backout 22954706/23116276 - needs more work
authorMike Sullivan <Mike.Sullivan@Oracle.COM>
Sat, 14 May 2016 15:38:32 -0700
changeset 5986 bab15c34f645
parent 5985 6b195cad32d4
child 5987 c070fc9ea447
backout 22954706/23116276 - needs more work
components/krb5/Makefile
components/krb5/Solaris/libkadm5clnt.mapfile-vers
components/krb5/krb5-kdc.p5m
components/krb5/krb5-message-files.p5m
components/krb5/krb5.license
components/krb5/krb5.p5m
components/krb5/patches/024-smb-compat.patch
components/krb5/patches/028-rpc-gss.patch
components/krb5/patches/029-kadmin_disable_anonymity.patch
components/krb5/patches/032-pam-krb5.patch
components/krb5/patches/035-multi-master.patch
components/krb5/patches/036-verify-nofail.patch
components/krb5/patches/045-correct_err_code_for_bad_QOP.patch
components/krb5/patches/046-creds_usage_mismatch_err_code.patch
components/krb5/patches/051-fopenF.patch
components/krb5/patches/061-ccache-nounlink.patch
components/krb5/patches/064-enable-debug-compile.patch
components/krb5/patches/066-sanitize_context_ptr.patch
components/krb5/patches/067-iprop-double-free-fix.patch
--- a/components/krb5/Makefile	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/Makefile	Sat May 14 15:38:32 2016 -0700
@@ -18,35 +18,28 @@
 #
 # CDDL HEADER END
 #
-
-#
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
-BUILD_BITS= 64_and_32
+
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		Kerberos
-# Encoding rule for MAJOR: MIT KerberosV5 x.y[.z] => MAJOR x
-# Encoding rule for MINOR: MIT KerberosV5 x.y[.z] => MINOR $MAJOR.y
-# Encoding rule for MICRO: MIT KerberosV5 x.y[.z] => MICRO $MINOR[.z]
-COMPONENT_MAJOR=	1
-COMPONENT_MINOR=	$(COMPONENT_MAJOR).14
-COMPONENT_MICRO=	$(COMPONENT_MINOR).2
-
-COMPONENT_VERSION=		$(COMPONENT_MICRO)
-IPS_COMPONENT_VERSION=	$(COMPONENT_VERSION).0
-
+COMPONENT_MINOR=	1.13
+COMPONENT_VERSION=	1.13.3
 COMPONENT_PROJECT_URL=	http://web.mit.edu/kerberos/
 COMPONENT_SRC=		krb5-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-	sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27
+	sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
 COMPONENT_ARCHIVE_URL=	\
 	$(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/kerberos
 
-TPNO=		27916
+TPNO=	26018
 
-include $(WS_MAKE_RULES)/common.mk
+include $(WS_MAKE_RULES)/prep.mk
+include $(WS_MAKE_RULES)/configure.mk
+include $(WS_MAKE_RULES)/lint-libraries.mk
 
 LINT_FLAGS += -I$(PROTOUSRINCDIR) -I$(PROTOUSRINCDIR)/kerberosv5 -I$(COMPONENT_DIR)/Solaris
 
@@ -57,6 +50,11 @@
 PUBLISH_STAMP=
 endif
 
+include $(WS_MAKE_RULES)/ips.mk
+
+# Encoding rules for IPS: MIT KerberosV5 <x>.<y>[.<z>] => IPS <x>.<y>.[<z>|0].0
+IPS_COMPONENT_VERSION=	1.13.3.0
+
 # The configure script is not at the top of the source directory.
 CONFIGURE_SCRIPT=	$(SOURCE_DIR)/src/configure
 
@@ -72,6 +70,11 @@
 # If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch.
 LDFLAGS += -lc $(LD_Z_DEFS)
 
+CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)"
+CONFIGURE_ENV += CFLAGS="$(CFLAGS)"
+CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)"
+CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)"
+CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)"
 CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab"
 CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab"
 
@@ -81,6 +84,9 @@
 CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR)
 CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64)
 CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5
+# to avoid executing subprocesses from /usr/[s]bin/$(MACH64):
+CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
+CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR)
 CONFIGURE_OPTIONS += --with-crypto-impl=openssl
 CONFIGURE_OPTIONS += --with-ldap
 CONFIGURE_OPTIONS += --with-prng-alg=os
@@ -182,6 +188,16 @@
 	$(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \
 		$(PROTO_DIR)$(USRLIBDIR)/$(MACH64);
 
+ASLR_MODE = $(ASLR_ENABLE)
+
+# common targets
+build:	$(BUILD_32_and_64)
+
+install:	$(INSTALL_32_and_64)
+
+# build does this always
+test:	$(TEST_32_and_64)
+
 REQUIRED_PACKAGES += developer/test/dejagnu
 REQUIRED_PACKAGES += library/libedit
 REQUIRED_PACKAGES += library/openldap
@@ -189,7 +205,7 @@
 REQUIRED_PACKAGES += network/dns/bind
 REQUIRED_PACKAGES += service/security/kerberos-5
 REQUIRED_PACKAGES += shell/ksh93
-REQUIRED_PACKAGES += system/core-os
+REQUIRED_PACKAGES += system/library
 REQUIRED_PACKAGES += system/library/math
 REQUIRED_PACKAGES += system/library/security/gss
 
--- a/components/krb5/Solaris/libkadm5clnt.mapfile-vers	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers	Sat May 14 15:38:32 2016 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 $mapfile_version 2
@@ -26,22 +26,22 @@
 STUB_OBJECT;
 SYMBOL_VERSION SUNWprivate_1.1 {
     global:
-	free_srv_names	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_destroy	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
-	kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 };
+	free_srv_names	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_destroy	{ TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
+	kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 };
 
     local:
 	*;
--- a/components/krb5/krb5-kdc.p5m	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/krb5-kdc.p5m	Sat May 14 15:38:32 2016 -0700
@@ -21,7 +21,7 @@
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
-<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed">
+<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
 set name=pkg.fmri \
     value=pkg:/security/kerberos-5/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="Kerberos V5 Key Distribution Center (KDC)"
@@ -33,39 +33,91 @@
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-file Solaris/kadmin.xml path=lib/svc/manifest/network/security/kadmin.xml \
+file Solaris/kadmin.xml \
+    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \
     restart_fmri=svc:/system/manifest-import:default
 file Solaris/krb5_prop.xml \
-    path=lib/svc/manifest/network/security/krb5_prop.xml \
+    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \
+    restart_fmri=svc:/system/manifest-import:default
+file Solaris/krb5kdc.xml \
+    path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \
     restart_fmri=svc:/system/manifest-import:default
-file Solaris/krb5kdc.xml path=lib/svc/manifest/network/security/krb5kdc.xml \
-    restart_fmri=svc:/system/manifest-import:default
+link path=lib/svc/manifest/network/security/kadmin.xml \
+    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=lib/svc/manifest/network/security/krb5_prop.xml \
+    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=lib/svc/manifest/network/security/krb5kdc.xml \
+    target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \
+    mediator=kerberos5 mediator-implementation=MIT
+file usr/sbin/kadmin.local \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local
+file usr/sbin/kadmind \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind
+file usr/sbin/kdb5_ldap_util \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util
+file usr/sbin/kdb5_util \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util
+file usr/sbin/kprop path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop
+file usr/sbin/kpropd \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd
+file usr/sbin/kproplog \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog
+file usr/sbin/krb5kdc \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc
+file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif
+file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema
 dir  path=usr/lib/$(MACH64)/krb5/plugins/kdb
 file path=usr/lib/$(MACH64)/krb5/plugins/kdb/db2.so
 file path=usr/lib/$(MACH64)/krb5/plugins/kdb/kldap.so
 link path=usr/lib/$(MACH64)/libkdb_ldap.so target=libkdb_ldap.so.1.0
 link path=usr/lib/$(MACH64)/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0
 file path=usr/lib/$(MACH64)/libkdb_ldap.so.1.0
+link path=usr/lib/krb5/kadmind \
+    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/krb5/kprop \
+    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/krb5/kpropd \
+    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/krb5/krb5kdc \
+    target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc \
+    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/lib/krb5/plugins/kdb
 file path=usr/lib/krb5/plugins/kdb/db2.so
 file path=usr/lib/krb5/plugins/kdb/kldap.so
-link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0
-link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0
+link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 mediator=kerberos5 \
+    mediator-implementation=MIT
+link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 \
+    mediator=kerberos5 mediator-implementation=MIT
 file path=usr/lib/libkdb_ldap.so.1.0
-file usr/sbin/kadmin.local path=usr/sbin/$(MACH64)/kadmin.local
-file usr/sbin/kadmind path=usr/sbin/$(MACH64)/kadmind
-file usr/sbin/kdb5_ldap_util path=usr/sbin/$(MACH64)/kdb5_ldap_util
-file usr/sbin/kdb5_util path=usr/sbin/$(MACH64)/kdb5_util
-file usr/sbin/kprop path=usr/sbin/$(MACH64)/kprop
-file usr/sbin/kpropd path=usr/sbin/$(MACH64)/kpropd
-file usr/sbin/kproplog path=usr/sbin/$(MACH64)/kproplog
-file usr/sbin/krb5kdc path=usr/sbin/$(MACH64)/krb5kdc
-file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \
-    path=usr/share/lib/ldif/kerberos.ldif
-file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \
-    path=usr/share/lib/ldif/kerberos.schema
+link path=usr/sbin/kadmin.local \
+    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/sbin/kdb5_ldap_util \
+    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/sbin/kdb5_util \
+    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/sbin/kprop target=../lib/krb5/kprop mediator=kerberos5 \
+    mediator-implementation=MIT
+link path=usr/sbin/kproplog \
+    target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/share/lib/ldif/kerberos.ldif \
+    target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/share/lib/ldif/kerberos.schema \
+    target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema \
+    mediator=kerberos5 mediator-implementation=MIT
 file path=usr/share/man/man5/kadm5.acl.5
 file path=usr/share/man/man5/kdc.conf.5
 file path=usr/share/man/man8/kadmin.local.8
--- a/components/krb5/krb5-message-files.p5m	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/krb5-message-files.p5m	Sat May 14 15:38:32 2016 -0700
@@ -29,7 +29,7 @@
     value="translatable message content for KerberosV5"
 set name=com.oracle.info.tpno value=$(TPNO)
 set name=info.classification value=org.opensolaris.category.2008:System/Security
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 file src/po/mit-krb5.pot path=usr/share/applications/mit-krb5.pot
 license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/krb5.license	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/krb5.license	Sat May 14 15:38:32 2016 -0700
@@ -1,4 +1,4 @@
-Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2015 by the Massachusetts Institute of Technology.
 
 All rights reserved.
 
