| author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
| Sat, 14 May 2016 15:38:32 -0700 | |
| changeset 5986 | bab15c34f645 |
| parent 5985 | 6b195cad32d4 |
| child 5987 | c070fc9ea447 |
--- a/components/krb5/Makefile Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/Makefile Sat May 14 15:38:32 2016 -0700 @@ -18,35 +18,28 @@ # # CDDL HEADER END # - -# # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # -BUILD_BITS= 64_and_32 + include ../../make-rules/shared-macros.mk COMPONENT_NAME= Kerberos -# Encoding rule for MAJOR: MIT KerberosV5 x.y[.z] => MAJOR x -# Encoding rule for MINOR: MIT KerberosV5 x.y[.z] => MINOR $MAJOR.y -# Encoding rule for MICRO: MIT KerberosV5 x.y[.z] => MICRO $MINOR[.z] -COMPONENT_MAJOR= 1 -COMPONENT_MINOR= $(COMPONENT_MAJOR).14 -COMPONENT_MICRO= $(COMPONENT_MINOR).2 - -COMPONENT_VERSION= $(COMPONENT_MICRO) -IPS_COMPONENT_VERSION= $(COMPONENT_VERSION).0 - +COMPONENT_MINOR= 1.13 +COMPONENT_VERSION= 1.13.3 COMPONENT_PROJECT_URL= http://web.mit.edu/kerberos/ COMPONENT_SRC= krb5-$(COMPONENT_VERSION) +COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:6bcad7e6778d1965e4ce4af21d2efdc15b274c5ce5c69031c58e4c954cda8b27 + sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe COMPONENT_ARCHIVE_URL= \ $(COMPONENT_PROJECT_URL)dist/krb5/$(COMPONENT_MINOR)/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/kerberos -TPNO= 27916 +TPNO= 26018 -include $(WS_MAKE_RULES)/common.mk +include $(WS_MAKE_RULES)/prep.mk +include $(WS_MAKE_RULES)/configure.mk +include $(WS_MAKE_RULES)/lint-libraries.mk LINT_FLAGS += -I$(PROTOUSRINCDIR) -I$(PROTOUSRINCDIR)/kerberosv5 -I$(COMPONENT_DIR)/Solaris @@ -57,6 +50,11 @@ PUBLISH_STAMP= endif +include $(WS_MAKE_RULES)/ips.mk + +# Encoding rules for IPS: MIT KerberosV5 <x>.<y>[.<z>] => IPS <x>.<y>.[<z>|0].0 +IPS_COMPONENT_VERSION= 1.13.3.0 + # The configure script is not at the top of the source directory. CONFIGURE_SCRIPT= $(SOURCE_DIR)/src/configure @@ -72,6 +70,11 @@ # If you make changes to LDFLAGS, check krb5-config and 052-krb5-config.patch. LDFLAGS += -lc $(LD_Z_DEFS) +CONFIGURE_ENV += LDFLAGS="$(LDFLAGS)" +CONFIGURE_ENV += CFLAGS="$(CFLAGS)" +CONFIGURE_ENV += CXXFLAGS="$(CXXFLAGS)" +CONFIGURE_ENV += CPPFLAGS="$(CPPFLAGS)" +CONFIGURE_ENV += PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)" CONFIGURE_ENV += DEFKTNAME="FILE:$(ETCDIR)/krb5/krb5.keytab" CONFIGURE_ENV += DEFCKTNAME="FILE:/var/user/%{username}/client.keytab" @@ -81,6 +84,9 @@ CONFIGURE_OPTIONS.32 += --libexecdir=$(USRLIBDIR) CONFIGURE_OPTIONS.64 += --libexecdir=$(USRLIBDIR)/$(MACH64) CONFIGURE_OPTIONS += --includedir=$(USRINCDIR)/kerberosv5 +# to avoid executing subprocesses from /usr/[s]bin/$(MACH64): +CONFIGURE_OPTIONS += --bindir=$(USRBINDIR) +CONFIGURE_OPTIONS += --sbindir=$(USRSBINDIR) CONFIGURE_OPTIONS += --with-crypto-impl=openssl CONFIGURE_OPTIONS += --with-ldap CONFIGURE_OPTIONS += --with-prng-alg=os @@ -182,6 +188,16 @@ $(CP) $(BUILD_DIR)/$(MACH64)/lib/libkadm5clnt.so.1 \ $(PROTO_DIR)$(USRLIBDIR)/$(MACH64); +ASLR_MODE = $(ASLR_ENABLE) + +# common targets +build: $(BUILD_32_and_64) + +install: $(INSTALL_32_and_64) + +# build does this always +test: $(TEST_32_and_64) + REQUIRED_PACKAGES += developer/test/dejagnu REQUIRED_PACKAGES += library/libedit REQUIRED_PACKAGES += library/openldap @@ -189,7 +205,7 @@ REQUIRED_PACKAGES += network/dns/bind REQUIRED_PACKAGES += service/security/kerberos-5 REQUIRED_PACKAGES += shell/ksh93 -REQUIRED_PACKAGES += system/core-os +REQUIRED_PACKAGES += system/library REQUIRED_PACKAGES += system/library/math REQUIRED_PACKAGES += system/library/security/gss
--- a/components/krb5/Solaris/libkadm5clnt.mapfile-vers Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/Solaris/libkadm5clnt.mapfile-vers Sat May 14 15:38:32 2016 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. # $mapfile_version 2 @@ -26,22 +26,22 @@ STUB_OBJECT; SYMBOL_VERSION SUNWprivate_1.1 { global: - free_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_destroy { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; - kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.10.0 }; + free_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_chpass_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_chpass_principal_util { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_create_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_destroy { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_free_principal_ent { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_adm_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_cpw_host_srv_names { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_master { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_get_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_krb5_context { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_password { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_password_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_skey { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_init_with_skey_mm { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; + kadm5_modify_principal { TYPE = FUNCTION; FILTER = libkadm5clnt_mit.so.9.0 }; local: *;
--- a/components/krb5/krb5-kdc.p5m Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/krb5-kdc.p5m Sat May 14 15:38:32 2016 -0700 @@ -21,7 +21,7 @@ # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # -<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed"> +<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted> set name=pkg.fmri \ value=pkg:/security/kerberos-5/kdc@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="Kerberos V5 Key Distribution Center (KDC)" @@ -33,39 +33,91 @@ set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244 +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) -file Solaris/kadmin.xml path=lib/svc/manifest/network/security/kadmin.xml \ +file Solaris/kadmin.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ restart_fmri=svc:/system/manifest-import:default file Solaris/krb5_prop.xml \ - path=lib/svc/manifest/network/security/krb5_prop.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ + restart_fmri=svc:/system/manifest-import:default +file Solaris/krb5kdc.xml \ + path=lib/kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ restart_fmri=svc:/system/manifest-import:default -file Solaris/krb5kdc.xml path=lib/svc/manifest/network/security/krb5kdc.xml \ - restart_fmri=svc:/system/manifest-import:default +link path=lib/svc/manifest/network/security/kadmin.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/kadmin.xml \ + mediator=kerberos5 mediator-implementation=MIT +link path=lib/svc/manifest/network/security/krb5_prop.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5_prop.xml \ + mediator=kerberos5 mediator-implementation=MIT +link path=lib/svc/manifest/network/security/krb5kdc.xml \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/svc/manifest/network/security/krb5kdc.xml \ + mediator=kerberos5 mediator-implementation=MIT +file usr/sbin/kadmin.local \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local +file usr/sbin/kadmind \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind +file usr/sbin/kdb5_ldap_util \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util +file usr/sbin/kdb5_util \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util +file usr/sbin/kprop path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop +file usr/sbin/kpropd \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd +file usr/sbin/kproplog \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog +file usr/sbin/krb5kdc \ + path=usr/kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ + path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif +file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ + path=usr/kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema dir path=usr/lib/$(MACH64)/krb5/plugins/kdb file path=usr/lib/$(MACH64)/krb5/plugins/kdb/db2.so file path=usr/lib/$(MACH64)/krb5/plugins/kdb/kldap.so link path=usr/lib/$(MACH64)/libkdb_ldap.so target=libkdb_ldap.so.1.0 link path=usr/lib/$(MACH64)/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 file path=usr/lib/$(MACH64)/libkdb_ldap.so.1.0 +link path=usr/lib/krb5/kadmind \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmind \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/kprop \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kprop \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/kpropd \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kpropd \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/krb5/krb5kdc \ + target=../../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/krb5kdc \ + mediator=kerberos5 