an OID to a string
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fB\fR\fBgss_oid_to_str\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBconst gss_OID\fR \fIoid\fR,
+     \fBgss_buffer_t\fR\fIoid_str\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Status code returned by underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid\fR\fR
+.ad
+.RS 16n
+.rt  
+\fBGSS-API\fR \fBOID\fR structure to convert.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid_str\fR\fR
+.ad
+.RS 16n
+.rt  
+String to receive converted \fBOID\fR.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_oid_to_str()\fR function converts a \fBGSS-API\fR \fBOID\fR structure to a string. You can use the function to convert the name of a mechanism from an \fBOID\fR to a simple string. This function is a convenience function, as is its complementary function, \fBgss_str_to_oid\fR(3GSS).
+.sp
+.LP
+If an \fBOID\fR must be created, use \fBgss_create_empty_oid_set\fR(3GSS) and \fBgss_add_oid_set_member\fR(3GSS) to create it.  \fBOID\fRs created in this way must be released with \fBgss_release_oid_set\fR(3GSS). However, it is strongly suggested that applications use the default \fBGSS-API\fR mechanism instead of creating an \fBOID\fR for a specific mechanism.
+.SH ERRORS
+.sp
+.LP
+The \fBgss_oid_to_str()\fR function returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR
+.ad
+.sp .6
+.RS 4n
+A required input parameter could not be read.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CALL_INACCESSIBLE_WRITE\fR\fR
+.ad
+.sp .6
+.RS 4n
+A required output parameter could not be written.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_add_oid_set_member\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBgss_str_to_oid\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
+.SH WARNINGS
+.sp
+.LP
+This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function.
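Review bot: The SYNOPSIS prototype has no return type: it begins `\fB\fR\fBgss_oid_to_str\fR(` with an empty bold span where the sibling pages have `\fBOM_uint32\fR`, and the ERRORS section says the function returns status codes. Please restore the return type, and add the missing space in `\fBgss_buffer_t\fR\fIoid_str\fR`. In DESCRIPTION, the paragraph "If an OID must be created, use gss_create_empty_oid_set(3GSS) and gss_add_oid_set_member(3GSS) to create it" names functions that build OID sets, and says the result is released with gss_release_oid_set(3GSS); the sentence should say OID set, not OID. The WARNINGS text still says "Sun might not continue to support this function" under a 2011 Oracle copyright.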
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_process_context_token.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,131 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_process_context_token 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_process_context_token \- pass asynchronous token to security service
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_process_context_token\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR,\fBconst gss_buffer_t\fR \fItoken_buffer\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_process_context_token()\fR function provides a way to pass an asynchronous token to the security service. Most context-level tokens are emitted and processed synchronously by \fBgss_init_sec_context()\fR and \fBgss_accept_sec_context()\fR, and the application is informed as to whether further tokens are expected by the \fBGSS_C_CONTINUE_NEEDED\fR major status bit. Occasionally, a mechanism might need to emit a context-level token at a point when the peer entity is not expecting a token. For example, the initiator's final call to \fBgss_init_sec_context()\fR may emit a token and return a status of \fBGSS_S_COMPLETE\fR, but the acceptor's call to \fBgss_accept_sec_context()\fR might fail. The acceptor's mechanism might want to send a token containing an error indication to the initiator, but the initiator is not expecting a token at this point, believing that the context is fully established. \fBgss_process_context_token()\fR provides a way to pass such a token to the mechanism at any time.
+.sp
+.LP
+This function is provided for compatibility with the \fBGSS-API\fR version 1. Because \fBgss_delete_sec_context()\fR no longer returns a valid \fIoutput_token\fR to be sent to \fBgss_process_context_token()\fR, applications using a newer version of the \fBGSS-API\fR do not need to rely on this function.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_process_context_token()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 18n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 18n
+.rt  
+Context handle of context on which token is to be processed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItoken_buffer\fR\fR
+.ad
+.RS 18n
+.rt  
+Token to process.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_process_context_token()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+Indicates that consistency checks performed on the token failed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR did not refer to a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_delete_sec_context\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+\fI\fR
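Review bot: the page ends with an empty font pair ("\fI\fR") after a dangling ".sp"/".LP" under SEE ALSO; those three trailing lines produce nothing and should be dropped. The ATTRIBUTES row is written "MT Level" here, while gss_release_buffer.3gss and most sibling pages in this changeset write "MT-Level"; pick one spelling. As shown, "tab()" carries no separator character and the two table cells run together ("ATTRIBUTE TYPEATTRIBUTE VALUE"), so confirm the committed file still has the separator byte. In the SYNOPSIS, add the space after the comma before "\fBconst gss_buffer_t\fR".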
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_release_buffer.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,94 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_release_buffer 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_release_buffer \- free buffer storage allocated by a GSS-API function
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_release_buffer\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBgss_buffer_t\fR\fIbuffer\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+ The \fBgss_release_buffer()\fR function frees buffer storage allocated by a \fBGSS-API\fR function. The \fBgss_release_buffer()\fR function also zeros the length field in the descriptor to which the buffer parameter refers, while the \fBGSS-API\fR function sets the pointer field in the descriptor to \fBNULL\fR. Any buffer object returned by a \fBGSS-API\fR function may be passed to \fBgss_release_buffer()\fR, even if no storage is associated with the buffer.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_release_buffer()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIbuffer\fR\fR
+.ad
+.RS 16n
+.rt  
+The storage associated with the buffer will be deleted.  The \fBgss_buffer_desc()\fR object will not be freed; however, its length field will be zeroed.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_release_buffer()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBattributes\fR(5)
+.sp
+.LP
+
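Review bot: the DESCRIPTION does not say which function clears the pointer. It reads "also zeros the length field ... while the GSS-API function sets the pointer field in the descriptor to NULL", which leaves a caller unable to tell whether the pointer field can be tested after release. State directly what gss_release_buffer() does to each field of the descriptor. In the SYNOPSIS the type and parameter name run together ("\fBgss_buffer_t\fR\fIbuffer\fR"); add the space. The buffer parameter text writes "gss_buffer_desc()" with parentheses although it describes an object, not a function.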
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_release_cred.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,106 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_release_cred 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_release_cred \- discard a credential handle
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_release_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBgss_cred_id_t *\fR\fIcred_handle\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_release_cred()\fR function informs the \fBGSS-API\fR that the specified credential handle is no longer required by the application and frees the associated resources. The \fIcred_handle\fR parameter is set to \fBGSS_C_NO_CREDENTIAL\fR when this call completes successfully.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_release_cred()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_handle\fR\fR
+.ad
+.RS 16n
+.rt  
+An opaque handle that identifies the credential to be released. If \fBGSS_C_NO_CREDENTIAL\fR is specified, the \fBgss_release_cred()\fR function will complete successfully, but it will do nothing.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_release_cred()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CRED\fR\fR
+.ad
+.RS 18n
+.rt  
+The referenced credentials cannot be accessed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBattributes\fR(5)
+.sp
+.LP
+
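Review bot: the DESCRIPTION says cred_handle is set to GSS_C_NO_CREDENTIAL when the call completes successfully but is silent on the handle's state after GSS_S_NO_CRED or GSS_S_FAILURE. Add a sentence saying whether the handle is left unchanged in those cases, so callers know if it may be reused or released again. Also, minor_status is described as "A mechanism specific status code." without the hyphen that the GSS_S_FAILURE text on the same page uses ("mechanism-specific").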
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_release_name.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,105 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_release_name 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_release_name \- discard an internal-form name
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [\fIflag \&.\|.\|.\fR] \fIfile\fR\&.\|.\|. \fB-lgss\fR [\fIlibrary \&.\|.\|.\fR] 
+#include <gssapi/gssapi.h
+
+\fBOM_uint32\fR \fBgss_release_name\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBgss_name_t *\fR\fIname\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_release_name()\fR function frees \fBGSS-API\fR-allocated storage associated with an internal-form name.  The \fIname\fR is set to \fBGSS_C_NO_NAME\fR on successful completion of this call.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_release_name()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIname\fR\fR
+.ad
+.RS 16n
+.rt  
+The name to be deleted.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_release_name()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_NAME\fR\fR
+.ad
+.RS 18n
+.rt  
+The \fIname\fR parameter did not contain a valid name.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBattributes\fR(5)
+.sp
+.LP
+
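Review bot: the SYNOPSIS include line is missing its closing angle bracket: "#include <gssapi/gssapi.h" should be "#include <gssapi/gssapi.h>". The cc line on this page also uses a different ellipsis markup ("\&.\|.\|.") from the other pages in this changeset, which write "\fIflag\fR..."; align it with them. The DESCRIPTION says name is set to GSS_C_NO_NAME on success but does not say what a caller should assume about it after GSS_S_BAD_NAME.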
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_release_oid.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,101 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_release_oid 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_release_oid \- release an object identifier
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fB\fR\fBgss_release_oid\fR(\fBOM_uint32 *\fR\fIminor_status\fR, \fBconst gss_OID *\fR\fIoid\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_release_oid()\fR function deletes an \fBOID\fR. Such an \fBOID\fR might have been created with \fBgss_str_to_oid()\fR.
+.sp
+.LP
+Since creating and deleting individual \fBOID\fRs is discouraged, it is preferable to use \fBgss_release_oid_set()\fR if it is necessary to deallocate a set of \fBOID\fRs.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_release_oid()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid\fR\fR
+.ad
+.RS 16n
+.rt  
+The object identifier of the mechanism to be deleted.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_release_oid()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_oid_set\fR(3GSS), \fBgss_str_to_oid\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
+.SH WARNINGS
+.sp
+.LP
+This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function.
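Review bot: the SYNOPSIS prototype has no return type. It opens with an empty "\fB\fR" before gss_release_oid, while ERRORS says the function returns GSS status codes; the sibling pages declare OM_uint32 here. The oid parameter is declared "const gss_OID *" for a function whose purpose is to delete the OID, so check that against the delivered header. The WARNINGS text still says "Sun might not continue to support this function" under an Oracle copyright line. The attribute row reads "MT Level" rather than "MT-Level". There is also an empty ".sp"/".LP" pair left between SEE ALSO and WARNINGS.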
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_release_oid_set.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,97 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_release_oid_set 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_release_oid_set \- free storage associated with a GSS-API-generated gss_OID_set object
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_release_oid_set\fR(\fBOM_uint32  *\fR\fIminor_status\fR, \fBgss_OID_set  *\fR\fIset\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_release_oid_set()\fR function frees storage associated with a \fBGSS-API\fR-generated \fBgss_OID_set\fR object. The \fIset\fR parameter must refer to an \fBOID\fR-set that was returned from a \fBGSS-API\fR function. The \fBgss_release_oid_set()\fR function will free the storage associated with each individual member \fBOID\fR, the \fBOID\fR \fIset\fR's elements array, and \fBgss_OID_set_desc\fR.
+.sp
+.LP
+\fBgss_OID_set\fR is set to \fBGSS_C_NO_OID_SET\fR on successful completion of this function.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_release_oid_set()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIset\fR\fR
+.ad
+.RS 16n
+.rt  
+Storage associated with the \fBgss_OID_set\fR will be deleted 
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_release_oid_set()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBattributes\fR(5)
+.sp
+.LP
+
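Review bot: the second DESCRIPTION paragraph names the type instead of the argument. "\fBgss_OID_set\fR is set to GSS_C_NO_OID_SET" should refer to the caller's \fIset\fR parameter, since that is what the function overwrites. The minor_status and set parameter descriptions and the GSS_S_COMPLETE entry lack the closing full stop that the other entries have, and the set description ends in a trailing space.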
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_store_cred.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,224 @@
+'\" te
+.\" Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+.TH gss_store_cred 3GSS "30 Jun 2005" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_store_cred \- store a credential in the current credential store
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR [ \fIlibrary\fR... ]
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_store_cred\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_cred_id_t\fR \fIinput_cred\fR, \fBconst gss_cred_usage_t\fR \fIcred_usage\fR,
+     \fBconst gss_OID\fR \fIdesired_mech\fR, \fBOM_uint32\fR \fIoverwrite_cred\fR,
+     \fBOM_uint32\fR \fIdefault_cred\fR, \fBgss_OID_set *\fR\fIelements_stored\fR,
+     \fBgss_cred_usage_t *\fR\fIcred_usage_stored\fR);
+.fi
+
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_store_cred()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_cred\fR\fR
+.ad
+.RS 21n
+.rt  
+The credential to be stored.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage\fR\fR
+.ad
+.RS 21n
+.rt  
+This parameter specifies whether to store an initiator, an acceptor, or both usage components of a credential.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdesired_mech\fR\fR
+.ad
+.RS 21n
+.rt  
+The mechanism-specific component of a credential to be stored. If \fBGSS_C_NULL_OID\fR is specified, the \fBgss_store_cred()\fR function attempts to store all the elements of the given \fIinput_cred_handle\fR.
+.sp
+The \fBgss_store_cred()\fR function is not atomic when storing multiple elements of a credential. All delegated credentials, however, contain a single element.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoverwrite_cred\fR\fR
+.ad
+.RS 21n
+.rt  
+A boolean that indicates whether to overwrite existing credentials in the current store for the same principal as that of the \fIinput_cred_handle\fR. A non-zero value indicates that credentials are overwritten. A zero value indicates that credentials are not overwritten.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIdefault_cred\fR\fR
+.ad
+.RS 21n
+.rt  
+A boolean that indicates whether to set the principal name of the \fIinput_cred_handle\fR parameter as the default of the current credential store. A non-zero value indicates that the principal name is set as the default. A zero value indicates that the principal name is not set as the default. The default principal of a credential store matches \fBGSS_C_NO_NAME\fR as the \fIdesired_name\fR input parameter for \fBgss_store_cred\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIelements_stored\fR\fR
+.ad
+.RS 21n
+.rt  
+The set of mechanism \fBOID\fRs for which \fIinput_cred_handle\fR elements have been stored.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcred_usage_stored\fR\fR
+.ad
+.RS 21n
+.rt  
+The stored \fIinput_cred_handle\fR usage elements: initiator, acceptor, or both.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 21n
+.rt  
+Minor status code that is specific to one of the following: the mechanism identified by the \fIdesired_mech_element\fR parameter, or the element of a single mechanism in the \fIinput_cred_handle\fR. In all other cases, \fIminor_status\fR has an undefined value on return.
+.RE
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_store_cred()\fR function stores a credential in the the current GSS-API credential store for the calling process. Input credentials can be re-acquired through \fBgss_add_cred\fR(3GSS) and \fBgss_acquire_cred\fR(3GSS).
+.sp
+.LP
+The \fBgss_store_cred()\fR function is specifically intended to make delegated credentials available to a user's login session.
+.sp
+.LP
+The \fBgss_accept_sec_context()\fR function can return a delegated GSS-API credential to its caller. The function does not store delegated credentials to be acquired through \fBgss_add_cred\fR(3GSS). Delegated credentials can be used only by a receiving process unless they are made available for acquisition by calling the \fBgss_store_cred()\fR function.
+.sp
+.LP
+The Solaris Operating System supports a single GSS-API credential store per user. The current GSS-API credential store of a process is determined by its effective UID.
+.sp
+.LP
+In general, acceptor applications should switch the current credential store by changing the effective UID before storing a delegated credential.
+.SH RETURN VALUES
+.sp
+.LP
+The \fBgss_store_cred()\fR can return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CREDENTIALS_EXPIRED\fR\fR
+.ad
+.sp .6
+.RS 4n
+The credentials could not be stored because they have expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR
+.ad
+.sp .6
+.RS 4n
+No input credentials were given.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNAVAILABLE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The credential store is unavailable.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_ELEMENT\fR\fR
+.ad
+.sp .6
+.RS 4n
+The credentials could not be stored because the \fIoverwrite_cred\fR input parameter was set to false (\fB0\fR) and the \fIinput_cred\fR parameter conflicts with a credential in the current credential store.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined. The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityUncommitted
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_accept_sec_context\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), \fBgss_add_cred\fR(3GSS), \fBgss_init_sec_context\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBgss_release_cred\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
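Review bot: the parameter names in the text do not match the SYNOPSIS. The prototype declares input_cred and desired_mech, but the descriptions refer to input_cred_handle (under desired_mech, overwrite_cred, default_cred, elements_stored, cred_usage_stored and minor_status) and to desired_mech_element (under minor_status); use the prototype's names throughout. The default_cred text cites "the desired_name input parameter for gss_store_cred(3GSS)", but gss_store_cred() has no desired_name parameter, so the cross-reference points at the wrong function. The DESCRIPTION contains "in the the current". The .TH date is "30 Jun 2005" while the copyright line says 2015. Since the credential store is selected by effective UID, the paragraph telling acceptors to change the effective UID before storing would be clearer if it said which user's UID is meant and that the process should switch back afterwards.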
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_str_to_oid.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,135 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_str_to_oid 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_str_to_oid \- convert a string to an OID
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_str_to_oid\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_buffer_t\fR \fIoid_str\fR,\fBgss_OID *\fR\fIoid\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_str_to_oid()\fR function converts a string to a \fBGSS-API\fR \fBOID\fR structure. You can use the function to convert a simple string to an \fBOID\fR to . This function is a convenience function, as is its complementary function, \fBgss_oid_to_str\fR(3GSS).
+.sp
+.LP
+\fBOID\fRs created with \fBgss_str_to_oid()\fR must be deallocated through \fBgss_release_oid\fR(3GSS), if available. If an \fBOID\fR must be created, use \fBgss_create_empty_oid_set\fR(3GSS) and \fBgss_add_oid_set_member\fR(3GSS) to create it. \fBOID\fRs created in this way must be released with \fBgss_release_oid_set\fR(3GSS). However, it is strongly suggested that applications use the default \fBGSS-API\fR mechanism instead of creating an \fBOID\fR for a specific mechanism.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_str_to_oid()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+Status code returned by underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid\fR\fR
+.ad
+.RS 16n
+.rt  
+\fBGSS-API\fR \fBOID\fR structure to receive converted string.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoid_str\fR\fR
+.ad
+.RS 16n
+.rt  
+String to convert.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_str_to_oid()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CALL_INACCESSIBLE_READ\fR\fR
+.ad
+.sp .6
+.RS 4n
+A required input parameter could not be read.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CALL_INACCESSIBLE_WRITE\fR\fR
+.ad
+.sp .6
+.RS 4n
+A required output parameter could not be written.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.sp .6
+.RS 4n
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_add_oid_set_member\fR(3GSS), \fBgss_create_empty_oid_set\fR(3GSS), \fBgss_oid_to_str\fR(3GSS), \fBgss_release_oid_set\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
+.SH WARNINGS
+.sp
+.LP
+This function is included for compatibility only with programs using earlier versions of the \fBGSS-API\fR and should not be used for new programs. Other implementations of the \fBGSS-API\fR might not support this function, so portable programs should not rely on it. Sun might not continue to support this function.
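Review bot: the first DESCRIPTION paragraph contains a truncated sentence, "You can use the function to convert a simple string to an OID to ."; complete it or delete it. The next paragraph requires release through gss_release_oid(3GSS), yet SEE ALSO does not list that page. The attribute row reads "MT Level" rather than "MT-Level", and WARNINGS still names Sun under an Oracle copyright. PARAMETERS lists oid before oid_str, which is the reverse of the prototype order.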
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_test_oid_set_member.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,118 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_test_oid_set_member 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_test_oid_set_member \- interrogate an object identifier set
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_test_oid_set_member\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_OID\fR \fImember\fR,\fBconst gss_OID_set\fR \fIset\fR,
+     \fBint *\fR\fIpresent\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_test_oid_set_member()\fR function interrogates an object identifier set to determine if a specified object identifier is a member.  This function should be used with \fBOID\fR sets returned by \fBgss_indicate_mechs\fR(3GSS), \fBgss_acquire_cred\fR(3GSS), and \fBgss_inquire_cred\fR(3GSS), but it will also work with user-generated sets.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_test_oid_set_member()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 16n
+.rt  
+A mechanism-specific status code
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImember\fR\fR
+.ad
+.RS 16n
+.rt  
+An object identifier whose presence is to be tested
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIset\fR\fR
+.ad
+.RS 16n
+.rt  
+An object identifier set.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIpresent\fR\fR
+.ad
+.RS 16n
+.rt  
+The value of \fIpresent\fR is non-zero if the specified \fBOID\fR is a member of the set; if not, the value of \fIpresent\fR is zero. 
+.RE
+
+.SH ERRORS
+.sp
+.LP
+The \fBgss_test_oid_set_member()\fR function may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 18n
+.rt  
+Successful completion
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 18n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_acquire_cred\fR(3GSS), \fBgss_indicate_mechs\fR(3GSS), \fBgss_inquire_cred\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
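Review bot: in the SYNOPSIS there is no space after the comma before "\fBconst gss_OID_set\fR" ("\fImember\fR,\fBconst gss_OID_set\fR"). The PARAMETERS entries are punctuated inconsistently: minor_status and member have no full stop while set and present do, and the present entry ends in a trailing space. The page should also say what present holds when the call returns GSS_S_FAILURE, since callers branch on it.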
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_unwrap.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,233 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_unwrap 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_unwrap \- verify a message with attached cryptographic message
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_unwrap\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR,
+     \fBconst gss_buffer_t\fR \fIinput_message_buffer\fR,
+     \fBgss_buffer_t\fR \fIoutput_message_buffer\fR, \fBint *\fR\fIconf_state\fR,
+     \fBgss_qop_t *\fR\fIqop_state\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_unwrap()\fR function converts a message previously protected by \fBgss_wrap\fR(3GSS) back to a usable form, verifying the embedded \fBMIC\fR. The \fIconf_state\fR parameter indicates whether the message was encrypted; the \fIqop_state\fR parameter indicates the strength of protection that was used to provide the confidentiality and integrity services.
+.sp
+.LP
+Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR supports the wrapping and unwrapping of zero-length messages.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_unwrap()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 25n
+.rt  
+The status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 25n
+.rt  
+Identifies the context on which the message arrived.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_message_buffer\fR\fR
+.ad
+.RS 25n
+.rt  
+The message to be protected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_message_buffer\fR\fR
+.ad
+.RS 25n
+.rt  
+The buffer to receive the unwrapped message. Storage associated with this buffer must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIconf_state\fR\fR
+.ad
+.RS 25n
+.rt  
+If the value of \fIconf_state\fR is non-zero, then confidentiality and integrity protection were used. If the value is zero, only integrity service was used. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIqop_state\fR\fR
+.ad
+.RS 25n
+.rt  
+Specifies the quality of protection provided. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_unwrap()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token failed consistency checks.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_SIG\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fBMIC\fR was incorrect.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid, and contained a correct \fBMIC\fR for the message, but it had already been processed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_OLD_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid, and contained a correct \fBMIC\fR for the message, but it is too old to check for duplication.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNSEQ_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid, and contained a correct \fBMIC\fR for the message, but has been verified out of sequence; a later token has already been received.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_GAP_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid, and contained a correct \fBMIC\fR for the message, but has been verified out of sequence; an earlier expected token has not yet been received.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has already expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR parameter did not identify a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_buffer\fR(3GSS), \fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
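Review bot: the input_message_buffer description, "The message to be protected.", is wrong for this function; the argument is the already protected message that gss_unwrap() converts back, as the DESCRIPTION states. The NAME line, "verify a message with attached cryptographic message", is garbled and does not mention unwrapping. The conf_state entry says a zero value means only integrity service was used; since that case still returns GSS_S_COMPLETE per the ERRORS list, it is worth a sentence telling callers that require confidentiality to test conf_state rather than the major status alone.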
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_verify_mic.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,220 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_verify_mic 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_verify_mic \- verify integrity of a received message
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_verify_mic\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBconst gss_buffer_t\fR \fImessage_buffer\fR,
+     \fBconst gss_buffer_t\fR \fItoken_buffer\fR, \fBgss_qop_t *\fR\fIqop_state\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_verify_mic()\fR function verifies that a cryptographic \fBMIC\fR, contained in the token parameter, fits the supplied message. The \fIqop_state\fR parameter allows a message recipient to determine the strength of protection that was applied to the message.
+.sp
+.LP
+Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap\fR(3GSS) to provide secure framing, the \fBGSS-API\fR supports the calculation and verification of \fBMIC\fRs over zero-length messages.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_verify_mic()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 18n
+.rt  
+The status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 18n
+.rt  
+Identifies the context on which the message arrived.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImessage_buffer\fR\fR
+.ad
+.RS 18n
+.rt  
+The message to be verified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fItoken_buffer\fR\fR
+.ad
+.RS 18n
+.rt  
+The token associated with the message.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIqop_state\fR\fR
+.ad
+.RS 18n
+.rt  
+Specifies the quality of protection gained from the \fBMIC\fR. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_verify_mic()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DEFECTIVE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token failed consistency checks.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_SIG\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fBMIC\fR was incorrect.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_DUPLICATE_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid and contained a correct \fBMIC\fR for the message, but it had already been processed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_OLD_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid and contained a correct \fBMIC\fR for the message, but it is too old to check for duplication.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_UNSEQ_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid and contained a correct \fBMIC\fR for the message, but it has been verified out of sequence; a later token has already been received.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_GAP_TOKEN\fR\fR
+.ad
+.RS 25n
+.rt  
+The token was valid and contained a correct \fBMIC\fR for the message, but it has been verified out of sequence; an earlier expected token has not yet been received.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has already expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR parameter did not identify a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
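Review bot: In ERRORS, GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN and GSS_S_GAP_TOKEN sit in the same flat list as GSS_S_BAD_SIG and GSS_S_DEFECTIVE_TOKEN, although each of the four entries says the token was valid and contained a correct MIC. The page should say that these are supplementary status bits reported alongside a successful verification, so that a caller tests for them explicitly and decides whether a replayed or out-of-sequence message is acceptable instead of reading the return value as a plain pass or fail. Two smaller points: DESCRIPTION says "the token parameter" where the synopsis names it token_buffer, and SEE ALSO lists only gss_wrap(3GSS) and attributes(5), leaving out gss_get_mic(3GSS), which this changeset also delivers.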
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_wrap.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,188 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_wrap 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_wrap \- attach a cryptographic message
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_wrap\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBint\fR \fIconf_req_flag\fR,
+     \fBgss_qop_t\fR \fIqop_req\fR, \fBconst gss_buffer_t\fR \fIinput_message_buffer\fR,
+     \fBint *\fR\fIconf_state\fR, \fBgss_buffer_t\fR \fIoutput_message_buffer\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_wrap()\fR function attaches a cryptographic \fBMIC\fR and optionally encrypts the specified \fIinput_message\fR. The \fIoutput_message\fR contains both the \fBMIC\fR and the message. The \fIqop_req\fR parameter allows a choice between several cryptographic algorithms, if supported by the chosen mechanism.
+.sp
+.LP
+Since some application-level protocols may wish to use tokens emitted by \fBgss_wrap()\fR to provide secure framing, the \fBGSS-API\fR supports the wrapping of zero-length messages.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_wrap()\fR follow:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 25n
+.rt  
+The status code returned by the underlying mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 25n
+.rt  
+Identifies the context on which the message will be sent.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIconf_req_flag\fR\fR
+.ad
+.RS 25n
+.rt  
+If the value of \fIconf_req_flag\fR is non-zero, both confidentiality and integrity services are requested. If the value is zero, then only integrity service is requested.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIqop_req\fR\fR
+.ad
+.RS 25n
+.rt  
+Specifies the required quality of protection. A mechanism-specific default may be requested by setting \fIqop_req\fR to \fBGSS_C_QOP_DEFAULT\fR. If an unsupported protection strength is requested, \fBgss_wrap()\fR will return a \fImajor_status\fR of \fBGSS_S_BAD_QOP\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIinput_message_buffer\fR\fR
+.ad
+.RS 25n
+.rt  
+The message to be protected.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIconf_state\fR\fR
+.ad
+.RS 25n
+.rt  
+If the value of \fIconf_state\fR is non-zero, confidentiality, data origin authentication, and integrity services have been applied. If the value is zero, then integrity services have been applied. Specify \fBNULL\fR if this parameter is not required.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIoutput_message_buffer\fR\fR
+.ad
+.RS 25n
+.rt  
+The buffer to receive the protected message. Storage associated with this message must be freed by the application after use with a call to \fBgss_release_buffer\fR(3GSS).
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_wrap()\fR may return the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has already expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The \fIcontext_handle\fR parameter did not identify a valid context.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_QOP\fR\fR
+.ad
+.RS 25n
+.rt  
+The specified \fBQOP\fR is not supported by the mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5)  for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_release_buffer\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
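Review bot: The NAME line reads "gss_wrap \- attach a cryptographic message", which does not match what DESCRIPTION says the function does (attach a MIC and optionally encrypt); something like "attach a cryptographic MIC and optionally encrypt a message" would make the whatis entry accurate. DESCRIPTION also refers to input_message and output_message, while the synopsis and PARAMETERS call them input_message_buffer and output_message_buffer. In the conf_state entry, "If the value is zero, then integrity services have been applied" should say that only integrity and data origin authentication were applied, and it is worth stating that a caller who set conf_req_flag must check conf_state before sending data that needs confidentiality. SEE ALSO could also point to gss_wrap_size_limit(3GSS), which is added in this same changeset.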
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/gss_wrap_size_limit.3gss	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,177 @@
+'\" te
+.\" Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+.TH gss_wrap_size_limit 3GSS "22 Aug 2011" "SunOS 5.12" "Generic Security Services API Library Functions"
+.SH NAME
+gss_wrap_size_limit \- allow application to determine maximum message size with resulting output token of a specified maximum size
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lgss\fR  [ \fIlibrary\fR... ] 
+#include <gssapi/gssapi.h>
+
+\fBOM_uint32\fR \fBgss_process_context_token\fR(\fBOM_uint32 *\fR\fIminor_status\fR,
+     \fBconst gss_ctx_id_t\fR \fIcontext_handle\fR, \fBint\fR  \fIconf_req_flag\fR,
+     \fBgss_qop_t\fR \fIqop_req\fR, \fBOM_uint32\fR \fIreq_output_size\fR,
+     \fBOM_uint32 *\fR\fImax_input_size\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBgss_wrap_size_limit()\fR function allows an application to determine the maximum message size that, if presented to \fBgss_wrap()\fR with the same \fIconf_req_flag\fR and \fIqop_req\fR parameters, results in an output token containing no more than \fIreq_output_size\fR bytes. This call is intended for use by applications that communicate over protocols that impose a maximum message size. It enables the application to fragment messages prior to applying protection. The \fBGSS-API\fR detects invalid \fBQOP\fR values when \fBgss_wrap_size_limit()\fR is called. This routine guarantees only a maximum message size, not the availability of specific \fBQOP\fR values for message protection.
+.sp
+.LP
+Successful completion of \fBgss_wrap_size_limit()\fR does not guarantee that \fBgss_wrap()\fR will be able to protect a message of length \fImax_input_size\fR bytes, since this ability might depend on the availability of system resources at the time that \fBgss_wrap()\fR is called.
+.SH PARAMETERS
+.sp
+.LP
+The parameter descriptions for \fBgss_wrap_size_limit()\fR are as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIminor_status\fR\fR
+.ad
+.RS 19n
+.rt  
+A mechanism-specific status code.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIcontext_handle\fR\fR
+.ad
+.RS 19n
+.rt  
+A handle that refers to the security over which the messages will be sent.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIconf_req_flag\fR\fR
+.ad
+.RS 19n
+.rt  
+Indicates whether \fBgss_wrap()\fR will be asked to apply confidential protection in addition to integrity protection. See \fBgss_wrap\fR(3GSS) for more details.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIqop_req\fR\fR
+.ad
+.RS 19n
+.rt  
+Indicates the level of protection that \fBgss_wrap()\fR will be asked to provide.  See \fBgss_wrap\fR(3GSS) for more details.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIreq_output_size\fR\fR
+.ad
+.RS 19n
+.rt  
+The desired maximum size for tokens emitted by \fBgss_wrap()\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fImax_input_size\fR\fR
+.ad
+.RS 19n
+.rt  
+The maximum input message size that can be presented to \fBgss_wrap()\fR to guarantee that the emitted token will be no larger than \fIreq_output_size\fR bytes.
+.RE
+
+.SH ERRORS
+.sp
+.LP
+\fBgss_wrap_size_limit()\fR returns one of the following status codes:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_COMPLETE\fR\fR
+.ad
+.RS 25n
+.rt  
+Successful completion.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_NO_CONTEXT\fR\fR
+.ad
+.RS 25n
+.rt  
+The referenced context could not be accessed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_CONTEXT_EXPIRED\fR\fR
+.ad
+.RS 25n
+.rt  
+The context has expired.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_BAD_QOP\fR\fR
+.ad
+.RS 25n
+.rt  
+The specified \fBQOP\fR is not supported by the mechanism.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGSS_S_FAILURE\fR\fR
+.ad
+.RS 25n
+.rt  
+The underlying mechanism detected an error for which no specific \fBGSS\fR status code is defined.  The mechanism-specific status code reported by means of the \fIminor_status\fR parameter details the error condition.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+MT LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBgss_wrap\fR(3GSS), \fBattributes\fR(5)
+.sp
+.LP
+
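Review bot: The SYNOPSIS prototype names the wrong function: it declares "\fBOM_uint32\fR \fBgss_process_context_token\fR(" followed by the gss_wrap_size_limit argument list (conf_req_flag, qop_req, req_output_size, max_input_size). It should read gss_wrap_size_limit so the synopsis matches the .TH and NAME lines. In PARAMETERS, the context_handle entry says "A handle that refers to the security over which the messages will be sent", which is missing the word "context". The ATTRIBUTES row reads "MT LevelSafe" here but "MT-LevelSafe" in gss_verify_mic.3gss and gss_wrap.3gss in this changeset; use the hyphenated MT-Level form for consistency.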
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/ja_JP.UTF-8/kerberos.5	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,117 @@
+'\" te
+.\"  Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
+.TH kerberos 5 "2008 年 10 月 1 日" "SunOS 5.12" "標準、環境、マクロ"
+.SH 名前
+kerberos \- Solaris Kerberos 実装の概要
+.SH 機能説明
+.sp
+.LP
+Solaris Kerberos の実装 (以降、「Kerberos」と短縮する場合もあり) によって、ネットワーク環境内のクライアントが認証されるため、セキュアなトランザクションが可能になります。(クライアントはユーザーまたはネットワークサービスです。)Kerberos では、クライアントの同一性および転送されたデータの信頼性が検証されます。Kerberos は「\fIシングルサインオン\fR」システムです。つまり、ユーザーはセッションの開始時にのみ、パスワードを入力する必要があります。Solaris Kerberos は、\fBMIT\fR で開発された Kerberos(TM) システムに基づいて実装され、異機種混在ネットワーク上で Kerberos V5 システムとの互換性があります。
+.sp
+.LP
+Kerberos は、クライアントを一意に識別し、有効期間に限りがある\fIチケット\fRをクライアントに付与することによって動作します。チケットを所有するクライアントは、権限が付与されているネットワークサービスについて自動的に検証されます。たとえば、有効な Kerberos チケットを持つユーザーは、自分自身の身元を証明しなくても、Kerberos が動作している別のマシンに rlogin できます。各クライアントは一意のチケットを持っているため、身元が保証されます。
+.sp
+.LP
+チケットを入手するには、まずクライアントは \fBkinit\fR(1) コマンドまたは \fBPAM\fR モジュールを使用して、Kerberos セッションを初期化する必要があります。(\fBpam_krb5\fR(5) を参照)。\fBkinit\fR によってパスワードを求めるプロンプトが表示され、\fIKey Distribution Center\fR (\fBKDC\fR) との通信が行なわれます。\fBKDC\fR によって、\fIチケット認可チケット\fR (\fBTGT\fR) が返され、パスワードの確認を求めるプロンプトが表示されます。クライアントがパスワードを確認すると、チケット認可チケットを使用して、特定のネットワークサービスのチケットを取得できます。チケットは透過的に付与されるため、ユーザーが管理について心配する必要はありません。\fBklist\fR(1) コマンドを使用すると、現在のチケットを表示できます。
+.sp
+.LP
+チケットは、インストール時に設定されたシステム\fIポリシー\fRに従って有効になります。たとえば、チケットには有効なデフォルトの有効期間があります。root に属するチケットなどの特権チケットの有効期間が非常に短くなるように、ポリシーに追加指示することもできます。ポリシーでは、いくつかのデフォルトルールを上書きできます。たとえば、クライアントは、デフォルトよりも有効期間が長いまたは短いチケットをリクエストできます。
+.sp
+.LP
+\fBkinit\fR を使用すると、チケットを更新できます。チケットは\fI転送可能\fRでもあるため、あるマシン上で付与されたチケットを別のホスト上で使用できます。\fBkdestroy\fR(1) を使用すると、チケットを破棄できます。\fB\&.logout\fR ファイルに \fBkdestroy\fR への呼び出しを含めることをお勧めします。
+.sp
+.LP
+Kerberos では、クライアントは\fI主体\fRと呼ばれます。主体の形式は次のとおりです: 
+.sp
+.in +2
+.nf
+primary/[email protected]
+.fi
+.in -2
+.sp
+
+.sp
+.ne 2
+.mk
+.na
+\fBプライマリノード\fR
+.ad
+.RS 28n
+.rt  
+ユーザー、ホスト、またはサービス。
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fBインスタンス\fR
+.ad
+.RS 28n
+.rt  
+プライマリの資格です。プライマリがキーワード \fBhost\fR で指定されたホストの場合、インスタンスはそのホストの完全指定ドメイン名です。プライマリがユーザーまたはサービスの場合、インスタンスはオプションです。\fBadmin\fR や \fBroot\fR などの一部のインスタンスは特権です。
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fBレルム\fR
+.ad
+.RS 28n
+.rt  
+Kerberos で、ドメインに相当するものです。実際に、ほとんどの場合でレルムは \fBDNS\fR ドメイン名に直接マップされています。Kerberos レルムでは大文字のみが使用されます。主体名の例については、「使用例」を参照してください。
+.RE
+
+.sp
+.LP
+Kerberos では、ユーザー認証以外にも、General Security Services \fBAPI\fR (\fBGSS-API\fR) を利用した 2 種類のセキュリティーサービスが提供されます: 転送されたデータの有効性を認証する \fIintegrity\fR と、転送されたデータを暗号化する \fIprivacy\fR。開発者は RPCSEC_GSS \fBAPI\fR インタフェースを使用することによって、\fBGSS-API\fR を利用できます (\fBrpcsec_gss\fR(3NSL) を参照)。 
+.SH 使用例
+.LP
+\fB例 1 \fR有効な主体名の例
+.sp
+.LP
+次に、有効な主体名の例を示します:
+
+.sp
+.in +2
+.nf
+	joe
+	joe/admin
+	[email protected]
+	joe/[email protected]
+	rlogin/[email protected]
+	host/[email protected]
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+最初の 4 つのケースは\fIユーザー主体\fRです。最初の 2 つのケースでは、ユーザー \fBjoe\fR がクライアントと同じレルム内にあるため、レルムが指定されていないことが想定されます。\fBjoe\fR と \fBjoe/admin\fR は、同じユーザーに使用されている場合でも、別々の主体であることに注意してください。\fBjoe/admin\fR は、\fBjoe\fR とは別の特権を持っています。5 番目のケースは \fIサービス主体\fR、最後のケースは\fIホスト主体\fRです。ホスト主体には、\fBhost\fR という語が必要です。ホスト主体では、インスタンスは完全指定ホスト名です。\fBadmin\fR および \fBhost\fR という語は予約済みのキーワードであることに注意してください。
+
+.SH 関連項目
+.sp
+.LP
+\fBkdestroy\fR(1)、\fBkinit\fR(1)、\fBklist\fR(1)、\fBkpasswd\fR(1)、\fBkrb5.conf\fR(4)、\fBkrb5envvar\fR(5)
+.sp
+.LP
+\fI『System Administration Guide: Security Services 』\fR
+.SH 注意事項
+.sp
+.LP
+以前のリリースの Solaris オペレーティングシステムでは、Solaris Kerberos の実装は「SEAM (Sun Enterprise Authentication Mechanism)」と呼ばれていました。
+.sp
+.LP
+ユーザー名を入力し、\fBkinit\fR が次のメッセージを返した場合: 
+.sp
+.in +2
+.nf
+Principal unknown (kerberos)
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Kerberos ユーザーとして登録されていません。システム管理者に問い合わせるか、\fI『System Administration Guide: Security Services』\fRを参照してください。 
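Review bot: The principal format line and four of the six example principals appear here as "primary/[email protected]", "[email protected]", "joe/[email protected]" and so on, so the instance and realm parts that the following definitions describe are not visible. Please confirm the committed file carries the literal primary/instance@REALM form and full example names, since the paragraph after the examples depends on telling user, service and host principals apart. The first definition is also labelled "プライマリノード" (primary node) while the format line and the later text call it simply the primary; the label should match. Finally, "integrity" and "privacy" are left untranslated in the GSS-API paragraph, which is fine if intentional but should be consistent with the other localized security pages.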
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/Solaris/man/ja_JP.UTF-8/krb5envvar.5	Wed Feb 24 10:43:57 2016 -0600
@@ -0,0 +1,178 @@
+'\" te
+.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
+.TH krb5envvar 5 "2008 年 2 月 13 日" "SunOS 5.12" "標準、環境、マクロ"
+.SH 名前
+krb5envvar \- Kerberos 環境変数
+.SH 機能説明
+.sp
+.LP
+Kerberos メカニズムには、アプリケーションのニーズを満たすために、さまざまな動作を構成する多数の環境変数が用意されています。Kerberos 機構では、次の環境変数が使用されます:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBKRB5_KTNAME\fR\fR
+.ad
+.sp .6
+.RS 4n
+鍵テーブルファイルの場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます:
+.sp
+.in +2
+.nf
+[[\fI<kt type>\fR:]\fI<file name>\fR]
+.fi
+.in -2
+
+ここで、\fI<kt type>\fR には \fBFILE\fR または \fBWRFILE\fR を指定できます。\fBFILE\fR は読み取り操作用、\fBWRFILE\fR は書き込み操作用です。\fI<file name>\fR は、\fBkeytab\fR ファイルの場所です。
+.sp
+r
+.sp
+\fBKRB5_KTNAME\fR が定義されない場合のデフォルト値は次のとおりです:
+.sp
+.in +2
+.nf
+FILE:/etc/krb5/krb5.keytab
+.fi
+.in -2
+
+\fBkeytab\fR ファイルは、永続的に資格を格納するために使用され、一般にサービスデーモンで使用されます。
+.sp
+\fBFILE\fR タイプを指定することは、関連するファイル上の後続操作が呼び出しプロセスで読み取り可能であることが前提となっています。暗号化されていない鍵を取得する必要のある主体のセットでのみファイルが読み取り可能になるように注意してください。
+.sp
+\fBWRFILE\fR タイプは、\fBkadmin\fR(1M) コマンドで使用されます。このタイプを指定すると、管理者は追加のコマンド行引数を使用してファイルの場所を指定しなくても、書き込む代替の \fBkeytab\fR ファイルを指定できます。
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBKRB5CCNAME\fR\fR
+.ad
+.sp .6
+.RS 4n
+資格キャッシュの場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます:
+.sp
+.in +2
+.nf
+[[\fI<cc type>\fR:]\fI<file name>\fR]
+.fi
+.in -2
+
+ここで、\fI<cc type>\fR には \fBFILE\fR または \fBMEMORY\fR を指定できます。\fI<file name>\fR は主体の資格キャッシュの場所です。
+.sp
+\fBKRB5CCNAME\fR が定義されない場合のデフォルト値は次のとおりです:
+.sp
+.in +2
+.nf
+FILE:/tmp/krb5cc_\fI<uid>\fR
+.fi
+.in -2
+
+ここで、\fI<uid>\fR はキャッシュファイルを作成したプロセスのユーザー ID です。
+.sp
+資格キャッシュファイルは、主体に付与されているチケットを格納するために使用されます。
+.sp
+\fBFILE\fR タイプを指定することは、関連するファイル上の後続操作が呼び出しプロセスで読み書き可能であることが前提となっています。資格にアクセスする必要のある主体のセットのみがファイルにアクセス可能になるように注意してください。ほかのユーザーが書き込みアクセス権を持っているディレクトリ内に資格ファイルがある場合、そのディレクトリのスティッキービットを設定する必要があります (\fBchmod\fR(1) を参照)。
+.sp
+\fBMEMORY\fR タイプの資格キャッシュは、呼び出しプロセスの存続期間中に一時キャッシュを作成する場合などの特殊なケースでしか使用されません。
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBKRB5RCNAME\fR\fR
+.ad
+.sp .6
+.RS 4n
+リプレイキャッシュのタイプと場所を指定するためのメカニズムで使用されます。この変数には、次の値を設定できます:
+.sp
+.in +2
+.nf
+[[\fI<rc type>\fR:]\fI<file name>\fR]
+.fi
+.in -2
+
+ここで、\fI<rc type>\fR には \fBFILE\fR、\fBMEMORY\fR、または \fBNONE\fR を指定できます。\fI<file name>\fR が関連するのは、リプレイキャッシュファイルタイプを指定する場合のみです。
+.sp
+定義されない場合のデフォルト値は次のとおりです:
+.sp
+.in +2
+.nf
+FILE:/var/krb5/rcache/root/rc_\fI<service>\fR
+.fi
+.in -2
+
+root がプロセスを所有している場合、または:
+.sp
+.in +2
+.nf
+FILE:/var/krb5/rcache/rc_\fI<service>\fR
+.fi
+.in -2
+
+root 以外のユーザーがプロセスを所有している