--- a/components/krb5/krb5.p5m	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/krb5.p5m	Sat May 14 15:38:32 2016 -0700
@@ -21,7 +21,7 @@
 # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 #
 
-<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed">
+<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
 set name=pkg.fmri \
     value=pkg:/security/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
 set name=pkg.summary value="Kerberos V5 Support"
@@ -32,24 +32,42 @@
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244
+set name=org.opensolaris.arc-caseid value=PSARC/2015/144
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 dir  path=etc/gss/mech.d group=sys
-file path=usr/bin/k5srvutil
-file path=usr/bin/kadmin
-file path=usr/bin/kdestroy
-file path=usr/bin/kinit
-file path=usr/bin/klist
-file path=usr/bin/kpasswd
-file path=usr/bin/krb5-config
+link path=usr/bin/kdestroy \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/bin/kinit \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/bin/klist \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/bin/kpasswd \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/bin/krb5-config \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/krb5-config \
+    mediator=kerberos5 mediator-implementation=MIT
 file path=usr/bin/kswitch
-file path=usr/bin/ktutil
-file path=usr/bin/kvno
-file path=usr/include/kerberosv5/com_err.h
+link path=usr/bin/ktutil \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/bin/kvno \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/include/gssapi/gssapi.h \
+    target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/include/gssapi/gssapi_ext.h \
+    target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/include/kerberosv5/com_err.h \
+    target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h \
+    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/include/kerberosv5/gssapi
 file path=usr/include/kerberosv5/gssapi.h
-file path=usr/include/kerberosv5/gssapi/gssapi.h
-file path=usr/include/kerberosv5/gssapi/gssapi_ext.h
 file path=usr/include/kerberosv5/gssapi/gssapi_generic.h
 file path=usr/include/kerberosv5/gssapi/gssapi_krb5.h
 file path=usr/include/kerberosv5/gssapi/mechglue.h
@@ -60,7 +78,9 @@
 file path=usr/include/kerberosv5/kdb.h
 file path=usr/include/kerberosv5/krad.h
 dir  path=usr/include/kerberosv5/krb5
-file path=usr/include/kerberosv5/krb5.h
+link path=usr/include/kerberosv5/krb5.h \
+    target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h \
+    mediator=kerberos5 mediator-implementation=MIT
 file path=usr/include/kerberosv5/krb5/ccselect_plugin.h
 file path=usr/include/kerberosv5/krb5/clpreauth_plugin.h
 file path=usr/include/kerberosv5/krb5/hostrealm_plugin.h
@@ -75,13 +95,49 @@
 dir  path=usr/include/kerberosv5/private
 dir  path=usr/include/kerberosv5/private/krb5
 dir  path=usr/include/kerberosv5/private/krb5/keytab
-file Solaris/private/krb5/keytab/kt_solaris.h \
-    path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h
+link path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h \
+    target=../../../../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h \
+    mediator=kerberos5 mediator-implementation=MIT
 file Solaris/private/krb5/prof_solaris.h \
     path=usr/include/kerberosv5/private/krb5/prof_solaris.h
 file path=usr/include/kerberosv5/profile.h
 file path=usr/include/kerberosv5/verto-module.h
 file path=usr/include/kerberosv5/verto.h
+file usr/bin/k5srvutil \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil
+file usr/bin/kadmin path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin
+file usr/bin/kdestroy \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy
+file usr/bin/kinit path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit
+file usr/bin/klist path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist
+file usr/bin/kpasswd \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd
+file usr/bin/ktutil path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil
+file usr/bin/kvno path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno
+file usr/bin/krb5-config path=usr/kerberos5/$(COMPONENT_VERSION)/bin/krb5-config
+file usr/include/kerberosv5/gssapi/gssapi.h \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h
+file usr/include/kerberosv5/gssapi/gssapi_ext.h \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h
+file usr/include/kerberosv5/com_err.h \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h
+file usr/include/kerberosv5/krb5.h \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h
+file Solaris/private/krb5/keytab/kt_solaris.h \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h
+file usr/lib/$(MACH64)/libgss.so.1 \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1
+file usr/lib/$(MACH64)/libkadm5clnt.so.1 \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1
+file usr/lib/$(MACH64)/libkrb5.so.1 \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1
+file usr/lib/krb5/plugins/preauth/pkinit.so \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so
+file usr/lib/libgss.so.1 path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1
+file usr/lib/libkadm5clnt.so.1 \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1
+file usr/lib/libkrb5.so.1 \
+    path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1
 dir  path=usr/lib/$(MACH64)/krb5
 dir  path=usr/lib/$(MACH64)/krb5/plugins
 dir  path=usr/lib/$(MACH64)/krb5/plugins/authdata
@@ -94,29 +150,40 @@
 link path=usr/lib/$(MACH64)/libcom_err.so target=libcom_err.so.3.0
 link path=usr/lib/$(MACH64)/libcom_err.so.3 target=libcom_err.so.3.0
 file path=usr/lib/$(MACH64)/libcom_err.so.3.0
-file path=usr/lib/$(MACH64)/libgss.so.1
+link path=usr/lib/$(MACH64)/libgss.so target=libgssapi_krb5.so.2.2 \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/$(MACH64)/libgss.so.1 \
+    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
 link path=usr/lib/$(MACH64)/libgssapi_krb5.so target=libgssapi_krb5.so.2.2
 link path=usr/lib/$(MACH64)/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2
 file path=usr/lib/$(MACH64)/libgssapi_krb5.so.2.2
 link path=usr/lib/$(MACH64)/libk5crypto.so target=libk5crypto.so.3.1
 link path=usr/lib/$(MACH64)/libk5crypto.so.3 target=libk5crypto.so.3.1
 file path=usr/lib/$(MACH64)/libk5crypto.so.3.1
-file path=usr/lib/$(MACH64)/libkadm5clnt.so.1
-link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0
-link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10 \
-    target=libkadm5clnt_mit.so.10.0
-file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10.0
+link path=usr/lib/$(MACH64)/libkadm5clnt.so target=libkadm5clnt_mit.so \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/$(MACH64)/libkadm5clnt.so.1 \
+    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0
+link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0
+file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9.0
 link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so
-link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0
-link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0
-file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10.0
+link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0
+link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0
+file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9.0
 link path=usr/lib/$(MACH64)/libkdb5.so target=libkdb5.so.8.0
 link path=usr/lib/$(MACH64)/libkdb5.so.8 target=libkdb5.so.8.0
 file path=usr/lib/$(MACH64)/libkdb5.so.8.0
 link path=usr/lib/$(MACH64)/libkrad.so target=libkrad.so.0.0
 link path=usr/lib/$(MACH64)/libkrad.so.0 target=libkrad.so.0.0
 file path=usr/lib/$(MACH64)/libkrad.so.0.0
-file path=usr/lib/$(MACH64)/libkrb5.so.1
+link path=usr/lib/$(MACH64)/libkrb5.so target=libkrb5.so.3.3 \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/$(MACH64)/libkrb5.so.1 \
+    target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
 link path=usr/lib/$(MACH64)/libkrb5.so.3 target=libkrb5.so.3.3
 file path=usr/lib/$(MACH64)/libkrb5.so.3.3
 link path=usr/lib/$(MACH64)/libkrb5support.so target=libkrb5support.so.0.1
@@ -145,33 +212,49 @@
 dir  path=usr/lib/krb5/plugins/libkrb5
 dir  path=usr/lib/krb5/plugins/preauth
 file path=usr/lib/krb5/plugins/preauth/otp.so
-file path=usr/lib/krb5/plugins/preauth/pkinit.so
+link path=usr/lib/krb5/plugins/preauth/pkinit.so \
+    target=../../../../kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so \
+    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/lib/krb5/plugins/tls
 file path=usr/lib/krb5/plugins/tls/k5tls.so
 link path=usr/lib/libcom_err.so target=libcom_err.so.3.0
 link path=usr/lib/libcom_err.so.3 target=libcom_err.so.3.0
 file path=usr/lib/libcom_err.so.3.0
-file path=usr/lib/libgss.so.1
+link path=usr/lib/libgss.so target=libgssapi_krb5.so.2.2 mediator=kerberos5 \
+    mediator-implementation=MIT
+link path=usr/lib/libgss.so.1 \
+    target=../kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
 link path=usr/lib/libgssapi_krb5.so target=libgssapi_krb5.so.2.2
 link path=usr/lib/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2
 file path=usr/lib/libgssapi_krb5.so.2.2
 link path=usr/lib/libk5crypto.so target=libk5crypto.so.3.1
 link path=usr/lib/libk5crypto.so.3 target=libk5crypto.so.3.1
 file path=usr/lib/libk5crypto.so.3.1
-file path=usr/lib/libkadm5clnt.so.1
-link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0
-link path=usr/lib/libkadm5clnt_mit.so.10 target=libkadm5clnt_mit.so.10.0
-file path=usr/lib/libkadm5clnt_mit.so.10.0
-link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0
-link path=usr/lib/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0
-file path=usr/lib/libkadm5srv_mit.so.10.0
+link path=usr/lib/libkadm5clnt.so target=libkadm5clnt_mit.so \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/libkadm5clnt.so.1 \
+    target=../kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0
+link path=usr/lib/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0
+file path=usr/lib/libkadm5clnt_mit.so.9.0
+link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so mediator=kerberos5 \
+    mediator-implementation=MIT
+link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0
+link path=usr/lib/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0
+file path=usr/lib/libkadm5srv_mit.so.9.0
 link path=usr/lib/libkdb5.so target=libkdb5.so.8.0
 link path=usr/lib/libkdb5.so.8 target=libkdb5.so.8.0
 file path=usr/lib/libkdb5.so.8.0
 link path=usr/lib/libkrad.so target=libkrad.so.0.0
 link path=usr/lib/libkrad.so.0 target=libkrad.so.0.0
 file path=usr/lib/libkrad.so.0.0
-file path=usr/lib/libkrb5.so.1
+link path=usr/lib/libkrb5.so target=libkrb5.so.3.3 mediator=kerberos5 \
+    mediator-implementation=MIT
+link path=usr/lib/libkrb5.so.1 \
+    target=../kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 \
+    mediator=kerberos5 mediator-implementation=MIT
 link path=usr/lib/libkrb5.so.3 target=libkrb5.so.3.3
 file path=usr/lib/libkrb5.so.3.3
 link path=usr/lib/libkrb5support.so target=libkrb5support.so.0.1
@@ -201,6 +284,12 @@
 file path=usr/lib/pkgconfig/krb5.pc
 file path=usr/lib/pkgconfig/mit-krb5-gssapi.pc
 file path=usr/lib/pkgconfig/mit-krb5.pc
+link path=usr/sbin/k5srvutil \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil \
+    mediator=kerberos5 mediator-implementation=MIT
+link path=usr/sbin/kadmin \
+    target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin \
+    mediator=kerberos5 mediator-implementation=MIT
 dir  path=usr/share/et
 file path=usr/share/et/et_c.awk
 file path=usr/share/et/et_h.awk
@@ -208,119 +297,266 @@
 dir  path=usr/share/examples/krb5
 file path=usr/share/examples/krb5/services.append
 file path=usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo
-file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.3lib
-file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.3lib \
-    mangler.man.stability="pass-through uncommitted"
+link path=usr/share/man/3lib/libgss.3lib target=./libgss.mit.3lib \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.mit.3lib
+link path=usr/share/man/3lib/libkrb5.3lib target=./libkrb5.mit.3lib \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.mit.3lib
+link path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \
+    mediator=kerberos5 mediator-implementation=MIT
 file Solaris/man/ja_JP.UTF-8/kerberos.5 \
-    path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5
+    path=usr/share/man/ja_JP.UTF-8/man5/kerberos.mit.5
+link path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \
+    target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT
 file Solaris/man/ja_JP.UTF-8/krb5envvar.5 \
-    path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \
-    mangler.man.stability="pass-through uncommitted"
+    path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.mit.5
+link path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 \
+    target=./krb5_auth_rules.mit.7 mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/ja_JP.UTF-8/krb5_auth_rules.7 \
-    path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7
+    path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.mit.7
 file path=usr/share/man/man1/k5srvutil.1
 file path=usr/share/man/man1/kadmin.1
-file path=usr/share/man/man1/kdestroy.1
-file path=usr/share/man/man1/kinit.1
-file path=usr/share/man/man1/klist.1
-file path=usr/share/man/man1/kpasswd.1
-file path=usr/share/man/man1/krb5-config.1 \
-    mangler.man.stability="pass-through uncommitted"
+link path=usr/share/man/man1/kdestroy.1 target=./kdestroy.mit.1 \
+    mediator=kerberos5 mediator-implementation=MIT
+file usr/share/man/man1/kdestroy.1 path=usr/share/man/man1/kdestroy.mit.1
+link path=usr/share/man/man1/kinit.1 target=./kinit.mit.1 mediator=kerberos5 \
+    mediator-implementation=MIT
+file usr/share/man/man1/kinit.1 path=usr/share/man/man1/kinit.mit.1
+link path=usr/share/man/man1/klist.1 target=./klist.mit.1 mediator=kerberos5 \
+    mediator-implementation=MIT
+file usr/share/man/man1/klist.1 path=usr/share/man/man1/klist.mit.1
+link path=usr/share/man/man1/kpasswd.1 target=./kpasswd.mit.1 \
+    mediator=kerberos5 mediator-implementation=MIT
+file usr/share/man/man1/kpasswd.1 path=usr/share/man/man1/kpasswd.mit.1
+link path=usr/share/man/man1/krb5-config.1 target=./krb5-config.mit.1 \
+    mediator=kerberos5 mediator-implementation=MIT
+file usr/share/man/man1/krb5-config.1 path=usr/share/man/man1/krb5-config.mit.1
 file path=usr/share/man/man1/kswitch.1
-file path=usr/share/man/man1/ktutil.1
-file path=usr/share/man/man1/kvno.1
+link path=usr/share/man/man1/ktutil.1 target=./ktutil.mit.1 mediator=kerberos5 \
+    mediator-implementation=MIT
+file usr/share/man/man1/ktutil.1 path=usr/share/man/man1/ktutil.mit.1