mediator-implementation=MIT dir path=usr/lib/krb5/plugins/kdb file path=usr/lib/krb5/plugins/kdb/db2.so file path=usr/lib/krb5/plugins/kdb/kldap.so -link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 -link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 +link path=usr/lib/libkdb_ldap.so target=libkdb_ldap.so.1.0 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkdb_ldap.so.1 target=libkdb_ldap.so.1.0 \ + mediator=kerberos5 mediator-implementation=MIT file path=usr/lib/libkdb_ldap.so.1.0 -file usr/sbin/kadmin.local path=usr/sbin/$(MACH64)/kadmin.local -file usr/sbin/kadmind path=usr/sbin/$(MACH64)/kadmind -file usr/sbin/kdb5_ldap_util path=usr/sbin/$(MACH64)/kdb5_ldap_util -file usr/sbin/kdb5_util path=usr/sbin/$(MACH64)/kdb5_util -file usr/sbin/kprop path=usr/sbin/$(MACH64)/kprop -file usr/sbin/kpropd path=usr/sbin/$(MACH64)/kpropd -file usr/sbin/kproplog path=usr/sbin/$(MACH64)/kproplog -file usr/sbin/krb5kdc path=usr/sbin/$(MACH64)/krb5kdc -file src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ - path=usr/share/lib/ldif/kerberos.ldif -file src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ - path=usr/share/lib/ldif/kerberos.schema +link path=usr/sbin/kadmin.local \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kadmin.local \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kdb5_ldap_util \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_ldap_util \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kdb5_util \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kdb5_util \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kprop target=../lib/krb5/kprop mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/sbin/kproplog \ + target=../kerberos5/$(COMPONENT_VERSION)/sbin/$(MACH64)/kproplog \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/share/lib/ldif/kerberos.ldif \ + target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.ldif \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/share/lib/ldif/kerberos.schema \ + target=../../../kerberos5/$(COMPONENT_VERSION)/share/lib/ldif/kerberos.schema \ + mediator=kerberos5 mediator-implementation=MIT file path=usr/share/man/man5/kadm5.acl.5 file path=usr/share/man/man5/kdc.conf.5 file path=usr/share/man/man8/kadmin.local.8
--- a/components/krb5/krb5-message-files.p5m Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/krb5-message-files.p5m Sat May 14 15:38:32 2016 -0700 @@ -29,7 +29,7 @@ value="translatable message content for KerberosV5" set name=com.oracle.info.tpno value=$(TPNO) set name=info.classification value=org.opensolaris.category.2008:System/Security -set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244 +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) file src/po/mit-krb5.pot path=usr/share/applications/mit-krb5.pot license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/krb5.license Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/krb5.license Sat May 14 15:38:32 2016 -0700 @@ -1,4 +1,4 @@ -Copyright (C) 1985-2016 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2015 by the Massachusetts Institute of Technology. All rights reserved.
--- a/components/krb5/krb5.p5m Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/krb5.p5m Sat May 14 15:38:32 2016 -0700 @@ -21,7 +21,7 @@ # Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. # -<transform file path=usr.*/man/.+ -> default mangler.man.stability "pass-through committed"> +<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted> set name=pkg.fmri \ value=pkg:/security/kerberos-5@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="Kerberos V5 Support" @@ -32,24 +32,42 @@ set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) -set name=org.opensolaris.arc-caseid value=PSARC/2015/144 value=PSARC/2016/244 +set name=org.opensolaris.arc-caseid value=PSARC/2015/144 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) dir path=etc/gss/mech.d group=sys -file path=usr/bin/k5srvutil -file path=usr/bin/kadmin -file path=usr/bin/kdestroy -file path=usr/bin/kinit -file path=usr/bin/klist -file path=usr/bin/kpasswd -file path=usr/bin/krb5-config +link path=usr/bin/kdestroy \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kinit \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/klist \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kpasswd \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/krb5-config \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/krb5-config \ + mediator=kerberos5 mediator-implementation=MIT file path=usr/bin/kswitch -file path=usr/bin/ktutil -file path=usr/bin/kvno -file path=usr/include/kerberosv5/com_err.h +link path=usr/bin/ktutil \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/bin/kvno \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/gssapi/gssapi.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/gssapi/gssapi_ext.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/include/kerberosv5/com_err.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h \ + mediator=kerberos5 mediator-implementation=MIT dir path=usr/include/kerberosv5/gssapi file path=usr/include/kerberosv5/gssapi.h -file path=usr/include/kerberosv5/gssapi/gssapi.h -file path=usr/include/kerberosv5/gssapi/gssapi_ext.h file path=usr/include/kerberosv5/gssapi/gssapi_generic.h file path=usr/include/kerberosv5/gssapi/gssapi_krb5.h file path=usr/include/kerberosv5/gssapi/mechglue.h @@ -60,7 +78,9 @@ file path=usr/include/kerberosv5/kdb.h file path=usr/include/kerberosv5/krad.h dir path=usr/include/kerberosv5/krb5 -file path=usr/include/kerberosv5/krb5.h +link path=usr/include/kerberosv5/krb5.h \ + target=../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h \ + mediator=kerberos5 mediator-implementation=MIT file path=usr/include/kerberosv5/krb5/ccselect_plugin.h file path=usr/include/kerberosv5/krb5/clpreauth_plugin.h file path=usr/include/kerberosv5/krb5/hostrealm_plugin.h @@ -75,13 +95,49 @@ dir path=usr/include/kerberosv5/private dir path=usr/include/kerberosv5/private/krb5 dir path=usr/include/kerberosv5/private/krb5/keytab -file Solaris/private/krb5/keytab/kt_solaris.h \ - path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h +link path=usr/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ + target=../../../../../kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h \ + mediator=kerberos5 mediator-implementation=MIT file Solaris/private/krb5/prof_solaris.h \ path=usr/include/kerberosv5/private/krb5/prof_solaris.h file path=usr/include/kerberosv5/profile.h file path=usr/include/kerberosv5/verto-module.h file path=usr/include/kerberosv5/verto.h +file usr/bin/k5srvutil \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil +file usr/bin/kadmin path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin +file usr/bin/kdestroy \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kdestroy +file usr/bin/kinit path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kinit +file usr/bin/klist path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/klist +file usr/bin/kpasswd \ + path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kpasswd +file usr/bin/ktutil path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/ktutil +file usr/bin/kvno path=usr/kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kvno +file usr/bin/krb5-config path=usr/kerberos5/$(COMPONENT_VERSION)/bin/krb5-config +file usr/include/kerberosv5/gssapi/gssapi.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi.h +file usr/include/kerberosv5/gssapi/gssapi_ext.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/gssapi/gssapi_ext.h +file usr/include/kerberosv5/com_err.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/com_err.h +file usr/include/kerberosv5/krb5.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/krb5.h +file Solaris/private/krb5/keytab/kt_solaris.h \ + path=usr/kerberos5/$(COMPONENT_VERSION)/include/kerberosv5/private/krb5/keytab/kt_solaris.h +file usr/lib/$(MACH64)/libgss.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 +file usr/lib/$(MACH64)/libkadm5clnt.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 +file usr/lib/$(MACH64)/libkrb5.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 +file usr/lib/krb5/plugins/preauth/pkinit.so \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so +file usr/lib/libgss.so.1 path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 +file usr/lib/libkadm5clnt.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 +file usr/lib/libkrb5.so.1 \ + path=usr/kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 dir path=usr/lib/$(MACH64)/krb5 dir path=usr/lib/$(MACH64)/krb5/plugins dir path=usr/lib/$(MACH64)/krb5/plugins/authdata @@ -94,29 +150,40 @@ link path=usr/lib/$(MACH64)/libcom_err.so target=libcom_err.so.3.0 link path=usr/lib/$(MACH64)/libcom_err.so.3 target=libcom_err.so.3.0 file path=usr/lib/$(MACH64)/libcom_err.so.3.0 -file path=usr/lib/$(MACH64)/libgss.so.1 +link path=usr/lib/$(MACH64)/libgss.so target=libgssapi_krb5.so.2.2 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libgss.