+link path=usr/share/man/man1/kvno.1 target=./kvno.mit.1 mediator=kerberos5 \
+    mediator-implementation=MIT
+file usr/share/man/man1/kvno.1 path=usr/share/man/man1/kvno.mit.1
+link path=usr/share/man/man3gss/gss_accept_sec_context.3gss \
+    target=./gss_accept_sec_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_accept_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_accept_sec_context.3gss
+    path=usr/share/man/man3gss/gss_accept_sec_context.mit.3gss
+link path=usr/share/man/man3gss/gss_acquire_cred.3gss \
+    target=./gss_acquire_cred.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_acquire_cred.3gss \
-    path=usr/share/man/man3gss/gss_acquire_cred.3gss
-file Solaris/man/gss_add_cred.3gss path=usr/share/man/man3gss/gss_add_cred.3gss
+    path=usr/share/man/man3gss/gss_acquire_cred.mit.3gss
+link path=usr/share/man/man3gss/gss_add_cred.3gss \
+    target=./gss_add_cred.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
+file Solaris/man/gss_add_cred.3gss \
+    path=usr/share/man/man3gss/gss_add_cred.mit.3gss
+link path=usr/share/man/man3gss/gss_add_oid_set_member.3gss \
+    target=./gss_add_oid_set_member.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_add_oid_set_member.3gss \
-    path=usr/share/man/man3gss/gss_add_oid_set_member.3gss
+    path=usr/share/man/man3gss/gss_add_oid_set_member.mit.3gss
+link path=usr/share/man/man3gss/gss_canonicalize_name.3gss \
+    target=./gss_canonicalize_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_canonicalize_name.3gss \
-    path=usr/share/man/man3gss/gss_canonicalize_name.3gss
+    path=usr/share/man/man3gss/gss_canonicalize_name.mit.3gss
+link path=usr/share/man/man3gss/gss_compare_name.3gss \
+    target=./gss_compare_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_compare_name.3gss \
-    path=usr/share/man/man3gss/gss_compare_name.3gss
+    path=usr/share/man/man3gss/gss_compare_name.mit.3gss
+link path=usr/share/man/man3gss/gss_context_time.3gss \
+    target=./gss_context_time.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_context_time.3gss \
-    path=usr/share/man/man3gss/gss_context_time.3gss
+    path=usr/share/man/man3gss/gss_context_time.mit.3gss
+link path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss \
+    target=./gss_create_empty_oid_set.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_create_empty_oid_set.3gss \
-    path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss
+    path=usr/share/man/man3gss/gss_create_empty_oid_set.mit.3gss
+link path=usr/share/man/man3gss/gss_delete_sec_context.3gss \
+    target=./gss_delete_sec_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_delete_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_delete_sec_context.3gss
+    path=usr/share/man/man3gss/gss_delete_sec_context.mit.3gss
+link path=usr/share/man/man3gss/gss_display_name.3gss \
+    target=./gss_display_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_display_name.3gss \
-    path=usr/share/man/man3gss/gss_display_name.3gss
+    path=usr/share/man/man3gss/gss_display_name.mit.3gss
+link path=usr/share/man/man3gss/gss_display_status.3gss \
+    target=./gss_display_status.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_display_status.3gss \
-    path=usr/share/man/man3gss/gss_display_status.3gss
+    path=usr/share/man/man3gss/gss_display_status.mit.3gss
+link path=usr/share/man/man3gss/gss_duplicate_name.3gss \
+    target=./gss_duplicate_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_duplicate_name.3gss \
-    path=usr/share/man/man3gss/gss_duplicate_name.3gss
+    path=usr/share/man/man3gss/gss_duplicate_name.mit.3gss
+link path=usr/share/man/man3gss/gss_export_name.3gss \
+    target=./gss_export_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_export_name.3gss \
-    path=usr/share/man/man3gss/gss_export_name.3gss
+    path=usr/share/man/man3gss/gss_export_name.mit.3gss
+link path=usr/share/man/man3gss/gss_export_sec_context.3gss \
+    target=./gss_export_sec_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_export_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_export_sec_context.3gss
-file Solaris/man/gss_get_mic.3gss path=usr/share/man/man3gss/gss_get_mic.3gss
+    path=usr/share/man/man3gss/gss_export_sec_context.mit.3gss
+link path=usr/share/man/man3gss/gss_get_mic.3gss target=./gss_get_mic.mit.3gss \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/gss_get_mic.3gss \
+    path=usr/share/man/man3gss/gss_get_mic.mit.3gss
+link path=usr/share/man/man3gss/gss_import_name.3gss \
+    target=./gss_import_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_import_name.3gss \
-    path=usr/share/man/man3gss/gss_import_name.3gss
+    path=usr/share/man/man3gss/gss_import_name.mit.3gss
+link path=usr/share/man/man3gss/gss_import_sec_context.3gss \
+    target=./gss_import_sec_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_import_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_import_sec_context.3gss
+    path=usr/share/man/man3gss/gss_import_sec_context.mit.3gss
+link path=usr/share/man/man3gss/gss_indicate_mechs.3gss \
+    target=./gss_indicate_mechs.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_indicate_mechs.3gss \
-    path=usr/share/man/man3gss/gss_indicate_mechs.3gss
+    path=usr/share/man/man3gss/gss_indicate_mechs.mit.3gss
+link path=usr/share/man/man3gss/gss_init_sec_context.3gss \
+    target=./gss_init_sec_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_init_sec_context.3gss \
-    path=usr/share/man/man3gss/gss_init_sec_context.3gss
+    path=usr/share/man/man3gss/gss_init_sec_context.mit.3gss
+link path=usr/share/man/man3gss/gss_inquire_context.3gss \
+    target=./gss_inquire_context.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_inquire_context.3gss \
-    path=usr/share/man/man3gss/gss_inquire_context.3gss
+    path=usr/share/man/man3gss/gss_inquire_context.mit.3gss
+link path=usr/share/man/man3gss/gss_inquire_cred.3gss \
+    target=./gss_inquire_cred.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_inquire_cred.3gss \
-    path=usr/share/man/man3gss/gss_inquire_cred.3gss
+    path=usr/share/man/man3gss/gss_inquire_cred.mit.3gss
+link path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss \
+    target=./gss_inquire_cred_by_mech.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_inquire_cred_by_mech.3gss \
-    path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss
+    path=usr/share/man/man3gss/gss_inquire_cred_by_mech.mit.3gss
+link path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss \
+    target=./gss_inquire_mechs_for_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_inquire_mechs_for_name.3gss \
-    path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss
+    path=usr/share/man/man3gss/gss_inquire_mechs_for_name.mit.3gss
+link path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss \
+    target=./gss_inquire_names_for_mech.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_inquire_names_for_mech.3gss \
-    path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss
+    path=usr/share/man/man3gss/gss_inquire_names_for_mech.mit.3gss
+link path=usr/share/man/man3gss/gss_oid_to_str.3gss \
+    target=./gss_oid_to_str.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_oid_to_str.3gss \
-    path=usr/share/man/man3gss/gss_oid_to_str.3gss
+    path=usr/share/man/man3gss/gss_oid_to_str.mit.3gss
+link path=usr/share/man/man3gss/gss_process_context_token.3gss \
+    target=./gss_process_context_token.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_process_context_token.3gss \
-    path=usr/share/man/man3gss/gss_process_context_token.3gss
+    path=usr/share/man/man3gss/gss_process_context_token.mit.3gss
+link path=usr/share/man/man3gss/gss_release_buffer.3gss \
+    target=./gss_release_buffer.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_release_buffer.3gss \
-    path=usr/share/man/man3gss/gss_release_buffer.3gss
+    path=usr/share/man/man3gss/gss_release_buffer.mit.3gss
+link path=usr/share/man/man3gss/gss_release_cred.3gss \
+    target=./gss_release_cred.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_release_cred.3gss \
-    path=usr/share/man/man3gss/gss_release_cred.3gss
+    path=usr/share/man/man3gss/gss_release_cred.mit.3gss
+link path=usr/share/man/man3gss/gss_release_name.3gss \
+    target=./gss_release_name.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_release_name.3gss \
-    path=usr/share/man/man3gss/gss_release_name.3gss
+    path=usr/share/man/man3gss/gss_release_name.mit.3gss
+link path=usr/share/man/man3gss/gss_release_oid.3gss \
+    target=./gss_release_oid.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_release_oid.3gss \
-    path=usr/share/man/man3gss/gss_release_oid.3gss
+    path=usr/share/man/man3gss/gss_release_oid.mit.3gss
+link path=usr/share/man/man3gss/gss_release_oid_set.3gss \
+    target=./gss_release_oid_set.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_release_oid_set.3gss \
-    path=usr/share/man/man3gss/gss_release_oid_set.3gss
+    path=usr/share/man/man3gss/gss_release_oid_set.mit.3gss
+link path=usr/share/man/man3gss/gss_store_cred.3gss \
+    target=./gss_store_cred.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_store_cred.3gss \
-    path=usr/share/man/man3gss/gss_store_cred.3gss
+    path=usr/share/man/man3gss/gss_store_cred.mit.3gss
+link path=usr/share/man/man3gss/gss_str_to_oid.3gss \
+    target=./gss_str_to_oid.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_str_to_oid.3gss \
-    path=usr/share/man/man3gss/gss_str_to_oid.3gss
+    path=usr/share/man/man3gss/gss_str_to_oid.mit.3gss
+link path=usr/share/man/man3gss/gss_test_oid_set_member.3gss \
+    target=./gss_test_oid_set_member.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_test_oid_set_member.3gss \
-    path=usr/share/man/man3gss/gss_test_oid_set_member.3gss
-file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.3gss
+    path=usr/share/man/man3gss/gss_test_oid_set_member.mit.3gss
+link path=usr/share/man/man3gss/gss_unwrap.3gss target=./gss_unwrap.mit.3gss \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.mit.3gss
+link path=usr/share/man/man3gss/gss_verify_mic.3gss \
+    target=./gss_verify_mic.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_verify_mic.3gss \
-    path=usr/share/man/man3gss/gss_verify_mic.3gss
-file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.3gss
+    path=usr/share/man/man3gss/gss_verify_mic.mit.3gss
+link path=usr/share/man/man3gss/gss_wrap.3gss target=./gss_wrap.mit.3gss \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.mit.3gss
+link path=usr/share/man/man3gss/gss_wrap_size_limit.3gss \
+    target=./gss_wrap_size_limit.mit.3gss mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/gss_wrap_size_limit.3gss \
-    path=usr/share/man/man3gss/gss_wrap_size_limit.3gss
-file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.3lib
-file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.3lib \
-    mangler.man.stability="pass-through uncommitted"
+    path=usr/share/man/man3gss/gss_wrap_size_limit.mit.3gss
+file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.mit.3lib
+file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.mit.3lib
 file path=usr/share/man/man5/.k5identity.5
 file path=usr/share/man/man5/.k5login.5
-file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.5
+link path=usr/share/man/man5/gss_auth_rules.5 target=./gss_auth_rules.mit.5 \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.mit.5
 file path=usr/share/man/man5/k5identity.5
 file path=usr/share/man/man5/k5login.5
-file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.5
+link path=usr/share/man/man5/kerberos.5 target=./kerberos.mit.5 \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.mit.5
 file path=usr/share/man/man5/krb5.conf.5
-file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.5 \
-    mangler.man.stability="pass-through uncommitted"
-file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.7
+link path=usr/share/man/man5/krb5envvar.5 target=./krb5envvar.mit.5 \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.mit.5
+link path=usr/share/man/man7/krb5_auth_rules.7 target=./krb5_auth_rules.mit.7 \
+    mediator=kerberos5 mediator-implementation=MIT
+file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.mit.7
+link path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \
+    mediator=kerberos5 mediator-implementation=MIT
 file Solaris/man/zh_CN.UTF-8/kerberos.5 \
-    path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5
+    path=usr/share/man/zh_CN.UTF-8/man5/kerberos.mit.5
+link path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \
+    target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT
 file Solaris/man/zh_CN.UTF-8/krb5envvar.5 \
-    path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \
-    mangler.man.stability="pass-through uncommitted"
+    path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.mit.5
+link path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 \
+    target=./krb5_auth_rules.mit.7 mediator=kerberos5 \
+    mediator-implementation=MIT
 file Solaris/man/zh_CN.UTF-8/krb5_auth_rules.7 \
-    path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7
+    path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.mit.7
 dir  path=var/krb5/rcache group=sys mode=1777
 dir  path=var/krb5/rcache/root group=sys mode=0700 revert-tag=clone-archive=*
 license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/patches/024-smb-compat.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/024-smb-compat.patch	Sat May 14 15:38:32 2016 -0700
@@ -4,6 +4,7 @@
 # stress testing.  The CRs in order:
 #
 # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_...
+# 15648322 SUNBT6959251 coredump in gss_release_name+0x36
 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID
 # 16005842 Should retry SMB authentication upgrade to account for network...
 # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW..
@@ -67,15 +68,13 @@
          code -= ERROR_TABLE_BASE_krb5;
          if (code < 0 || code > KRB_ERR_MAX)
              code = 60 /* KRB_ERR_GENERIC */;
-
-diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c
---- new/src/lib/gssapi/spnego/spnego_mech.c	2016-02-29 11:50:13.000000000 -0800
-+++ patched/src/lib/gssapi/spnego/spnego_mech.c	2016-03-18 21:55:31.131280297 -0700
[email protected]@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid
+diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c
+--- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c
++++ krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c
[email protected]@ -190,6 +190,13 @@
  };
  const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0;
  
- static int make_NegHints(OM_uint32 *, gss_buffer_t *);
 +/* encoded OID octet string for NTLMSSP security mechanism */
 +#define GSS_MECH_NTLMSSP_OID_LENGTH 10
 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012"
@@ -83,10 +82,19 @@
 +	GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID
 +};
 +
+ static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *);
  static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int);
  static OM_uint32
- acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t,
[email protected]@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status,
[email protected]@ -1237,7 +1244,7 @@
+ 					&hintNameBuf,
+ 					&hintNameType);
+ 	if (major_status != GSS_S_COMPLETE) {
+-		gss_release_name(&minor, &hintName);
++		gss_release_name(&minor, &hintKerberosName);
+ 		return (major_status);
+ 	}
+ 	gss_release_name(&minor, &hintKerberosName);
[email protected]@ -1380,6 +1387,7 @@
  	gss_buffer_desc der_mechTypes;
  	gss_OID mech_wanted;
  	spnego_gss_ctx_id_t sc = NULL;
@@ -94,7 +102,7 @@
  
  	ret = GSS_S_DEFECTIVE_TOKEN;
  	der_mechTypes.length = 0;
[email protected]@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status,
[email protected]@ -1403,6 +1411,24 @@
  		goto cleanup;
  	}
  	/*
@@ -119,15 +127,15 @@
  	 * Select the best match between the list of mechs
  	 * that the initiator requested and the list that
  	 * the acceptor will support.
[email protected]@ -3072,6 +3163,7 @@ static OM_uint32
[email protected]@ -3136,6 +3162,7 @@
+ 	int		found = 0;
+ 	OM_uint32 major_status = GSS_S_COMPLETE, tmpmin;
  	gss_OID_set mechs, goodmechs;
-	gss_OID_set_desc except_attrs;
-	gss_OID_desc attr_oids[2];
 +	char *msinterop = getenv("MS_INTEROP");
  
-	attr_oids[0] = *GSS_C_MA_DEPRECATED;
-	attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH;
[email protected]@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta
+ 	major_status = gss_indicate_mechs(minor_status, &mechs);
+ 
[email protected]@ -3150,6 +3177,15 @@
  		return (major_status);
  	}
  
@@ -143,7 +151,7 @@
  	for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
  		if ((mechs->elements[i].length
  		    != spnego_mechanism.mech_type.length) ||
[email protected]@ -3123,6 +3201,25 @@ get_available_mechs(OM_uint32 *minor_sta
[email protected]@ -3165,6 +3201,25 @@
  		}
  	}
  
@@ -169,7 +177,7 @@
  	/*
  	 * If the caller wanted a list of creds returned,
  	 * trim the list of mechanisms down to only those
[email protected]@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs
[email protected]@ -3740,9 +3795,17 @@
  	for (i = 0; i < received->count; i++) {
  		gss_OID mech_oid = &received->elements[i];
  
--- a/components/krb5/patches/028-rpc-gss.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/028-rpc-gss.patch	Sat May 14 15:38:32 2016 -0700
@@ -1897,9 +1897,9 @@
  RELDIR=kadm5/clnt
  
  ##DOSBUILDTOP = ..\..\..
-diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c
---- no-028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:39:09.439503108 -0600
-+++ 028/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:40:49.154436988 -0600
+diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
+--- old/src/lib/kadm5/clnt/client_init.c
++++ new/src/lib/kadm5/clnt/client_init.c
 @@ -44,12 +44,12 @@
  #include <iprop_hdr.h>
  #include "iprop.h"
@@ -1915,7 +1915,7 @@
  
  enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
  
[email protected]@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex
[email protected]@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex
                      server_handle);
  }
  
@@ -2096,7 +2096,6 @@
 +	enum clnt_stat rpc_err_code;
 +	char *server;
 +	int port;
-+	struct timeval timeout;
 +
 +        /* service name is service/host */
 +        server = strpbrk(service_name, "/");
@@ -2158,11 +2157,6 @@
 +	if (iprop_svc)
 +		free(iprop_svc);
 +
-+	/* Set a one-hour timeout. */
-+	timeout.tv_sec = 3600;
-+	timeout.tv_usec = 0;
-+	(void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout);
-+
 +	handle->lhandle->clnt = handle->clnt;
 +
 +	/* now that handle->clnt is set, we can check the handle */
@@ -2302,14 +2296,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli
-     rpcvers_t rpc_vers;
-     krb5_ccache ccache;
-     krb5_principal client = NULL, server = NULL;
--    struct timeval timeout;
- 
-     kadm5_server_handle_t handle;
-     kadm5_config_params params_local;
[email protected]@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli
  
      int code = 0;
      generic_ret *r;
@@ -2317,7 +2304,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli
[email protected]@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli
      if (code)
          goto error;
  
@@ -2366,12 +2353,6 @@
 +        strncpy(svcname, svcname_in, sizeof(svcname));
 +        svcname[sizeof(svcname)-1] = '\0';
      }
- 
--    /* Set a one-hour timeout. */
--    timeout.tv_sec = 3600;
--    timeout.tv_usec = 0;
--    (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout);
--
 -    handle->client_socket = fd;
 -    handle->lhandle->clnt = handle->clnt;
 -    handle->lhandle->client_socket = fd;
@@ -2379,7 +2360,7 @@
 -    /* now that handle->clnt is set, we can check the handle */
 -    if ((code = _kadm5_check_handle((void *) handle)))
 -        goto error;
--
+ 
 -    /*
 -     * The RPC connection is open; establish the GSS-API
 -     * authentication context.
@@ -2438,7 +2419,7 @@
          goto error;
      }
  
[email protected]@ -364,31 +662,17 @@ cleanup:
[email protected]@ -357,31 +656,17 @@ cleanup:
      return code;
  }
  
@@ -2472,7 +2453,7 @@
      /*
       * Acquire a service ticket for [email protected] for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
[email protected]@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han
  
      code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
                      server_out);
@@ -2485,7 +2466,7 @@
      /* Improved error messages */
      if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
      if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
[email protected]@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k
[email protected]@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k
           gss_cred_id_t gss_client_creds, gss_name_t gss_target)
  {
      OM_uint32 gssstat, minor_stat;
@@ -2512,7 +2493,7 @@
      struct rpc_gss_sec sec;
  
      /* Allow unauthenticated option for testing. */
[email protected]@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k
[email protected]@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k
                                                 GSS_C_MUTUAL_FLAG
                                                 | GSS_C_REPLAY_FLAG,
                                                 0, NULL, NULL, NULL);
@@ -2520,6 +2501,7 @@
  }
  
  kadm5_ret_t
+diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c
 --- old/src/lib/kadm5/clnt/client_principal.c
 +++ new/src/lib/kadm5/clnt/client_principal.c
 @@ -5,7 +5,7 @@
@@ -2955,10 +2937,10 @@
                         (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t,
                         (caddr_t)&clnt_res, full_resync_timeout);
      if (status == RPC_PROCUNAVAIL) {
-diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in
---- new/src/tests/misc/Makefile.in	2016-02-29 11:50:13.000000000 -0800
-+++ patched.1/src/tests/misc/Makefile.in	2016-03-19 08:15:59.222125882 -0700
[email protected]@ -12,19 +12,17 @@ SRCS=\
+diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in
+--- old/src/tests/misc/Makefile.in
++++ new/src/tests/misc/Makefile.in
[email protected]@ -12,18 +12,16 @@ SRCS=\
  	$(srcdir)/test_cxx_krb5.cpp \
  	$(srcdir)/test_cxx_k5int.cpp \
  	$(srcdir)/test_cxx_gss.cpp \
@@ -2969,16 +2951,15 @@
  
 -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5
 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5
- 	$(RUN_TEST) ./test_getpw
- 	$(RUN_TEST) ./test_chpw_message
- 	$(RUN_TEST) ./test_cxx_krb5
- 	$(RUN_TEST) ./test_cxx_k5int
- 	$(RUN_TEST) ./test_cxx_gss
--	$(RUN_TEST) ./test_cxx_rpc
- 	$(RUN_TEST) ./test_cxx_kadm5
+ 	$(RUN_SETUP) $(VALGRIND) ./test_getpw
+ 	$(RUN_SETUP) $(VALGRIND) ./test_chpw_message
+ 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5
+ 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int
+ 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_gss
+-	$(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc
+ 	$(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5
  
  test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB)
- 	$(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB)
 @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int.
  	$(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS)
  test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT)
@@ -3000,9 +2981,9 @@
 +	$(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o
  
 diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py
---- old/src/tests/t_iprop.py	2016-02-29 11:50:13.000000000 -0800
-+++ new/src/tests/t_iprop.py	2016-04-08 11:08:10.225701596 -0700
[email protected]@ -1,44 +1,35 @@
+--- old/src/tests/t_iprop.py
++++ new/src/tests/t_iprop.py
[email protected]@ -1,50 +1,35 @@
  #!/usr/bin/python
  
  import os
@@ -3016,7 +2997,7 @@
 -def wait_for_prop(kpropd, full_expected, expected_old, expected_new):
 +def wait_for_prop(kpropd, full_expected):
      output('*** Waiting for sync from kpropd\n')
--    full_seen = sleep_seen = False
+-    full_seen = sleep_seen = prodded_after_dump = False
 -    old_sno = new_sno = -1
 +    full_seen = False
      while True:
@@ -3052,14 +3033,19 @@
 -            sleep_seen = True
          if 'load process for full propagation completed' in line:
              full_seen = True
+-        if sleep_seen and full_seen and not prodded_after_dump:
+-            # Prod the kpropd parent into getting incrementals after
+-            # it finishes a DB load.  This will be unnecessary if
+-            # kpropd is simplified to use a single process.
 +            # kpropd's child process has finished a DB load; make the parent
 +            # do another iprop request.  This will be unnecessary if kpropd
 +            # is simplified to use a single process.
-+            kpropd.send_signal(signal.SIGUSR1)
+             kpropd.send_signal(signal.SIGUSR1)
+-            prodded_after_dump = True
  
          # Detect some failure conditions.
          if 'Still waiting for full resync' in line:
[email protected]@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected,
[email protected]@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected,
          if 'invalid return' in line:
              fail('kadmind returned invalid result')
  