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libgss.so.1 \ + mediator=kerberos5 mediator-implementation=MIT link path=usr/lib/$(MACH64)/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 link path=usr/lib/$(MACH64)/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 file path=usr/lib/$(MACH64)/libgssapi_krb5.so.2.2 link path=usr/lib/$(MACH64)/libk5crypto.so target=libk5crypto.so.3.1 link path=usr/lib/$(MACH64)/libk5crypto.so.3 target=libk5crypto.so.3.1 file path=usr/lib/$(MACH64)/libk5crypto.so.3.1 -file path=usr/lib/$(MACH64)/libkadm5clnt.so.1 -link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0 -link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10 \ - target=libkadm5clnt_mit.so.10.0 -file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.10.0 +link path=usr/lib/$(MACH64)/libkadm5clnt.so target=libkadm5clnt_mit.so \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkadm5clnt.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkadm5clnt.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 +file path=usr/lib/$(MACH64)/libkadm5clnt_mit.so.9.0 link path=usr/lib/$(MACH64)/libkadm5srv.so target=libkadm5srv_mit.so -link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0 -link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0 -file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.10.0 +link path=usr/lib/$(MACH64)/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 +link path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 +file path=usr/lib/$(MACH64)/libkadm5srv_mit.so.9.0 link path=usr/lib/$(MACH64)/libkdb5.so target=libkdb5.so.8.0 link path=usr/lib/$(MACH64)/libkdb5.so.8 target=libkdb5.so.8.0 file path=usr/lib/$(MACH64)/libkdb5.so.8.0 link path=usr/lib/$(MACH64)/libkrad.so target=libkrad.so.0.0 link path=usr/lib/$(MACH64)/libkrad.so.0 target=libkrad.so.0.0 file path=usr/lib/$(MACH64)/libkrad.so.0.0 -file path=usr/lib/$(MACH64)/libkrb5.so.1 +link path=usr/lib/$(MACH64)/libkrb5.so target=libkrb5.so.3.3 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/$(MACH64)/libkrb5.so.1 \ + target=../../kerberos5/$(COMPONENT_VERSION)/lib/$(MACH64)/libkrb5.so.1 \ + mediator=kerberos5 mediator-implementation=MIT link path=usr/lib/$(MACH64)/libkrb5.so.3 target=libkrb5.so.3.3 file path=usr/lib/$(MACH64)/libkrb5.so.3.3 link path=usr/lib/$(MACH64)/libkrb5support.so target=libkrb5support.so.0.1 @@ -145,33 +212,49 @@ dir path=usr/lib/krb5/plugins/libkrb5 dir path=usr/lib/krb5/plugins/preauth file path=usr/lib/krb5/plugins/preauth/otp.so -file path=usr/lib/krb5/plugins/preauth/pkinit.so +link path=usr/lib/krb5/plugins/preauth/pkinit.so \ + target=../../../../kerberos5/$(COMPONENT_VERSION)/lib/krb5/plugins/preauth/pkinit.so \ + mediator=kerberos5 mediator-implementation=MIT dir path=usr/lib/krb5/plugins/tls file path=usr/lib/krb5/plugins/tls/k5tls.so link path=usr/lib/libcom_err.so target=libcom_err.so.3.0 link path=usr/lib/libcom_err.so.3 target=libcom_err.so.3.0 file path=usr/lib/libcom_err.so.3.0 -file path=usr/lib/libgss.so.1 +link path=usr/lib/libgss.so target=libgssapi_krb5.so.2.2 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libgss.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libgss.so.1 \ + mediator=kerberos5 mediator-implementation=MIT link path=usr/lib/libgssapi_krb5.so target=libgssapi_krb5.so.2.2 link path=usr/lib/libgssapi_krb5.so.2 target=libgssapi_krb5.so.2.2 file path=usr/lib/libgssapi_krb5.so.2.2 link path=usr/lib/libk5crypto.so target=libk5crypto.so.3.1 link path=usr/lib/libk5crypto.so.3 target=libk5crypto.so.3.1 file path=usr/lib/libk5crypto.so.3.1 -file path=usr/lib/libkadm5clnt.so.1 -link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.10.0 -link path=usr/lib/libkadm5clnt_mit.so.10 target=libkadm5clnt_mit.so.10.0 -file path=usr/lib/libkadm5clnt_mit.so.10.0 -link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.10.0 -link path=usr/lib/libkadm5srv_mit.so.10 target=libkadm5srv_mit.so.10.0 -file path=usr/lib/libkadm5srv_mit.so.10.0 +link path=usr/lib/libkadm5clnt.so target=libkadm5clnt_mit.so \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkadm5clnt.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libkadm5clnt.so.1 \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/lib/libkadm5clnt_mit.so target=libkadm5clnt_mit.so.9.0 +link path=usr/lib/libkadm5clnt_mit.so.9 target=libkadm5clnt_mit.so.9.0 +file path=usr/lib/libkadm5clnt_mit.so.9.0 +link path=usr/lib/libkadm5srv.so target=libkadm5srv_mit.so mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkadm5srv_mit.so target=libkadm5srv_mit.so.9.0 +link path=usr/lib/libkadm5srv_mit.so.9 target=libkadm5srv_mit.so.9.0 +file path=usr/lib/libkadm5srv_mit.so.9.0 link path=usr/lib/libkdb5.so target=libkdb5.so.8.0 link path=usr/lib/libkdb5.so.8 target=libkdb5.so.8.0 file path=usr/lib/libkdb5.so.8.0 link path=usr/lib/libkrad.so target=libkrad.so.0.0 link path=usr/lib/libkrad.so.0 target=libkrad.so.0.0 file path=usr/lib/libkrad.so.0.0 -file path=usr/lib/libkrb5.so.1 +link path=usr/lib/libkrb5.so target=libkrb5.so.3.3 mediator=kerberos5 \ + mediator-implementation=MIT +link path=usr/lib/libkrb5.so.1 \ + target=../kerberos5/$(COMPONENT_VERSION)/lib/libkrb5.so.1 \ + mediator=kerberos5 mediator-implementation=MIT link path=usr/lib/libkrb5.so.3 target=libkrb5.so.3.3 file path=usr/lib/libkrb5.so.3.3 link path=usr/lib/libkrb5support.so target=libkrb5support.so.0.1 @@ -201,6 +284,12 @@ file path=usr/lib/pkgconfig/krb5.pc file path=usr/lib/pkgconfig/mit-krb5-gssapi.pc file path=usr/lib/pkgconfig/mit-krb5.pc +link path=usr/sbin/k5srvutil \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/k5srvutil \ + mediator=kerberos5 mediator-implementation=MIT +link path=usr/sbin/kadmin \ + target=../kerberos5/$(COMPONENT_VERSION)/bin/$(MACH64)/kadmin \ + mediator=kerberos5 mediator-implementation=MIT dir path=usr/share/et file path=usr/share/et/et_c.awk file path=usr/share/et/et_h.awk @@ -208,119 +297,266 @@ dir path=usr/share/examples/krb5 file path=usr/share/examples/krb5/services.append file path=usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo -file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.3lib -file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.3lib \ - mangler.man.stability="pass-through uncommitted" +link path=usr/share/man/3lib/libgss.3lib target=./libgss.mit.3lib \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/libgss.3lib path=usr/share/man/3lib/libgss.mit.3lib +link path=usr/share/man/3lib/libkrb5.3lib target=./libkrb5.mit.3lib \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/libkrb5.3lib path=usr/share/man/3lib/libkrb5.mit.3lib +link path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT file Solaris/man/ja_JP.UTF-8/kerberos.5 \ - path=usr/share/man/ja_JP.UTF-8/man5/kerberos.5 + path=usr/share/man/ja_JP.UTF-8/man5/kerberos.mit.5 +link path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \ + target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT file Solaris/man/ja_JP.UTF-8/krb5envvar.5 \ - path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.5 \ - mangler.man.stability="pass-through uncommitted" + path=usr/share/man/ja_JP.UTF-8/man5/krb5envvar.mit.5 +link path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 \ + target=./krb5_auth_rules.mit.7 mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/ja_JP.UTF-8/krb5_auth_rules.7 \ - path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.7 + path=usr/share/man/ja_JP.UTF-8/man7/krb5_auth_rules.mit.7 file path=usr/share/man/man1/k5srvutil.1 file path=usr/share/man/man1/kadmin.1 -file path=usr/share/man/man1/kdestroy.1 -file path=usr/share/man/man1/kinit.1 -file path=usr/share/man/man1/klist.1 -file path=usr/share/man/man1/kpasswd.1 -file path=usr/share/man/man1/krb5-config.1 \ - mangler.man.stability="pass-through uncommitted" +link path=usr/share/man/man1/kdestroy.1 target=./kdestroy.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/kdestroy.1 path=usr/share/man/man1/kdestroy.mit.1 +link path=usr/share/man/man1/kinit.1 target=./kinit.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/kinit.1 path=usr/share/man/man1/kinit.mit.1 +link path=usr/share/man/man1/klist.1 target=./klist.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/klist.1 path=usr/share/man/man1/klist.mit.1 +link path=usr/share/man/man1/kpasswd.1 target=./kpasswd.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/kpasswd.1 path=usr/share/man/man1/kpasswd.mit.1 +link path=usr/share/man/man1/krb5-config.1 target=./krb5-config.mit.1 \ + mediator=kerberos5 mediator-implementation=MIT +file usr/share/man/man1/krb5-config.1 path=usr/share/man/man1/krb5-config.mit.1 file path=usr/share/man/man1/kswitch.1 -file path=usr/share/man/man1/ktutil.1 -file path=usr/share/man/man1/kvno.1 +link path=usr/share/man/man1/ktutil.1 target=./ktutil.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/ktutil.1 path=usr/share/man/man1/ktutil.mit.1 +link path=usr/share/man/man1/kvno.1 target=./kvno.mit.1 mediator=kerberos5 \ + mediator-implementation=MIT +file usr/share/man/man1/kvno.1 path=usr/share/man/man1/kvno.mit.1 +link path=usr/share/man/man3gss/gss_accept_sec_context.3gss \ + target=./gss_accept_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_accept_sec_context.3gss \ - path=usr/share/man/man3gss/gss_accept_sec_context.3gss + path=usr/share/man/man3gss/gss_accept_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_acquire_cred.3gss \ + target=./gss_acquire_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_acquire_cred.3gss \ - path=usr/share/man/man3gss/gss_acquire_cred.3gss -file Solaris/man/gss_add_cred.3gss path=usr/share/man/man3gss/gss_add_cred.3gss + path=usr/share/man/man3gss/gss_acquire_cred.mit.3gss +link path=usr/share/man/man3gss/gss_add_cred.3gss \ + target=./gss_add_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT +file Solaris/man/gss_add_cred.3gss \ + path=usr/share/man/man3gss/gss_add_cred.mit.3gss +link path=usr/share/man/man3gss/gss_add_oid_set_member.3gss \ + target=./gss_add_oid_set_member.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_add_oid_set_member.3gss \ - path=usr/share/man/man3gss/gss_add_oid_set_member.3gss + path=usr/share/man/man3gss/gss_add_oid_set_member.mit.3gss +link path=usr/share/man/man3gss/gss_canonicalize_name.3gss \ + target=./gss_canonicalize_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_canonicalize_name.3gss \ - path=usr/share/man/man3gss/gss_canonicalize_name.3gss + path=usr/share/man/man3gss/gss_canonicalize_name.mit.3gss +link path=usr/share/man/man3gss/gss_compare_name.3gss \ + target=./gss_compare_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_compare_name.3gss \ - path=usr/share/man/man3gss/gss_compare_name.3gss + path=usr/share/man/man3gss/gss_compare_name.mit.3gss +link path=usr/share/man/man3gss/gss_context_time.3gss \ + target=./gss_context_time.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_context_time.3gss \ - path=usr/share/man/man3gss/gss_context_time.3gss + path=usr/share/man/man3gss/gss_context_time.mit.3gss +link path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss \ + target=./gss_create_empty_oid_set.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_create_empty_oid_set.3gss \ - path=usr/share/man/man3gss/gss_create_empty_oid_set.3gss + path=usr/share/man/man3gss/gss_create_empty_oid_set.mit.3gss +link path=usr/share/man/man3gss/gss_delete_sec_context.3gss \ + target=./gss_delete_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_delete_sec_context.3gss \ - path=usr/share/man/man3gss/gss_delete_sec_context.3gss + path=usr/share/man/man3gss/gss_delete_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_display_name.3gss \ + target=./gss_display_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_display_name.3gss \ - path=usr/share/man/man3gss/gss_display_name.3gss + path=usr/share/man/man3gss/gss_display_name.mit.3gss +link path=usr/share/man/man3gss/gss_display_status.3gss \ + target=./gss_display_status.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_display_status.3gss \ - path=usr/share/man/man3gss/gss_display_status.3gss + path=usr/share/man/man3gss/gss_display_status.mit.3gss +link path=usr/share/man/man3gss/gss_duplicate_name.3gss \ + target=./gss_duplicate_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_duplicate_name.3gss \ - path=usr/share/man/man3gss/gss_duplicate_name.3gss + path=usr/share/man/man3gss/gss_duplicate_name.mit.3gss +link path=usr/share/man/man3gss/gss_export_name.3gss \ + target=./gss_export_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_export_name.3gss \ - path=usr/share/man/man3gss/gss_export_name.3gss + path=usr/share/man/man3gss/gss_export_name.mit.3gss +link path=usr/share/man/man3gss/gss_export_sec_context.3gss \ + target=./gss_export_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_export_sec_context.3gss \ - path=usr/share/man/man3gss/gss_export_sec_context.3gss -file Solaris/man/gss_get_mic.3gss path=usr/share/man/man3gss/gss_get_mic.3gss + path=usr/share/man/man3gss/gss_export_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_get_mic.3gss target=./gss_get_mic.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_get_mic.3gss \ + path=usr/share/man/man3gss/gss_get_mic.mit.3gss +link path=usr/share/man/man3gss/gss_import_name.3gss \ + target=./gss_import_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_import_name.3gss \ - path=usr/share/man/man3gss/gss_import_name.3gss + path=usr/share/man/man3gss/gss_import_name.mit.3gss +link path=usr/share/man/man3gss/gss_import_sec_context.3gss \ + target=./gss_import_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_import_sec_context.3gss \ - path=usr/share/man/man3gss/gss_import_sec_context.3gss + path=usr/share/man/man3gss/gss_import_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_indicate_mechs.3gss \ + target=./gss_indicate_mechs.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_indicate_mechs.3gss \ - path=usr/share/man/man3gss/gss_indicate_mechs.3gss + path=usr/share/man/man3gss/gss_indicate_mechs.mit.3gss +link path=usr/share/man/man3gss/gss_init_sec_context.3gss \ + target=./gss_init_sec_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_init_sec_context.3gss \ - path=usr/share/man/man3gss/gss_init_sec_context.3gss + path=usr/share/man/man3gss/gss_init_sec_context.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_context.3gss \ + target=./gss_inquire_context.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_inquire_context.3gss \ - path=usr/share/man/man3gss/gss_inquire_context.3gss + path=usr/share/man/man3gss/gss_inquire_context.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_cred.3gss \ + target=./gss_inquire_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_inquire_cred.3gss \ - path=usr/share/man/man3gss/gss_inquire_cred.3gss + path=usr/share/man/man3gss/gss_inquire_cred.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss \ + target=./gss_inquire_cred_by_mech.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_inquire_cred_by_mech.3gss \ - path=usr/share/man/man3gss/gss_inquire_cred_by_mech.3gss + path=usr/share/man/man3gss/gss_inquire_cred_by_mech.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss \ + target=./gss_inquire_mechs_for_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_inquire_mechs_for_name.3gss \ - path=usr/share/man/man3gss/gss_inquire_mechs_for_name.3gss + path=usr/share/man/man3gss/gss_inquire_mechs_for_name.mit.3gss +link path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss \ + target=./gss_inquire_names_for_mech.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_inquire_names_for_mech.3gss \ - path=usr/share/man/man3gss/gss_inquire_names_for_mech.3gss + path=usr/share/man/man3gss/gss_inquire_names_for_mech.mit.3gss +link path=usr/share/man/man3gss/gss_oid_to_str.3gss \ + target=./gss_oid_to_str.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_oid_to_str.3gss \ - path=usr/share/man/man3gss/gss_oid_to_str.3gss + path=usr/share/man/man3gss/gss_oid_to_str.mit.3gss +link path=usr/share/man/man3gss/gss_process_context_token.3gss \ + target=./gss_process_context_token.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_process_context_token.3gss \ - path=usr/share/man/man3gss/gss_process_context_token.3gss + path=usr/share/man/man3gss/gss_process_context_token.mit.3gss +link path=usr/share/man/man3gss/gss_release_buffer.3gss \ + target=./gss_release_buffer.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_release_buffer.3gss \ - path=usr/share/man/man3gss/gss_release_buffer.3gss + path=usr/share/man/man3gss/gss_release_buffer.mit.3gss +link path=usr/share/man/man3gss/gss_release_cred.3gss \ + target=./gss_release_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_release_cred.3gss \ - path=usr/share/man/man3gss/gss_release_cred.3gss + path=usr/share/man/man3gss/gss_release_cred.mit.3gss +link path=usr/share/man/man3gss/gss_release_name.3gss \ + target=./gss_release_name.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_release_name.3gss \ - path=usr/share/man/man3gss/gss_release_name.3gss + path=usr/share/man/man3gss/gss_release_name.mit.3gss +link path=usr/share/man/man3gss/gss_release_oid.3gss \ + target=./gss_release_oid.