@@ -3109,13 +3095,7 @@
 -        m = re.match(r'\tUpdate principal : (.*)$', line)
 -        if m:
 -            eprinc = entries[ser - first]
--            if eprinc == None:
--                fail('Expected dummy update entry %d' % ser)
--            elif m.group(1) != eprinc:
--                fail('Expected princ %s in update entry %d' % (eprinc, ser))
--        if line == '\tDummy entry':
--            eprinc = entries[ser - first]
--            if eprinc != None:
+-            if m.group(1) != eprinc:
 -                fail('Expected princ %s in update entry %d' % (eprinc, ser))
 -
 -# slave1 will receive updates from master, and slave2 will receive
@@ -3178,8 +3158,11 @@
  
  ulog = os.path.join(realm.testdir, 'db.ulog')
  if not os.path.exists(ulog):
[email protected]@ -155,234 +76,114 @@ if not os.path.exists(ulog):
[email protected]@ -153,209 +74,117 @@ if not os.path.exists(ulog):
+ 
+ # Create the principal used to authenticate kpropd to kadmind.
  kiprop_princ = 'kiprop/' + hostname
++realm.addprinc(kiprop_princ)
  realm.extract_keytab(kiprop_princ, realm.keytab)
  
 -# Create the initial slave1 and slave2 databases.
@@ -3194,7 +3177,7 @@
 -# Reinitialize the master ulog so we know exactly what to expect in
 -# it.
 -realm.run([kproplog, '-R'])
--check_ulog(1, 1, 1, [None])
+-check_ulog(0, 0, 0, [])
 +# Make some changes to the master db.
 +realm.addprinc('wakawaka')
 +# Add a principal enough to make realloc likely, but not enough to grow
@@ -3204,24 +3187,24 @@
 +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c
 +realm.addprinc(longname)
 +realm.addprinc('w')
-+realm.run([kadminl, 'modprinc', '-allow_tix', 'w'])
-+realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
++realm.run_kadminl('modprinc -allow_tix w')
++realm.run_kadminl('modprinc +allow_tix w')
  
 -# Make some changes to the master DB.
 -realm.addprinc(pr1)
 -realm.addprinc(pr3)
 -realm.addprinc(pr2)
--realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
--realm.run([kadminl, 'modprinc', '+allow_tix', pr2])
--check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2])
+-realm.run_kadminl('modprinc -allow_tix ' + pr2)
+-realm.run_kadminl('modprinc +allow_tix ' + pr2)
+-check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2])
 -
 -# Start kpropd for slave1 and get a full dump from master.
 -kpropd1 = realm.start_kpropd(slave1, ['-d'])
--wait_for_prop(kpropd1, True, 1, 6)
--out = realm.run([kadminl, 'listprincs'], env=slave1)
+-wait_for_prop(kpropd1, True, 0, 5)
+-out = realm.run_kadminl('listprincs', slave1)
 -if pr1 not in out or pr2 not in out or pr3 not in out:
 -    fail('slave1 does not have all principals from master')
--check_ulog(1, 6, 6, [None], slave1)
+-check_ulog(0, 0, 5, [], slave1)
 +check_serial(realm, '7')
 +
 +# Set up the kpropd acl file.
@@ -3233,23 +3216,23 @@
 +# Start kpropd and get a full dump from master.
 +kpropd = realm.start_kpropd(slave, ['-d'])
 +wait_for_prop(kpropd, True)
-+out = realm.run([kadminl, 'listprincs'], env=slave)
++out = realm.run_kadminl('listprincs', slave)
 +if longname not in out or 'wakawaka' not in out or '[email protected]' not in out:
 +    fail('Slave does not have all principals from master')
  
  # Make a change and check that it propagates incrementally.
--realm.run([kadminl, 'modprinc', '-allow_tix', pr2])
--check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
+-realm.run_kadminl('modprinc -allow_tix ' + pr2)
+-check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 6, 7)
--check_ulog(2, 6, 7, [None, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
-+realm.run([kadminl, 'modprinc', '-allow_tix', 'w'])
+-wait_for_prop(kpropd1, False, 5, 6)
+-check_ulog(1, 6, 6, [pr2], slave1)
+-out = realm.run_kadminl('getprinc ' + pr2, slave1)
++realm.run_kadminl('modprinc -allow_tix w')
 +check_serial(realm, '8')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '8', slave)
-+out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
++out = realm.run_kadminl('getprinc w', slave)
  if 'Attributes: DISALLOW_ALL_TIX' not in out:
 -    fail('slave1 does not have modification from master')
 +    fail('Slave does not have modification from master')
@@ -3271,26 +3254,26 @@
 -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port,
 -                              '-f', slave2_in_dump_path, '-p', kdb5_util,
 -                              '-a', acl_file, '-A', hostname], 'ready', slave2)
--wait_for_prop(kpropd2, True, 1, 7)
--check_ulog(1, 7, 7, [None], slave2)
--out = realm.run([kadminl, 'listprincs'], env=slave1)
+-wait_for_prop(kpropd2, True, 0, 6)
+-check_ulog(0, 0, 6, [], slave2)
+-out = realm.run_kadminl('listprincs', slave1)
 -if pr1 not in out or pr2 not in out or pr3 not in out:
 -    fail('slave2 does not have all principals from slave1')
 -
 -# Make another change and check that it propagates incrementally to
 -# both slaves.
--realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1])
--check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
+-realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1)
+-check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 7, 8)
--check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
+-wait_for_prop(kpropd1, False, 6, 7)
+-check_ulog(2, 6, 7, [pr2, pr1], slave1)
+-out = realm.run_kadminl('getprinc ' + pr1, slave1)
 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 7, 8)
--check_ulog(2, 7, 8, [None, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
+-wait_for_prop(kpropd2, False, 6, 7)
+-check_ulog(1, 7, 7, [pr1], slave2)
+-out = realm.run_kadminl('getprinc ' + pr1, slave2)
 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
 -    fail('slave2 does not have modification from slave1')
 -
@@ -3299,34 +3282,34 @@
 -# slave2 should still be in sync with slave1 after the resync, so make
 -# sure it doesn't take a full resync.
 -realm.run([kproplog, '-R'], slave1)
--check_ulog(1, 1, 1, [None], slave1)
+-check_ulog(0, 0, 0, [], slave1)
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 1, 8)
--check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
+-wait_for_prop(kpropd1, True, 0, 7)
+-check_ulog(2, 6, 7, [pr2, pr1], slave1)
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 8, 8)
--check_ulog(2, 7, 8, [None, pr1], slave2)
+-wait_for_prop(kpropd2, False, 7, 7)
+-check_ulog(1, 7, 7, [pr1], slave2)
 -
 -# Make another change and check that it propagates incrementally to
 -# both slaves.
 +# Make another change and check that it propagates incrementally.
- realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
--check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2])
+ realm.run_kadminl('modprinc +allow_tix w')
+-check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 8, 9)
--check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
+-wait_for_prop(kpropd1, False, 7, 8)
+-check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1)
+-out = realm.run_kadminl('getprinc ' + pr2, slave1)
 +check_serial(realm, '9')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '9', slave)
-+out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
++out = realm.run_kadminl('getprinc w', slave)
  if 'Attributes:\n' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 8, 9)
--check_ulog(3, 7, 9, [None, pr1, pr2], slave2)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
+-wait_for_prop(kpropd2, False, 7, 8)
+-check_ulog(2, 7, 8, [pr1, pr2], slave2)
+-out = realm.run_kadminl('getprinc ' + pr2, slave2)
 +    fail('Slave does not have modification from master')
 +
 +# Reset the ulog on the slave side to force a full resync to the slave.
@@ -3337,111 +3320,116 @@
 +check_serial(realm, '9', slave)
 +
 +# Make another change and check that it propagates incrementally.
-+realm.run([kadminl, 'modprinc', '+allow_tix', 'w'])
++realm.run_kadminl('modprinc +allow_tix w')
 +check_serial(realm, '10')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, False)
 +check_serial(realm, '10', slave)
-+out = realm.run([kadminl, 'getprinc', 'w'], env=slave)
++out = realm.run_kadminl('getprinc w', slave)
  if 'Attributes:\n' not in out:
 -    fail('slave2 does not have modification from slave1')
 +    fail('Slave has different state from master')
  
  # Create a policy and check that it propagates via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol'])
--check_ulog(1, 1, 1, [None])
+ realm.run_kadminl('addpol -minclasses 2 testpol')
+-check_ulog(0, 0, 0, [])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 9, 1)
--check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
+-wait_for_prop(kpropd1, True, 8, 0)
+-check_ulog(0, 0, 0, [], slave1)
+-out = realm.run_kadminl('getpol testpol', slave1)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
++out = realm.run_kadminl('getpol testpol', slave)
  if 'Minimum number of password character classes: 2' not in out:
 -    fail('slave1 does not have policy from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 9, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
+-wait_for_prop(kpropd2, True, 8, 0)
+-check_ulog(0, 0, 0, [], slave2)
+-out = realm.run_kadminl('getpol testpol', slave2)
 -if 'Minimum number of password character classes: 2' not in out:
 -    fail('slave2 does not have policy from slave1')
 +    fail('Slave does not have policy from master')
  
  # Modify the policy and test that it also propagates via full resync.
- realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol'])
--check_ulog(1, 1, 1, [None])
+ realm.run_kadminl('modpol -minlength 17 testpol')
+-check_ulog(0, 0, 0, [])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
+-wait_for_prop(kpropd1, True, 0, 0)
+-check_ulog(0, 0, 0, [], slave1)
+-out = realm.run_kadminl('getpol testpol', slave1)
 -if 'Minimum password length: 17' not in out:
 -    fail('slave1 does not have policy change from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
+-wait_for_prop(kpropd2, True, 0, 0)
+-check_ulog(0, 0, 0, [], slave2)
+-out = realm.run_kadminl('getpol testpol', slave2)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave)
++out = realm.run_kadminl('getpol testpol', slave)
  if 'Minimum password length: 17' not in out:
 -    fail('slave2 does not have policy change from slave1')
 +    fail('Slave does not have policy change from master')
  
  # Delete the policy and test that it propagates via full resync.
--realm.run([kadminl, 'delpol', 'testpol'])
--check_ulog(1, 1, 1, [None])
+ realm.run_kadminl('delpol -force testpol')
+-check_ulog(0, 0, 0, [])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
-+realm.run([kadminl, 'delpol', '-force', 'testpol'])
+-wait_for_prop(kpropd1, True, 0, 0)
+-check_ulog(0, 0, 0, [], slave1)
+-out = realm.run_kadminl('getpol testpol', slave1)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
 +check_serial(realm, 'None', slave)
-+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1)
++out = realm.run_kadminl('getpol testpol', slave)
  if 'Policy does not exist' not in out:
 -    fail('slave1 did not get policy deletion from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 1, 1)
--check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
+-wait_for_prop(kpropd2, True, 0, 0)
+-check_ulog(0, 0, 0, [], slave2)
+-out = realm.run_kadminl('getpol testpol', slave2)
 -if 'Policy does not exist' not in out:
 -    fail('slave2 did not get policy deletion from slave1')
 -
--# Modify a principal on the master and test that it propagates incrementally.
--realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
--check_ulog(2, 1, 2, [None, pr1])
+-# Modify a principal on the master and test that it propagates via
+-# full resync.  (The master's ulog does not remember the timestamp it
+-# had at serial number 0, so it does not know that an incremental
+-# propagation is possible.)
+-realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1)
+-check_ulog(1, 1, 1, [pr1])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 1, 2)
--check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
+-wait_for_prop(kpropd1, True, 0, 1)
+-check_ulog(0, 0, 1, [], slave1)
+-out = realm.run_kadminl('getprinc ' + pr1, slave1)
 -if 'Maximum ticket life: 0 days 00:10:00' not in out:
 -    fail('slave1 does not have modification from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 1, 2)
--check_ulog(2, 1, 2, [None, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
+-wait_for_prop(kpropd2, True, 0, 1)
+-check_ulog(0, 0, 1, [], slave2)
+-out = realm.run_kadminl('getprinc ' + pr1, slave2)
 -if 'Maximum ticket life: 0 days 00:10:00' not in out:
 -    fail('slave2 does not have modification from slave1')
 -
--# Delete a principal and test that it propagates incrementally.
--realm.run([kadminl, 'delprinc', pr3])
--check_ulog(3, 1, 3, [None, pr1, pr3])
+-# Delete a principal and test that it propagates incrementally to
+-# slave1.  slave2 needs another full resync because slave1 no longer
+-# has serial number 1 in its ulog after processing its first
+-# incremental update.
+-realm.run_kadminl('delprinc -force ' + pr3)
+-check_ulog(2, 1, 2, [pr1, pr3])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, False, 2, 3)
--check_ulog(3, 1, 3, [None, pr1, pr3], slave1)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1)
+-wait_for_prop(kpropd1, False, 1, 2)
+-check_ulog(1, 2, 2, [pr3], slave1)
+-out = realm.run_kadminl('getprinc ' + pr3, slave1)
 -if 'Principal does not exist' not in out:
 -    fail('slave1 does not have principal deletion from master')
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, False, 2, 3)
--check_ulog(3, 1, 3, [None, pr1, pr3], slave2)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
+-wait_for_prop(kpropd2, True, 1, 2)
+-check_ulog(0, 0, 2, [], slave2)
+-out = realm.run_kadminl('getprinc ' + pr3, slave2)
 -if 'Principal does not exist' not in out:
 -    fail('slave2 does not have principal deletion from slave1')
 +    fail('Slave did not get policy deletion from master')
@@ -3451,46 +3439,13 @@
 +# XXX Note that we only have one slave in this test, so we can't really
 +# test this.
  realm.run([kproplog, '-R'])
--check_ulog(1, 1, 1, [None])
+-check_ulog(0, 0, 0, [])
 -kpropd1.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd1, True, 3, 1)
--check_ulog(1, 1, 1, [None], slave1)
+-wait_for_prop(kpropd1, True, 2, 0)
+-check_ulog(0, 0, 0, [], slave1)
 -kpropd2.send_signal(signal.SIGUSR1)
--wait_for_prop(kpropd2, True, 3, 1)
--check_ulog(1, 1, 1, [None], slave2)
--
--# Stop the kprop daemons so we can test kpropd -t.
--stop_daemon(kpropd1)
--stop_daemon(kpropd2)
--
--# Test the case where no updates are needed.
--out = realm.run_kpropd_once(slave1, ['-d'])
--if 'KDC is synchronized' not in out:
--    fail('Expected synchronized from kpropd -t')
--check_ulog(1, 1, 1, [None], slave1)
--
--# Make a change on the master and fetch it incrementally.
--realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1])
--check_ulog(2, 1, 2, [None, pr1])
--out = realm.run_kpropd_once(slave1, ['-d'])
--if 'Got incremental updates (sno=2 ' not in out:
--    fail('Expected full dump and synchronized from kpropd -t')
--check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:05:00' not in out:
--    fail('slave1 does not have modification from master after kpropd -t')
--
--# Propagate a policy change via full resync.
--realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
--check_ulog(1, 1, 1, [None])
--out = realm.run_kpropd_once(slave1, ['-d'])
--if ('Full propagation transfer finished' not in out or
--    'KDC is synchronized' not in out):
--    fail('Expected full dump and synchronized from kpropd -t')
--check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum number of password character classes: 3' not in out:
--    fail('slave1 does not have policy from master after kpropd -t')
+-wait_for_prop(kpropd2, True, 2, 0)
+-check_ulog(0, 0, 0, [], slave2)
 +check_serial(realm, 'None')
 +kpropd.send_signal(signal.SIGUSR1)
 +wait_for_prop(kpropd, True)
@@ -3534,15 +3489,3 @@
                                   '-c', self.kadmin_ccache] + flags)
  
      def run_kadmin(self, query, **keywords):
-/usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py
---- old/src/tests/t_ccache.py     2016-04-08 09:50:18.104351949 -0700
-+++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700
[email protected]@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password('
- realm.run([klist, '-s'])
- realm.kinit(realm.user_princ, password('user'), ['-l', '-1s'])
- realm.run([klist, '-s'], expected_code=1)
--realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin'])
-+realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw'])
- realm.run([klist, '-s'])
- realm.run([kdestroy])
- realm.run([klist, '-s'], expected_code=1)
--- a/components/krb5/patches/029-kadmin_disable_anonymity.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch	Sat May 14 15:38:32 2016 -0700
@@ -24,8 +24,8 @@
      }
  
      while ((optchar = getopt(argc, argv,
--                             "+x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
-+                             "+x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
+-                             "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
++                             "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
          switch (optchar) {
          case 'x':
              db_args_size++;
@@ -64,31 +64,35 @@
  Use \fIcredentials_cache\fP as the credentials cache.  The
  cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
 diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py
---- new/src/tests/t_pkinit.py   2016-02-29 11:50:13.000000000 -0800
-+++ patched.1/src/tests/t_pkinit.py     2016-03-19 08:15:59.287791038 -0700
[email protected]@ -73,15 +73,16 @@ if '97:' in out:
-     fail('auth indicators seen in anonymous PKINIT ticket')
+--- old/src/tests/t_pkinit.py	2015-02-11 19:16:43.000000000 -0800
++++ new/src/tests/t_pkinit.py	2015-03-05 09:09:09.690228292 -0800
[email protected]@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/[email protected]
+ realm.run([kvno, realm.host_princ])
  
  # Test anonymous kadmin.
 -f = open(os.path.join(realm.testdir, 'acl'), 'a')
 -f.write('WELLKNOWN/[email protected]:ANONYMOUS a *')
 -f.close()
 -realm.start_kadmind()
--realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
--out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
+-out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
+-if 'created.' not in out:
+-    fail('Could not create principal with anonymous kadmin')
+-out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
 -if "Operation requires ``get'' privilege" not in out:
 -    fail('Anonymous kadmin has too much privilege')
 -realm.stop_kadmind()
++sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n");
 +#f = open(os.path.join(realm.testdir, 'acl'), 'a')
 +#f.write('WELLKNOWN/[email protected]:ANONYMOUS a *')
 +#f.close()
 +#realm.start_kadmind()
-+#realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
-+#out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
++#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
++#if 'created.' not in out:
++#    fail('Could not create principal with anonymous kadmin')
++#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
 +#if "Operation requires ``get'' privilege" not in out:
 +#    fail('Anonymous kadmin has too much privilege')
 +#realm.stop_kadmind()
-+sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n");
  
  # Test with anonymous restricted; FAST should work but kvno should fail.
  r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
--- a/components/krb5/patches/032-pam-krb5.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/032-pam-krb5.patch	Sat May 14 15:38:32 2016 -0700
@@ -14,8 +14,8 @@
 # Patch source: in-house
 #
 diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- no-032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:25:17.265078167 -0600
-+++ 032/src/lib/kadm5/clnt/client_init.c	2016-03-28 14:27:42.301681052 -0600
+--- old/src/lib/kadm5/clnt/client_init.c	2015-04-30 01:12:10.579373279 -0600
++++ new/src/lib/kadm5/clnt/client_init.c	2015-05-26 23:38:41.638267439 -0600
 @@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
  {
  	int code = 0;
@@ -25,9 +25,9 @@
  	char *iprop_svc;
  	boolean_t iprop_enable = B_FALSE;
  	char mech[] = "kerberos_v5";
[email protected]@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
[email protected]@ -316,15 +316,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
+ 	char *server;
  	int port;
- 	struct timeval timeout;
  
 -        /* service name is service/host */
 -        server = strpbrk(service_name, "/");
@@ -44,7 +44,7 @@
  
  	iprop_svc = strdup(KIPROP_SVC_NAME);
  	if (iprop_svc == NULL)
[email protected]@ -516,7 +514,7 @@ cleanup:
[email protected]@ -510,7 +508,7 @@ cleanup:
  
  static kadm5_ret_t
  init_any(krb5_context context, char *client_name, enum init_type init_type,
@@ -53,7 +53,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -534,7 +532,6 @@ init_any(krb5_context context, char *cli
[email protected]@ -528,7 +526,6 @@ init_any(krb5_context context, char *cli
  
      int code = 0;
      generic_ret *r;
@@ -61,7 +61,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -603,15 +600,19 @@ init_any(krb5_context context, char *cli
[email protected]@ -597,15 +594,19 @@ init_any(krb5_context context, char *cli
          goto error;
  
      /* NULL svcname means use host-based. */
@@ -88,7 +88,7 @@
      }
  
      /* Get credentials. */
[email protected]@ -666,14 +667,52 @@ cleanup:
[email protected]@ -660,14 +661,52 @@ cleanup:
  static kadm5_ret_t
  get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
                 enum init_type init_type, char *pass, krb5_ccache ccache_in,
@@ -142,7 +142,7 @@
       * Acquire a service ticket for [email protected] for client, using password
       * pass (which could be NULL), and create a ccache to store them in.  If
       * INIT_CREDS, use the ccache we were provided instead.
[email protected]@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -702,7 +741,7 @@ get_init_creds(kadm5_server_handle_t han
      }
      handle->lhandle->cache_name = handle->cache_name;
  
--- a/components/krb5/patches/035-multi-master.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/035-multi-master.patch	Sat May 14 15:38:32 2016 -0700
@@ -8,10 +8,10 @@
 # should look at modifying/deleting this patch.
 # Patch source: in-house
 #
-diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c
---- old/src/kadmin/cli/kadmin.c	2016-03-31 16:44:43.282366236 -0700
-+++ patched/src/kadmin/cli/kadmin.c	2016-03-31 19:24:20.929551275 -0700
[email protected]@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], c
+diff -u -r old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c
+--- old/src/kadmin/cli/kadmin.c	2015-05-28 15:10:45.129616302 -0500
++++ new/src/kadmin/cli/kadmin.c	2015-05-29 13:32:41.901105712 -0500
[email protected]@ -268,7 +268,7 @@
      char **db_args = NULL;
      int db_args_size = 0;
      char *db_name = NULL;
@@ -20,7 +20,7 @@
  
      memset(&params, 0, sizeof(params));
  
[email protected]@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], c
[email protected]@ -380,11 +380,6 @@
      params.mask |= KADM5_CONFIG_REALM;
      params.realm = def_realm;
  
@@ -32,35 +32,36 @@
      /*
       * Set cc to an open credentials cache, either specified by the -c
       * argument or the default.
[email protected]@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], c
[email protected]@ -515,13 +510,15 @@
      if (ccache_name) {
-         info(_("Authenticating as principal %s with existing "
-                "credentials.\n"), princstr);
+         printf(_("Authenticating as principal %s with existing "
+                  "credentials.\n"), princstr);
 -        retval = kadm5_init_with_creds(context, princstr, cc, svcname, &params,
 +        retval = kadm5_init_with_creds_mm(context, princstr, cc, svcnames,
 +                                       &params,
                                         KADM5_STRUCT_VERSION,
                                         KADM5_API_VERSION_4, db_args, &handle);
      } else if (use_anonymous) {
-         info(_("Authenticating as principal %s with password; "
-                "anonymous requested.\n"), princstr);
+         printf(_("Authenticating as principal %s with password; "
+                  "anonymous requested.\n"), princstr);
 -        retval = kadm5_init_anonymous(context, princstr, svcname, &params,
-+        retval = kadm5_init_anonymous_mm(context, princstr, svcnames, &params,
++        retval = kadm5_init_anonymous_mm(context, princstr, svcnames,
++                                      &params,
                                        KADM5_STRUCT_VERSION,
                                        KADM5_API_VERSION_4, db_args, &handle);
      } else if (use_keytab) {
[email protected]@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], c
-             info(_("Authenticating as principal %s with default keytab.\n"),
-                  princstr);
-         }
[email protected]@ -531,17 +528,20 @@
+         else
+             printf(_("Authenticating as principal %s with default keytab.\n"),
+                    princstr);
 -        retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname,
 +        retval = kadm5_init_with_skey_mm(context, princstr, keytab_name,
 +                                      svcnames,
                                        &params, KADM5_STRUCT_VERSION,
                                        KADM5_API_VERSION_4, db_args, &handle);
      } else {
-         info(_("Authenticating as principal %s with password.\n"),
-              princstr);
+         printf(_("Authenticating as principal %s with password.\n"),
+                princstr);
 -        retval = kadm5_init_with_password(context, princstr, password, svcname,
 +        retval = kadm5_init_with_password_mm(context, princstr, password,
 +                                          svcnames,
@@ -127,10 +128,10 @@
  kadm5_ret_t    kadm5_lock(void *server_handle);
  kadm5_ret_t    kadm5_unlock(void *server_handle);
  kadm5_ret_t    kadm5_flush(void *server_handle);
-/usr/gnu/bin/diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
---- unpatched/src/lib/kadm5/clnt/client_init.c	2016-03-28 00:19:36.988270188 -0600
-+++ patched/src/lib/kadm5/clnt/client_init.c	2016-03-28 13:12:43.769371355 -0600
[email protected]@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, I
+diff -u -r old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c
+--- old/src/lib/kadm5/clnt/client_init.c	2015-05-28 15:10:45.192975632 -0500
++++ new/src/lib/kadm5/clnt/client_init.c	2015-06-02 10:33:51.639341637 -0500
[email protected]@ -55,7 +55,7 @@
  
  static kadm5_ret_t
  init_any(krb5_context context, char *client_name, enum init_type init_type,
@@ -139,7 +140,7 @@
           kadm5_config_params *params, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle);
  