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_release_oid.3gss \ - path=usr/share/man/man3gss/gss_release_oid.3gss + path=usr/share/man/man3gss/gss_release_oid.mit.3gss +link path=usr/share/man/man3gss/gss_release_oid_set.3gss \ + target=./gss_release_oid_set.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_release_oid_set.3gss \ - path=usr/share/man/man3gss/gss_release_oid_set.3gss + path=usr/share/man/man3gss/gss_release_oid_set.mit.3gss +link path=usr/share/man/man3gss/gss_store_cred.3gss \ + target=./gss_store_cred.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_store_cred.3gss \ - path=usr/share/man/man3gss/gss_store_cred.3gss + path=usr/share/man/man3gss/gss_store_cred.mit.3gss +link path=usr/share/man/man3gss/gss_str_to_oid.3gss \ + target=./gss_str_to_oid.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_str_to_oid.3gss \ - path=usr/share/man/man3gss/gss_str_to_oid.3gss + path=usr/share/man/man3gss/gss_str_to_oid.mit.3gss +link path=usr/share/man/man3gss/gss_test_oid_set_member.3gss \ + target=./gss_test_oid_set_member.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_test_oid_set_member.3gss \ - path=usr/share/man/man3gss/gss_test_oid_set_member.3gss -file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.3gss + path=usr/share/man/man3gss/gss_test_oid_set_member.mit.3gss +link path=usr/share/man/man3gss/gss_unwrap.3gss target=./gss_unwrap.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_unwrap.3gss path=usr/share/man/man3gss/gss_unwrap.mit.3gss +link path=usr/share/man/man3gss/gss_verify_mic.3gss \ + target=./gss_verify_mic.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_verify_mic.3gss \ - path=usr/share/man/man3gss/gss_verify_mic.3gss -file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.3gss + path=usr/share/man/man3gss/gss_verify_mic.mit.3gss +link path=usr/share/man/man3gss/gss_wrap.3gss target=./gss_wrap.mit.3gss \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_wrap.3gss path=usr/share/man/man3gss/gss_wrap.mit.3gss +link path=usr/share/man/man3gss/gss_wrap_size_limit.3gss \ + target=./gss_wrap_size_limit.mit.3gss mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/gss_wrap_size_limit.3gss \ - path=usr/share/man/man3gss/gss_wrap_size_limit.3gss -file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.3lib -file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.3lib \ - mangler.man.stability="pass-through uncommitted" + path=usr/share/man/man3gss/gss_wrap_size_limit.mit.3gss +file Solaris/man/libgss.3lib path=usr/share/man/man3lib/libgss.mit.3lib +file Solaris/man/libkrb5.3lib path=usr/share/man/man3lib/libkrb5.mit.3lib file path=usr/share/man/man5/.k5identity.5 file path=usr/share/man/man5/.k5login.5 -file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.5 +link path=usr/share/man/man5/gss_auth_rules.5 target=./gss_auth_rules.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/gss_auth_rules.5 path=usr/share/man/man5/gss_auth_rules.mit.5 file path=usr/share/man/man5/k5identity.5 file path=usr/share/man/man5/k5login.5 -file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.5 +link path=usr/share/man/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/kerberos.5 path=usr/share/man/man5/kerberos.mit.5 file path=usr/share/man/man5/krb5.conf.5 -file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.5 \ - mangler.man.stability="pass-through uncommitted" -file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.7 +link path=usr/share/man/man5/krb5envvar.5 target=./krb5envvar.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/krb5envvar.5 path=usr/share/man/man5/krb5envvar.mit.5 +link path=usr/share/man/man7/krb5_auth_rules.7 target=./krb5_auth_rules.mit.7 \ + mediator=kerberos5 mediator-implementation=MIT +file Solaris/man/krb5_auth_rules.7 path=usr/share/man/man7/krb5_auth_rules.mit.7 +link path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 target=./kerberos.mit.5 \ + mediator=kerberos5 mediator-implementation=MIT file Solaris/man/zh_CN.UTF-8/kerberos.5 \ - path=usr/share/man/zh_CN.UTF-8/man5/kerberos.5 + path=usr/share/man/zh_CN.UTF-8/man5/kerberos.mit.5 +link path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \ + target=./krb5envvar.mit.5 mediator=kerberos5 mediator-implementation=MIT file Solaris/man/zh_CN.UTF-8/krb5envvar.5 \ - path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.5 \ - mangler.man.stability="pass-through uncommitted" + path=usr/share/man/zh_CN.UTF-8/man5/krb5envvar.mit.5 +link path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 \ + target=./krb5_auth_rules.mit.7 mediator=kerberos5 \ + mediator-implementation=MIT file Solaris/man/zh_CN.UTF-8/krb5_auth_rules.7 \ - path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.7 + path=usr/share/man/zh_CN.UTF-8/man7/krb5_auth_rules.mit.7 dir path=var/krb5/rcache group=sys mode=1777 dir path=var/krb5/rcache/root group=sys mode=0700 revert-tag=clone-archive=* license krb5.license license="BSD, BSD-like (KerberosV5)"
--- a/components/krb5/patches/024-smb-compat.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/024-smb-compat.patch Sat May 14 15:38:32 2016 -0700 @@ -4,6 +4,7 @@ # stress testing. The CRs in order: # # 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_... +# 15648322 SUNBT6959251 coredump in gss_release_name+0x36 # 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID # 16005842 Should retry SMB authentication upgrade to account for network... # 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW.. @@ -67,15 +68,13 @@ code -= ERROR_TABLE_BASE_krb5; if (code < 0 || code > KRB_ERR_MAX) code = 60 /* KRB_ERR_GENERIC */; - -diff -pur new/src/lib/gssapi/spnego/spnego_mech.c patched/src/lib/gssapi/spnego/spnego_mech.c ---- new/src/lib/gssapi/spnego/spnego_mech.c 2016-02-29 11:50:13.000000000 -0800 -+++ patched/src/lib/gssapi/spnego/spnego_mech.c 2016-03-18 21:55:31.131280297 -0700 -@@ -191,7 +190,14 @@ static const gss_OID_set_desc spnego_oid +diff -ur krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c +--- krb5-1.13.3.023-mem-rcache.patch/src/lib/gssapi/spnego/spnego_mech.c ++++ krb5-1.13.3/src/lib/gssapi/spnego/spnego_mech.c +@@ -190,6 +190,13 @@ }; const gss_OID_set_desc * const gss_mech_set_spnego = spnego_oidsets+0; - static int make_NegHints(OM_uint32 *, gss_buffer_t *); +/* encoded OID octet string for NTLMSSP security mechanism */ +#define GSS_MECH_NTLMSSP_OID_LENGTH 10 +#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012" @@ -83,10 +82,19 @@ + GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID +}; + + static int make_NegHints(OM_uint32 *, spnego_gss_cred_id_t, gss_buffer_t *); static int put_neg_hints(unsigned char **, gss_buffer_t, unsigned int); static OM_uint32 - acc_ctx_hints(OM_uint32 *, gss_ctx_id_t *, spnego_gss_cred_id_t, -@@ -1325,6 +1387,7 @@ acc_ctx_new(OM_uint32 *minor_status, +@@ -1237,7 +1244,7 @@ + &hintNameBuf, + &hintNameType); + if (major_status != GSS_S_COMPLETE) { +- gss_release_name(&minor, &hintName); ++ gss_release_name(&minor, &hintKerberosName); + return (major_status); + } + gss_release_name(&minor, &hintKerberosName); +@@ -1380,6 +1387,7 @@ gss_buffer_desc der_mechTypes; gss_OID mech_wanted; spnego_gss_ctx_id_t sc = NULL; @@ -94,7 +102,7 @@ ret = GSS_S_DEFECTIVE_TOKEN; der_mechTypes.length = 0; -@@ -1348,6 +1411,24 @@ acc_ctx_new(OM_uint32 *minor_status, +@@ -1403,6 +1411,24 @@ goto cleanup; } /* @@ -119,15 +127,15 @@ * Select the best match between the list of mechs * that the initiator requested and the list that * the acceptor will support. -@@ -3072,6 +3163,7 @@ static OM_uint32 +@@ -3136,6 +3162,7 @@ + int found = 0; + OM_uint32 major_status = GSS_S_COMPLETE, tmpmin; gss_OID_set mechs, goodmechs; - gss_OID_set_desc except_attrs; - gss_OID_desc attr_oids[2]; + char *msinterop = getenv("MS_INTEROP"); - attr_oids[0] = *GSS_C_MA_DEPRECATED; - attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH; -@@ -3108,6 +3177,15 @@ get_available_mechs(OM_uint32 *minor_sta + major_status = gss_indicate_mechs(minor_status, &mechs); + +@@ -3150,6 +3177,15 @@ return (major_status); } @@ -143,7 +151,7 @@ for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) { if ((mechs->elements[i].length != spnego_mechanism.mech_type.length) || -@@ -3123,6 +3201,25 @@ get_available_mechs(OM_uint32 *minor_sta +@@ -3165,6 +3201,25 @@ } } @@ -169,7 +177,7 @@ /* * If the caller wanted a list of creds returned, * trim the list of mechanisms down to only those -@@ -3698,9 +3795,17 @@ negotiate_mech(gss_OID_set supported, gs +@@ -3740,9 +3795,17 @@ for (i = 0; i < received->count; i++) { gss_OID mech_oid = &received->elements[i];