[email protected]@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context conte
[email protected]@ -87,8 +87,25 @@
                        krb5_ui_4 api_version, char **db_args,
                        void **server_handle)
  {
@@ -166,7 +167,7 @@
                      server_handle);
  }
  
[email protected]@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context co
[email protected]@ -99,7 +116,24 @@
                           krb5_ui_4 api_version, char **db_args,
                           void **server_handle)
  {
@@ -192,7 +193,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
[email protected]@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context contex
[email protected]@ -110,8 +144,24 @@
                       krb5_ui_4 struct_version, krb5_ui_4 api_version,
                       char **db_args, void **server_handle)
  {
@@ -218,7 +219,7 @@
                      db_args, server_handle);
  }
  
[email protected]@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *c
[email protected]@ -121,7 +171,23 @@
             krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args,
             void **server_handle)
  {
@@ -243,7 +244,7 @@
                      params, struct_version, api_version, db_args,
                      server_handle);
  }
[email protected]@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context contex
[email protected]@ -133,8 +199,25 @@
                       krb5_ui_4 api_version, char **db_args,
                       void **server_handle)
  {
@@ -270,7 +271,7 @@
                      server_handle);
  }
  
[email protected]@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm
[email protected]@ -338,7 +421,7 @@
  	}
  
  	/*
@@ -279,7 +280,7 @@
  	 *    - if iprop_port is configured, connect to iprop_port
  	 *    - if not, query remote rpc/bind
  	 *    - if that fails, try consuming iprop service on kadmin port
[email protected]@ -512,9 +595,35 @@ cleanup:
[email protected]@ -506,9 +589,35 @@
  	return (code);
  }
  
@@ -316,7 +317,7 @@
           kadm5_config_params *params_in, krb5_ui_4 struct_version,
           krb5_ui_4 api_version, char **db_args, void **server_handle)
  {
[email protected]@ -532,6 +641,10 @@ init_any(krb5_context context, char *cli
[email protected]@ -526,6 +635,10 @@
  
      int code = 0;
      generic_ret *r;
@@ -327,7 +328,7 @@
  
      initialize_ovk_error_table();
  /*      initialize_adb_error_table(); */
[email protected]@ -599,34 +712,56 @@ init_any(krb5_context context, char *cli
[email protected]@ -593,34 +706,56 @@
      if (code)
          goto error;
  
@@ -406,7 +407,7 @@
      *server_handle = (void *) handle;
  
      goto cleanup;
[email protected]@ -659,6 +794,8 @@ cleanup:
[email protected]@ -653,6 +788,8 @@
      krb5_free_principal(handle->context, server);
      if (code)
          free(handle);
@@ -415,7 +416,7 @@
  
      return code;
  }
[email protected]@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -665,46 +802,43 @@
  {
      kadm5_ret_t code;
      krb5_ccache ccache = NULL;
@@ -493,7 +494,7 @@
  
      /*
       * Acquire a service ticket for [email protected] for client, using password
[email protected]@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t han
[email protected]@ -741,7 +875,7 @@
      }
      handle->lhandle->cache_name = handle->cache_name;
  
--- a/components/krb5/patches/036-verify-nofail.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/036-verify-nofail.patch	Sat May 14 15:38:32 2016 -0700
@@ -21,8 +21,8 @@
      if (*argv != NULL)
          check(krb5_parse_name(context, *argv, &princ));
 diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py
---- old/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 16:44:48.483714940 -0700
-+++ patched/src/lib/krb5/krb/t_vfy_increds.py	2016-03-31 19:34:30.816360770 -0700
+--- old/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 14:42:17.100176857 -0600
++++ new/src/lib/krb5/krb/t_vfy_increds.py	2015-05-28 18:03:03.977698328 -0600
 @@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds'])
  realm.run(['./t_vfy_increds', '-n'])
  
@@ -55,8 +55,8 @@
 -# default (succeeding unless nofail is set), but should verify with it
 +# default (succeeding only when nofail is unset), but should verify with it
  # when it is specifically requested.
- realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ])
- realm.run([kadminl, 'ktadd', realm.nfs_princ])
+ realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
+ realm.run_kadminl('ktadd ' + realm.nfs_princ)
 -realm.run(['./t_vfy_increds'])
 +realm.run(['./t_vfy_increds'], expected_code=1)
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
@@ -65,7 +65,7 @@
 @@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real
  # results with the default principal argument, but verification should
  # now fail if we request it specifically.
- realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ])
+ realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
 -realm.run(['./t_vfy_increds'])
 +realm.run(['./t_vfy_increds'], expected_code=1)
  realm.run(['./t_vfy_increds', '-n'], expected_code=1)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/045-correct_err_code_for_bad_QOP.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,55 @@
+#
+# This patch fixes krb5_gss_wrap_size_limit return code to comply with
+# RFC 2743.
+#
+# Found by usr/ontest/lib/libgss/gss_api:gss.17.
+#
+# The patch was accepted upstream and will be part of krb5 1.14:
+# https://github.com/krb5/krb5/commit/45ccc1c85f42e4f41f2042df8a51dd7826533029
+# Patch source: in-house
+#
+diff -pur old/src/lib/gssapi/krb5/k5seal.c new/src/lib/gssapi/krb5/k5seal.c
+--- old/src/lib/gssapi/krb5/k5seal.c
++++ new/src/lib/gssapi/krb5/k5seal.c
[email protected]@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, co
+        them later.  */
+     if (qop_req != 0) {
+         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+-        return GSS_S_FAILURE;
++        return GSS_S_BAD_QOP;
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
+diff -pur old/src/lib/gssapi/krb5/k5sealiov.c new/src/lib/gssapi/krb5/k5sealiov.c
+--- old/src/lib/gssapi/krb5/k5sealiov.c
++++ new/src/lib/gssapi/krb5/k5sealiov.c
[email protected]@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status,
+ 
+     if (qop_req != 0) {
+         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
+-        return GSS_S_FAILURE;
++        return GSS_S_BAD_QOP;
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *)context_handle;
[email protected]@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_stat
+ 
+     if (qop_req != GSS_C_QOP_DEFAULT) {
+         *minor_status = (OM_uint32)G_UNKNOWN_QOP;
+-        return GSS_S_FAILURE;
++        return GSS_S_BAD_QOP;
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *)context_handle;
+diff -pur old/src/lib/gssapi/krb5/wrap_size_limit.c new/src/lib/gssapi/krb5/wrap_size_limit.c
+--- old/src/lib/gssapi/krb5/wrap_size_limit.c
++++ new/src/lib/gssapi/krb5/wrap_size_limit.c
[email protected]@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, c
+     /* only default qop is allowed */
+     if (qop_req != GSS_C_QOP_DEFAULT) {
+         *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+-        return(GSS_S_FAILURE);
++        return(GSS_S_BAD_QOP);
+     }
+ 
+     ctx = (krb5_gss_ctx_id_rec *) context_handle;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/046-creds_usage_mismatch_err_code.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,26 @@
+#
+# In krb5_gss_store_cred_into(), if the credential is acceptor-only, set
+# the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of
+# G_BAD_USAGE.
+#
+# Found by usr/ontest/lib/libgss/gss_api:gss.27.
+#
+# Accepted upstream, will be part of krb5 1.14:
+# https://github.com/krb5/krb5/commit/c0e16bb2f654038ad81602e89851f232916da051
+# Patch source: in-house
+#
+diff -pur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c
+--- old/src/lib/gssapi/krb5/store_cred.c	2015-06-12 08:13:27.399201700 -0700
++++ new/src/lib/gssapi/krb5/store_cred.c	2015-06-12 08:17:35.570611897 -0700
[email protected]@ -241,7 +241,10 @@ krb5_gss_store_cred_into(OM_uint32 *mino
+     if (lifetime == 0)
+         return GSS_S_CREDENTIALS_EXPIRED;
+ 
+-    if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
++    if (actual_usage == GSS_C_ACCEPT) {
++        *minor_status = G_STORE_ACCEPTOR_CRED_NOSUPP;
++        return GSS_S_FAILURE;
++    } else if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) {
+         *minor_status = G_BAD_USAGE;
+         return GSS_S_FAILURE;
+     }
--- a/components/krb5/patches/051-fopenF.patch	Fri May 13 18:08:27 2016 -0700
+++ b/components/krb5/patches/051-fopenF.patch	Sat May 14 15:38:32 2016 -0700
@@ -787,9 +787,9 @@
                  if (!logfile) {
                      perror(*argv);
 diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c
---- old/src/util/profile/prof_file.c	2016-03-31 16:44:53.634245353 -0700
-+++ patched/src/util/profile/prof_file.c	2016-03-31 20:07:34.843286876 -0700
[email protected]@ -126,7 +126,7 @@ static int rw_access(const_profile_files
+--- krb5-1.13.2/src/util/profile/prof_file.c	2015-05-08 18:27:02.000000000 -0500
++++ krb5-1.13.2.fopen/src/util/profile/prof_file.c	2015-08-11 13:56:49.450805045 -0500
[email protected]@ -123,7 +123,7 @@
       */
      FILE    *f;
  
@@ -798,7 +798,7 @@
      if (f) {
          fclose(f);
          return 1;
[email protected]@ -150,7 +150,7 @@ static int r_access(const_profile_filesp
[email protected]@ -147,7 +147,7 @@
       */
      FILE    *f;
  
@@ -807,16 +807,16 @@
      if (f) {
          fclose(f);
          return 1;
[email protected]@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locke
[email protected]@ -346,7 +346,7 @@
+     }
  #endif
-     if (!isdir) {
-         errno = 0;
--        f = fopen(data->filespec, "r");
-+        f = fopen(data->filespec, "rF");
-         if (f == NULL)
-             return (errno != 0) ? errno : ENOENT;
-         set_cloexec_file(f);
[email protected]@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_
+     errno = 0;
+-    f = fopen(data->filespec, "r");
++    f = fopen(data->filespec, "rF");
+     if (f == NULL) {
+         retval = errno;
+         if (retval == 0)
[email protected]@ -411,7 +411,7 @@
  
      errno = 0;
  