--- a/components/krb5/patches/028-rpc-gss.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/028-rpc-gss.patch Sat May 14 15:38:32 2016 -0700 @@ -1897,9 +1897,9 @@ RELDIR=kadm5/clnt ##DOSBUILDTOP = ..\..\.. -diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c ---- no-028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:39:09.439503108 -0600 -+++ 028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:40:49.154436988 -0600 +diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- old/src/lib/kadm5/clnt/client_init.c ++++ new/src/lib/kadm5/clnt/client_init.c @@ -44,12 +44,12 @@ #include <iprop_hdr.h> #include "iprop.h" @@ -1915,7 +1915,7 @@ enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; -@@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex +@@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex server_handle); } @@ -2096,7 +2096,6 @@ + enum clnt_stat rpc_err_code; + char *server; + int port; -+ struct timeval timeout; + + /* service name is service/host */ + server = strpbrk(service_name, "/"); @@ -2158,11 +2157,6 @@ + if (iprop_svc) + free(iprop_svc); + -+ /* Set a one-hour timeout. */ -+ timeout.tv_sec = 3600; -+ timeout.tv_usec = 0; -+ (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); -+ + handle->lhandle->clnt = handle->clnt; + + /* now that handle->clnt is set, we can check the handle */ @@ -2302,14 +2296,7 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli - rpcvers_t rpc_vers; - krb5_ccache ccache; - krb5_principal client = NULL, server = NULL; -- struct timeval timeout; - - kadm5_server_handle_t handle; - kadm5_config_params params_local; +@@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli int code = 0; generic_ret *r; @@ -2317,7 +2304,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli +@@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli if (code) goto error; @@ -2366,12 +2353,6 @@ + strncpy(svcname, svcname_in, sizeof(svcname)); + svcname[sizeof(svcname)-1] = '\0'; } - -- /* Set a one-hour timeout. */ -- timeout.tv_sec = 3600; -- timeout.tv_usec = 0; -- (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); -- - handle->client_socket = fd; - handle->lhandle->clnt = handle->clnt; - handle->lhandle->client_socket = fd; @@ -2379,7 +2360,7 @@ - /* now that handle->clnt is set, we can check the handle */ - if ((code = _kadm5_check_handle((void *) handle))) - goto error; -- + - /* - * The RPC connection is open; establish the GSS-API - * authentication context. @@ -2438,7 +2419,7 @@ goto error; } -@@ -364,31 +662,17 @@ cleanup: +@@ -357,31 +656,17 @@ cleanup: return code; } @@ -2472,7 +2453,7 @@ /* * Acquire a service ticket for svcname@realm for client, using password * pass (which could be NULL), and create a ccache to store them in. If -@@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han +@@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, server_out); @@ -2485,7 +2466,7 @@ /* Improved error messages */ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) -@@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k +@@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k gss_cred_id_t gss_client_creds, gss_name_t gss_target) { OM_uint32 gssstat, minor_stat; @@ -2512,7 +2493,7 @@ struct rpc_gss_sec sec; /* Allow unauthenticated option for testing. */ -@@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k +@@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0, NULL, NULL, NULL); @@ -2520,6 +2501,7 @@ } kadm5_ret_t +diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c --- old/src/lib/kadm5/clnt/client_principal.c +++ new/src/lib/kadm5/clnt/client_principal.c @@ -5,7 +5,7 @@ @@ -2955,10 +2937,10 @@ (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, (caddr_t)&clnt_res, full_resync_timeout); if (status == RPC_PROCUNAVAIL) { -diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in ---- new/src/tests/misc/Makefile.in 2016-02-29 11:50:13.000000000 -0800 -+++ patched.1/src/tests/misc/Makefile.in 2016-03-19 08:15:59.222125882 -0700 -@@ -12,19 +12,17 @@ SRCS=\ +diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in +--- old/src/tests/misc/Makefile.in ++++ new/src/tests/misc/Makefile.in +@@ -12,18 +12,16 @@ SRCS=\ $(srcdir)/test_cxx_krb5.cpp \ $(srcdir)/test_cxx_k5int.cpp \ $(srcdir)/test_cxx_gss.cpp \ @@ -2969,16 +2951,15 @@ -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 - $(RUN_TEST) ./test_getpw - $(RUN_TEST) ./test_chpw_message - $(RUN_TEST) ./test_cxx_krb5 - $(RUN_TEST) ./test_cxx_k5int - $(RUN_TEST) ./test_cxx_gss -- $(RUN_TEST) ./test_cxx_rpc - $(RUN_TEST) ./test_cxx_kadm5 + $(RUN_SETUP) $(VALGRIND) ./test_getpw + $(RUN_SETUP) $(VALGRIND) ./test_chpw_message + $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 + $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int + $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss +- $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc + $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) - $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB) @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) @@ -3000,9 +2981,9 @@ + $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py ---- old/src/tests/t_iprop.py 2016-02-29 11:50:13.000000000 -0800 -+++ new/src/tests/t_iprop.py 2016-04-08 11:08:10.225701596 -0700 -@@ -1,44 +1,35 @@ +--- old/src/tests/t_iprop.py ++++ new/src/tests/t_iprop.py +@@ -1,50 +1,35 @@ #!/usr/bin/python import os @@ -3016,7 +2997,7 @@ -def wait_for_prop(kpropd, full_expected, expected_old, expected_new): +def wait_for_prop(kpropd, full_expected): output('*** Waiting for sync from kpropd\n') -- full_seen = sleep_seen = False +- full_seen = sleep_seen = prodded_after_dump = False - old_sno = new_sno = -1 + full_seen = False while True: @@ -3052,14 +3033,19 @@ - sleep_seen = True if 'load process for full propagation completed' in line: full_seen = True +- if sleep_seen and full_seen and not prodded_after_dump: +- # Prod the kpropd parent into getting incrementals after +- # it finishes a DB load. This will be unnecessary if +- # kpropd is simplified to use a single process. + # kpropd's child process has finished a DB load; make the parent + # do another iprop request. This will be unnecessary if kpropd + # is simplified to use a single process. -+ kpropd.send_signal(signal.SIGUSR1) + kpropd.send_signal(signal.SIGUSR1) +- prodded_after_dump = True # Detect some failure conditions. if 'Still waiting for full resync' in line: -@@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected, +@@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected, if 'invalid return' in line: fail('kadmind returned invalid result') @@ -3109,13 +3095,7 @@ - m = re.match(r'\tUpdate principal : (.*)$', line) - if m: - eprinc = entries[ser - first] -- if eprinc == None: -- fail('Expected dummy update entry %d' % ser) -- elif m.group(1) != eprinc: -- fail('Expected princ %s in update entry %d' % (eprinc, ser)) -- if line == '\tDummy entry': -- eprinc = entries[ser - first] -- if eprinc != None: +- if m.group(1) != eprinc: - fail('Expected princ %s in update entry %d' % (eprinc, ser)) - -# slave1 will receive updates from master, and slave2 will receive @@ -3178,8 +3158,11 @@ ulog = os.path.join(realm.testdir, 'db.ulog') if not os.path.exists(ulog): -@@ -155,234 +76,114 @@ if not os.path.exists(ulog): +@@ -153,209 +74,117 @@ if not os.path.exists(ulog): + + # Create the principal used to authenticate kpropd to kadmind. kiprop_princ = 'kiprop/' + hostname ++realm.addprinc(kiprop_princ) realm.extract_keytab(kiprop_princ, realm.keytab) -# Create the initial slave1 and slave2 databases. @@ -3194,7 +3177,7 @@ -# Reinitialize the master ulog so we know exactly what to expect in -# it. -realm.run([kproplog, '-R']) --check_ulog(1, 1, 1, [None]) +-check_ulog(0, 0, 0, []) +# Make some changes to the master db. +realm.addprinc('wakawaka') +# Add a principal enough to make realloc likely, but not enough to grow @@ -3204,24 +3187,24 @@ +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c +realm.addprinc(longname) +realm.addprinc('w') -+realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) -+realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) ++realm.run_kadminl('modprinc -allow_tix w') ++realm.run_kadminl('modprinc +allow_tix w') -# Make some changes to the master DB. -realm.addprinc(pr1) -realm.addprinc(pr3) -realm.addprinc(pr2) --realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) --realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) --check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2]) +-realm.run_kadminl('modprinc -allow_tix ' + pr2) +-realm.run_kadminl('modprinc +allow_tix ' + pr2) +-check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2]) - -# Start kpropd for slave1 and get a full dump from master. -kpropd1 = realm.start_kpropd(slave1, ['-d']) --wait_for_prop(kpropd1, True, 1, 6) --out = realm.run([kadminl, 'listprincs'], env=slave1) +-wait_for_prop(kpropd1, True, 0, 5) +-out = realm.run_kadminl('listprincs', slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave1 does not have all principals from master') --check_ulog(1, 6, 6, [None], slave1) +-check_ulog(0, 0, 5, [], slave1) +check_serial(realm, '7') + +# Set up the kpropd acl file. @@ -3233,23 +3216,23 @@ +# Start kpropd and get a full dump from master. +kpropd = realm.start_kpropd(slave, ['-d']) +wait_for_prop(kpropd, True) -+out = realm.run([kadminl, 'listprincs'], env=slave) ++out = realm.run_kadminl('listprincs', slave) +if longname not in out or 'wakawaka' not in out or 'w@' not in out: + fail('Slave does not have all principals from master') # Make a change and check that it propagates incrementally. --realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) --check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2]) +-realm.run_kadminl('modprinc -allow_tix ' + pr2) +-check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 6, 7) --check_ulog(2, 6, 7, [None, pr2], slave1) --out = realm.run([kadminl, 'getprinc', pr2], env=slave1) -+realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) +-wait_for_prop(kpropd1, False, 5, 6) +-check_ulog(1, 6, 6, [pr2], slave1) +-out = realm.run_kadminl('getprinc ' + pr2, slave1) ++realm.run_kadminl('modprinc -allow_tix w') +check_serial(realm, '8') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '8', slave) -+out = realm.run([kadminl, 'getprinc', 'w'], env=slave) ++out = realm.run_kadminl('getprinc w', slave) if 'Attributes: DISALLOW_ALL_TIX' not in out: - fail('slave1 does not have modification from master') + fail('Slave does not have modification from master') @@ -3271,26 +3254,26 @@ -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, - '-f', slave2_in_dump_path, '-p', kdb5_util, - '-a', acl_file, '-A', hostname], 'ready', slave2) --wait_for_prop(kpropd2, True, 1, 7) --check_ulog(1, 7, 7, [None], slave2) --out = realm.run([kadminl, 'listprincs'], env=slave1) +-wait_for_prop(kpropd2, True, 0, 6) +-check_ulog(0, 0, 6, [], slave2) +-out = realm.run_kadminl('listprincs', slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave2 does not have all principals from slave1') - -# Make another change and check that it propagates incrementally to -# both slaves. --realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1]) --check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1]) +-realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1) +-check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 7, 8) --check_ulog(3, 6, 8, [None, pr2, pr1], slave1) --out = realm.run([kadminl, 'getprinc', pr1], env=slave1) +-wait_for_prop(kpropd1, False, 6, 7) +-check_ulog(2, 6, 7, [pr2, pr1], slave1) +-out = realm.run_kadminl('getprinc ' + pr1, slave1) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 7, 8) --check_ulog(2, 7, 8, [None, pr1], slave2) --out = realm.run([kadminl, 'getprinc', pr1], env=slave2) +-wait_for_prop(kpropd2, False, 6, 7) +-check_ulog(1, 7, 7, [pr1], slave2) +-out = realm.run_kadminl('getprinc ' + pr1, slave2) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave2 does not have modification from slave1') - @@ -3299,34 +3282,34 @@ -# slave2 should still be in sync with slave1 after the resync, so make -# sure it doesn't take a full resync. -realm.run([kproplog, '-R'], slave1) --check_ulog(1, 1, 1, [None], slave1) +-check_ulog(0, 0, 0, [], slave1) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 1, 8) --check_ulog(3, 6, 8, [None, pr2, pr1], slave1) +-wait_for_prop(kpropd1, True, 0, 7) +-check_ulog(2, 6, 7, [pr2, pr1], slave1) -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 8, 8) --check_ulog(2, 7, 8, [None, pr1], slave2) +-wait_for_prop(kpropd2, False, 7, 7) +-check_ulog(1, 7, 7, [pr1], slave2) - -# Make another change and check that it propagates incrementally to -# both slaves. +# Make another change and check that it propagates incrementally. - realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) --check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) + realm.run_kadminl('modprinc +allow_tix w') +-check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 8, 9) --check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1) --out = realm.run([kadminl, 'getprinc', pr2], env=slave1) +-wait_for_prop(kpropd1, False, 7, 8) +-check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1) +-out = realm.run_kadminl('getprinc ' + pr2, slave1) +check_serial(realm, '9') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '9', slave) -+out = realm.run([kadminl, 'getprinc', 'w'], env=slave) ++out = realm.run_kadminl('getprinc w', slave) if 'Attributes:\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 8, 9) --check_ulog(3, 7, 9, [None, pr1, pr2], slave2) --out = realm.run([kadminl, 'getprinc', pr2], env=slave2) +-wait_for_prop(kpropd2, False, 7, 8) +-check_ulog(2, 7, 8, [pr1, pr2], slave2) +-out = realm.run_kadminl('getprinc ' + pr2, slave2) + fail('Slave does not have modification from master') + +# Reset the ulog on the slave side to force a full resync to the slave. @@ -3337,111 +3320,116 @@ +check_serial(realm, '9', slave) + +# Make another change and check that it propagates incrementally. -+realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) ++realm.run_kadminl('modprinc +allow_tix w') +check_serial(realm, '10') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, False) +check_serial(realm, '10', slave) -+out = realm.run([kadminl, 'getprinc', 'w'], env=slave) ++out = realm.run_kadminl('getprinc w', slave) if 'Attributes:\n' not in out: - fail('slave2 does not have modification from slave1') + fail('Slave has different state from master') # Create a policy and check that it propagates via full resync. - realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) --check_ulog(1, 1, 1, [None]) + realm.run_kadminl('addpol -minclasses 2 testpol') +-check_ulog(0, 0, 0, []) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 9, 1) --check_ulog(1, 1, 1, [None], slave1) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) +-wait_for_prop(kpropd1, True, 8, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) ++out = realm.run_kadminl('getpol testpol', slave) if 'Minimum number of password character classes: 2' not in out: - fail('slave1 does not have policy from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 9, 1) --check_ulog(1, 1, 1, [None], slave2) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) +-wait_for_prop(kpropd2, True, 8, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) -if 'Minimum number of password character classes: 2' not in out: - fail('slave2 does not have policy from slave1') + fail('Slave does not have policy from master') # Modify the policy and test that it also propagates via full resync. - realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) --check_ulog(1, 1, 1, [None]) + realm.run_kadminl('modpol -minlength 17 testpol') +-check_ulog(0, 0, 0, []) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 1, 1) --check_ulog(1, 1, 1, [None], slave1) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) +-wait_for_prop(kpropd1, True, 0, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) -if 'Minimum password length: 17' not in out: - fail('slave1 does not have policy change from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 1, 1) --check_ulog(1, 1, 1, [None], slave2) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) +-wait_for_prop(kpropd2, True, 0, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) ++out = realm.run_kadminl('getpol testpol', slave) if 'Minimum password length: 17' not in out: - fail('slave2 does not have policy change from slave1') + fail('Slave does not have policy change from master') # Delete the policy and test that it propagates via full resync. --realm.run([kadminl, 'delpol', 'testpol']) --check_ulog(1, 1, 1, [None]) + realm.run_kadminl('delpol -force testpol') +-check_ulog(0, 0, 0, []) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 1, 1) --check_ulog(1, 1, 1, [None], slave1) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1) -+realm.run([kadminl, 'delpol', '-force', 'testpol']) +-wait_for_prop(kpropd1, True, 0, 0) +-check_ulog(0, 0, 0, [], slave1) +-out = realm.run_kadminl('getpol testpol', slave1) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) +check_serial(realm, 'None', slave) -+out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1) ++out = realm.run_kadminl('getpol testpol', slave) if 'Policy does not exist' not in out: - fail('slave1 did not get policy deletion from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 