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/061-ccache-nounlink.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,269 @@
+#
+# This patch modifies the MIT implementation of krb5_fcc_initialize() so
+# it doesn't call unlink() on an existing ccache file.  This modification
+# was done a long time ago in Solaris to workaround a race condition
+# brought on by the interaction between Solaris pam_krb5 and MIT's
+# implementation of krb5_fcc_initialize().  Given there are better ways of
+# fixing the race condition we will not give this patch to MIT however a
+# proper race condition fix would take prohibitively long to implement
+# hence this patch.  When pam_krb5 is modified to better deal with the
+# ccache file and RFE 22229031 regarding ktkt_warnd is implemented then
+# this patch can be removed.
+# Patch source: in-house
+#
+
+diff -Naru old/src/lib/krb5/ccache/cc_file.c new/src/lib/krb5/ccache/cc_file.c
+--- old/src/lib/krb5/ccache/cc_file.c	2015-05-08 16:27:02.000000000 -0700
++++ new/src/lib/krb5/ccache/cc_file.c	2015-11-16 15:54:02.138183303 -0800
[email protected]@ -64,6 +64,10 @@
+ #include "k5-int.h"
+ #include "cc-int.h"
+ 
++/* Solaris Kerberos */
++#include <syslog.h>
++#include <ctype.h>
++
+ #include <stdio.h>
+ #include <errno.h>
+ 
[email protected]@ -71,6 +75,11 @@
+ #include <unistd.h>
+ #endif
+ 
++/* Solaris Kerberos */
++/* How long to block if flock fails with EAGAIN */
++#define    LOCK_RETRIES    100
++#define    WAIT_LENGTH    20    /* in milliseconds */
++
+ extern const krb5_cc_ops krb5_cc_file_ops;
+ 
+ krb5_error_code krb5_change_cache(void);
[email protected]@ -85,6 +94,7 @@
+ #define FCC_OPEN_AND_ERASE      1
+ #define FCC_OPEN_RDWR           2
+ #define FCC_OPEN_RDONLY         3
++#define	FCC_OPEN_AND_ERASE_NOUNLINK	255    /* Solaris Kerberos */
+ 
+ #define FCC_TAG_DELTATIME       1
+ 
[email protected]@ -524,6 +534,130 @@
+     ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF))
+ #endif
+ 
++/* Solaris Kerberos */
++static krb5_error_code
++krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
++{
++     struct stat lres;
++     struct stat fres;
++     int error;
++     uid_t uid, euid;
++     int fd;
++     int newfile = 0;
++
++     *ret_fd = -1;
++     /*
++      * Solaris Kerberos
++      * If we are opening in NOUNLINK mode, we have to check that the
++      * existing file, if any, is not a symlink. If it is, we try to
++      * delete and re-create it.
++      */
++     error = lstat(filename, &lres);
++     if (error == -1 && errno != ENOENT) {
++         syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
++         return (-1);
++     }
++
++     if (error == 0 && !S_ISREG(lres.st_mode)) {
++         syslog(LOG_WARNING, "%s is not a plain file!", filename);
++         syslog(LOG_WARNING, "trying to unlink %s", filename);
++         if (unlink(filename) != 0) {
++              syslog(LOG_ERR, "could not unlink %s [%m]", filename);
++              return (-1);
++         }
++     }
++
++     fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK | O_NOFOLLOW, 0600);
++     if (fd == -1) {
++         if (errno == ENOENT) {
++              fd = THREEPARAMOPEN(filename, open_flag | O_EXCL | O_CREAT,
++                  0600);
++              if (fd != -1) {
++                  newfile = 1;
++              } else {
++                  /* If the file got created after the open we must retry */
++                  if (errno == EEXIST)
++                      return (0);
++              }
++         } else if (errno == EACCES) {
++            /*
++             * We failed since the file existed with wrong permissions.
++             * Let's try to unlink it and if that succeeds retry.
++             */
++            syslog(LOG_WARNING, "Insufficient permissions on %s", filename);
++            syslog(LOG_WARNING, "trying to unlink %s", filename);
++            if (unlink(filename) != 0) {
++                syslog(LOG_ERR, "could not unlink %s [%m]", filename);
++                return (-1);
++            }
++            return (0);
++        }
++    }
++    /* If we still don't have a valid fd, we stop trying */
++    if (fd == -1)
++        return (-1);
++
++    /*
++     * Solaris Kerberos
++     * If the file was not created now with a O_CREAT | O_EXCL open,
++     * we have opened an existing file. We should check if the file
++     * owner is us, if not, unlink and retry. If unlink fails we log
++     * the error and return.
++     */
++    if (!newfile) {
++        if (fstat(fd, &fres) == -1) {
++            syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
++            close(fd);
++            return (-1);
++        }
++        /* Check if this is the same file we lstat'd earlier */
++        if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) {
++            syslog(LOG_ERR, "%s changed between stat and open!", filename);
++            close(fd);
++            return (-1);
++        }
++
++        /*
++         * Solaris Kerberos
++         * Check if the cc filename uid matches owner of file.
++         * Expects cc file to be in the form of /tmp/krb5cc_<uid>,
++         * else skip this check.
++         */
++        if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) {
++            uid_t fname_uid;
++            char *uidstr = strchr(filename, '_');
++            char *s = NULL;
++
++            /* make sure we have some non-null char after '_' */
++            if (!*++uidstr)
++                goto out;
++
++            /* make sure the uid part is all digits */
++            for (s = uidstr; *s; s++)
++                if (!isdigit(*s))
++                    goto out;
++
++            fname_uid = (uid_t) atoi(uidstr);
++            if (fname_uid != fres.st_uid) {
++                close(fd);
++                syslog(LOG_WARNING, "%s owned by %d instead of %d",
++                    filename, fres.st_uid, fname_uid);
++                syslog(LOG_WARNING, "trying to unlink %s", filename);
++                if (unlink(filename) != 0) {
++                    syslog(LOG_ERR, "could not unlink %s [%m]", filename);
++                    return (-1);
++                }
++                return (0);
++            }
++        }
++    }
++
++out:
++    *new = newfile;
++    *ret_fd = fd;
++    return (0);
++}
++
+ /* Open and lock the cache file.  If mode is FCC_OPEN_AND_ERASE, initialize it
+  * with a header.  Call with the mutex locked. */
+ static krb5_error_code
[email protected]@ -538,6 +672,10 @@
+     int f, open_flag, lock_flag, cnt;
+     char buf[1024];
+ 
++    /* Solaris Kerberos */
++    int retries = 0;
++    int newfile = 0;
++
+     k5_cc_mutex_assert_locked(context, &data->lock);
+     invalidate_cache(data);
+ 
[email protected]@ -549,6 +687,10 @@
+     }
+ 
+     switch (mode) {
++	/* Solaris Kerberos */
++    case FCC_OPEN_AND_ERASE_NOUNLINK:
++        open_flag = O_RDWR;
++        break;
+     case FCC_OPEN_AND_ERASE:
+         unlink(data->filename);
+         open_flag = O_CREAT | O_EXCL | O_TRUNC | O_RDWR;
[email protected]@ -562,7 +704,21 @@
+         break;
+     }
+ 
++fcc_retry:
++    /*
++     * Solaris Kerberos
++     * If we are opening in NOUNLINK mode, check whether we are opening a
++     * symlink or a file owned by some other user and take preventive action.
++     */
++    newfile = 0;
++    if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
++     ret = krb5_fcc_open_nounlink(data->filename, open_flag,
++                     &f, &newfile);
++     if (ret == 0 && f == -1)
++          goto fcc_retry;
++    } else {
+     f = THREEPARAMOPEN(data->filename, open_flag | O_BINARY, 0600);
++    }
+     if (f == NO_FILE) {
+         if (errno == ENOENT) {
+             ret = KRB5_FCC_NOFILE;
[email protected]@ -584,10 +740,26 @@
+     ret = krb5_lock_file(context, f, lock_flag);
+     if (ret) {
+         (void)close(f);
++        if (ret == EAGAIN && retries++ < LOCK_RETRIES) {
++            /* Solaris Kerberos wait some time before retrying */
++            if (poll(NULL, 0, WAIT_LENGTH) == 0)
++                goto fcc_retry;
++        }
++        syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename);
+         return ret;
+     }
+ 
+-    if (mode == FCC_OPEN_AND_ERASE) {
++    if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
++        /*
++         * Solaris Kerberos
++         * If this file was not created, we have to flush existing data.
++         * This will happen only if we are doing an ERASE_NOUNLINK open.
++         */
++        if (newfile == 0 && (ftruncate(f, 0) == -1)) {
++            syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename);
++            close(f);
++            return (interpret_errno(context, errno));
++        }
+         /* write the version number */
+         store_16_be(context->fcc_default_format, fcc_fvno);
+         data->version = context->fcc_default_format;
[email protected]@ -755,14 +927,16 @@
+ 
+     k5_cc_mutex_lock(context, &data->lock);
+ 
+-    MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE);
++    MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK);
+ 
++#if 0
+ #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD)
+ #ifdef HAVE_FCHMOD
+     st = fchmod(data->fd, S_IRUSR | S_IWUSR);
+ #else
+     st = chmod(data->filename, S_IRUSR | S_IWUSR);
+ #endif
++#endif
+     if (st == -1) {
+         ret = interpret_errno(context, errno);
+         MAYBE_CLOSE(context, id, ret);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/064-enable-debug-compile.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,25 @@
+#
+# This patch fixes a minor issue where the hostrealm plugin test program will
+# not compile non-optimized.  There is a MIT ticket which they intend on
+# fixing: Ticket #8326 hostrealm code won't compile in debug mode using Solaris
+# Studio C 
+# Patch source: in-house
+#
+diff -ur krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
+--- krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in
++++ krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in
[email protected]@ -5,9 +5,10 @@
+ LIBMAJOR=0
+ LIBMINOR=0
+ RELDIR=../plugins/hostrealm/test
+-# Depends on libkrb5
+-SHLIB_EXPDEPS= $(KRB5_DEPLIB)
+-SHLIB_EXPLIBS= $(KRB5_LIB)
++# Depends on libkrb5 and libkrb5support when building non-optimized with
++# certain compilers.
++SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB)
++SHLIB_EXPLIBS= $(KRB5_LIB) $(SUPPORT_LIB)
+ 
+ STLIBOBJS=main.o
+ 
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/066-sanitize_context_ptr.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,34 @@
+# Sanitize context pointer in gss_export_sec_context
+# 
+# After 4f35b27 context pointer in gss_export_sec_context() is first
+# dereferenced before arguments are sanitized in val_exp_sec_ctx_args().
+# With context == NULL the new code segfaults instead of failing
+# gracefully.
+# 
+# Revert this part of 4f35b27 and only dereference context if not NULL.
+#
+# Patch submitted upstream:
+# https://github.com/krb5/krb5/pull/382
+# Patch source: in-house
+#
+
+diff -pur old/src/lib/gssapi/mechglue/g_exp_sec_context.c new/src/lib/gssapi/mechglue/g_exp_sec_context.c
+--- old/src/lib/gssapi/mechglue/g_exp_sec_context.c
++++ new/src/lib/gssapi/mechglue/g_exp_sec_context.c
[email protected]@ -79,7 +79,7 @@ gss_buffer_t		interprocess_token;
+ {
+     OM_uint32		status;
+     OM_uint32 		length;
+-    gss_union_ctx_id_t	ctx = (gss_union_ctx_id_t) *context_handle;
++    gss_union_ctx_id_t	ctx;
+     gss_mechanism	mech;
+     gss_buffer_desc	token = GSS_C_EMPTY_BUFFER;
+     char		*buf;
[email protected]@ -94,6 +94,7 @@ gss_buffer_t		interprocess_token;
+      * call it.
+      */
+ 
++    ctx = (gss_union_ctx_id_t) *context_handle;
+     mech = gssint_get_mechanism (ctx->mech_type);
+     if (!mech)
+ 	return GSS_S_BAD_MECH;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/krb5/patches/067-iprop-double-free-fix.patch	Sat May 14 15:38:32 2016 -0700
@@ -0,0 +1,26 @@
+# Fix a potential but unlikely to occur double free() in a couple places in ipropd_svc.c.
+# This has been reported to MIT who will be fixing this via pull request
+# https://github.com/krb5/krb5/pull/396 .
+# Patch source: in-house
+
+diff -ur krb5-1.13.3/src/kadmin/server/ipropd_svc.c krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
+--- krb5-1.13.3/src/kadmin/server/ipropd_svc.c
++++ krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c
[email protected]@ -160,8 +160,6 @@
+ 	client_name = buf_to_string(&client_desc);
+ 	service_name = buf_to_string(&service_desc);
+ 	if (client_name == NULL || service_name == NULL) {
+-	    free(client_name);
+-	    free(service_name);
+ 	    krb5_klog_syslog(LOG_ERR,
+ 			     _("%s: out of memory recording principal names"),
+ 			     whoami);
[email protected]@ -288,8 +286,6 @@
+ 	client_name = buf_to_string(&client_desc);
+ 	service_name = buf_to_string(&service_desc);
+ 	if (client_name == NULL || service_name == NULL) {
+-	    free(client_name);
+-	    free(service_name);
+ 	    DPRINT("%s: out of memory\n", whoami);
+ 	    krb5_klog_syslog(LOG_ERR,
+ 			     _("%s: out of memory recording principal names"),