1, 1) --check_ulog(1, 1, 1, [None], slave2) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1) +-wait_for_prop(kpropd2, True, 0, 0) +-check_ulog(0, 0, 0, [], slave2) +-out = realm.run_kadminl('getpol testpol', slave2) -if 'Policy does not exist' not in out: - fail('slave2 did not get policy deletion from slave1') - --# Modify a principal on the master and test that it propagates incrementally. --realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1]) --check_ulog(2, 1, 2, [None, pr1]) +-# Modify a principal on the master and test that it propagates via +-# full resync. (The master's ulog does not remember the timestamp it +-# had at serial number 0, so it does not know that an incremental +-# propagation is possible.) +-realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1) +-check_ulog(1, 1, 1, [pr1]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 1, 2) --check_ulog(2, 1, 2, [None, pr1], slave1) --out = realm.run([kadminl, 'getprinc', pr1], env=slave1) +-wait_for_prop(kpropd1, True, 0, 1) +-check_ulog(0, 0, 1, [], slave1) +-out = realm.run_kadminl('getprinc ' + pr1, slave1) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 1, 2) --check_ulog(2, 1, 2, [None, pr1], slave2) --out = realm.run([kadminl, 'getprinc', pr1], env=slave2) +-wait_for_prop(kpropd2, True, 0, 1) +-check_ulog(0, 0, 1, [], slave2) +-out = realm.run_kadminl('getprinc ' + pr1, slave2) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave2 does not have modification from slave1') - --# Delete a principal and test that it propagates incrementally. --realm.run([kadminl, 'delprinc', pr3]) --check_ulog(3, 1, 3, [None, pr1, pr3]) +-# Delete a principal and test that it propagates incrementally to +-# slave1. slave2 needs another full resync because slave1 no longer +-# has serial number 1 in its ulog after processing its first +-# incremental update. +-realm.run_kadminl('delprinc -force ' + pr3) +-check_ulog(2, 1, 2, [pr1, pr3]) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, False, 2, 3) --check_ulog(3, 1, 3, [None, pr1, pr3], slave1) --out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1) +-wait_for_prop(kpropd1, False, 1, 2) +-check_ulog(1, 2, 2, [pr3], slave1) +-out = realm.run_kadminl('getprinc ' + pr3, slave1) -if 'Principal does not exist' not in out: - fail('slave1 does not have principal deletion from master') -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, False, 2, 3) --check_ulog(3, 1, 3, [None, pr1, pr3], slave2) --out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1) +-wait_for_prop(kpropd2, True, 1, 2) +-check_ulog(0, 0, 2, [], slave2) +-out = realm.run_kadminl('getprinc ' + pr3, slave2) -if 'Principal does not exist' not in out: - fail('slave2 does not have principal deletion from slave1') + fail('Slave did not get policy deletion from master') @@ -3451,46 +3439,13 @@ +# XXX Note that we only have one slave in this test, so we can't really +# test this. realm.run([kproplog, '-R']) --check_ulog(1, 1, 1, [None]) +-check_ulog(0, 0, 0, []) -kpropd1.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd1, True, 3, 1) --check_ulog(1, 1, 1, [None], slave1) +-wait_for_prop(kpropd1, True, 2, 0) +-check_ulog(0, 0, 0, [], slave1) -kpropd2.send_signal(signal.SIGUSR1) --wait_for_prop(kpropd2, True, 3, 1) --check_ulog(1, 1, 1, [None], slave2) -- --# Stop the kprop daemons so we can test kpropd -t. --stop_daemon(kpropd1) --stop_daemon(kpropd2) -- --# Test the case where no updates are needed. --out = realm.run_kpropd_once(slave1, ['-d']) --if 'KDC is synchronized' not in out: -- fail('Expected synchronized from kpropd -t') --check_ulog(1, 1, 1, [None], slave1) -- --# Make a change on the master and fetch it incrementally. --realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1]) --check_ulog(2, 1, 2, [None, pr1]) --out = realm.run_kpropd_once(slave1, ['-d']) --if 'Got incremental updates (sno=2 ' not in out: -- fail('Expected full dump and synchronized from kpropd -t') --check_ulog(2, 1, 2, [None, pr1], slave1) --out = realm.run([kadminl, 'getprinc', pr1], env=slave1) --if 'Maximum ticket life: 0 days 00:05:00' not in out: -- fail('slave1 does not have modification from master after kpropd -t') -- --# Propagate a policy change via full resync. --realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol']) --check_ulog(1, 1, 1, [None]) --out = realm.run_kpropd_once(slave1, ['-d']) --if ('Full propagation transfer finished' not in out or -- 'KDC is synchronized' not in out): -- fail('Expected full dump and synchronized from kpropd -t') --check_ulog(1, 1, 1, [None], slave1) --out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) --if 'Minimum number of password character classes: 3' not in out: -- fail('slave1 does not have policy from master after kpropd -t') +-wait_for_prop(kpropd2, True, 2, 0) +-check_ulog(0, 0, 0, [], slave2) +check_serial(realm, 'None') +kpropd.send_signal(signal.SIGUSR1) +wait_for_prop(kpropd, True) @@ -3534,15 +3489,3 @@ '-c', self.kadmin_ccache] + flags) def run_kadmin(self, query, **keywords): -/usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py ---- old/src/tests/t_ccache.py 2016-04-08 09:50:18.104351949 -0700 -+++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700 -@@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password(' - realm.run([klist, '-s']) - realm.kinit(realm.user_princ, password('user'), ['-l', '-1s']) - realm.run([klist, '-s'], expected_code=1) --realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin']) -+realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw']) - realm.run([klist, '-s']) - realm.run([kdestroy]) - realm.run([klist, '-s'], expected_code=1)
--- a/components/krb5/patches/029-kadmin_disable_anonymity.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/029-kadmin_disable_anonymity.patch Sat May 14 15:38:32 2016 -0700 @@ -24,8 +24,8 @@ } while ((optchar = getopt(argc, argv, -- "+x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { -+ "+x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { +- "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { ++ "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { switch (optchar) { case 'x': db_args_size++; @@ -64,31 +64,35 @@ Use \fIcredentials_cache\fP as the credentials cache. The cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py ---- new/src/tests/t_pkinit.py 2016-02-29 11:50:13.000000000 -0800 -+++ patched.1/src/tests/t_pkinit.py 2016-03-19 08:15:59.287791038 -0700 -@@ -73,15 +73,16 @@ if '97:' in out: - fail('auth indicators seen in anonymous PKINIT ticket') +--- old/src/tests/t_pkinit.py 2015-02-11 19:16:43.000000000 -0800 ++++ new/src/tests/t_pkinit.py 2015-03-05 09:09:09.690228292 -0800 +@@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/ANONYMOUS@WELLKNO + realm.run([kvno, realm.host_princ]) # Test anonymous kadmin. -f = open(os.path.join(realm.testdir, 'acl'), 'a') -f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') -f.close() -realm.start_kadmind() --realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd']) --out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1) +-out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) +-if 'created.' not in out: +- fail('Could not create principal with anonymous kadmin') +-out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) -if "Operation requires ``get'' privilege" not in out: - fail('Anonymous kadmin has too much privilege') -realm.stop_kadmind() ++sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); +#f = open(os.path.join(realm.testdir, 'acl'), 'a') +#f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') +#f.close() +#realm.start_kadmind() -+#realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd']) -+#out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1) ++#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) ++#if 'created.' not in out: ++# fail('Could not create principal with anonymous kadmin') ++#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) +#if "Operation requires ``get'' privilege" not in out: +# fail('Anonymous kadmin has too much privilege') +#realm.stop_kadmind() -+sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); # Test with anonymous restricted; FAST should work but kvno should fail. r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)
--- a/components/krb5/patches/032-pam-krb5.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/032-pam-krb5.patch Sat May 14 15:38:32 2016 -0700 @@ -14,8 +14,8 @@ # Patch source: in-house # diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c ---- no-032/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:25:17.265078167 -0600 -+++ 032/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:27:42.301681052 -0600 +--- old/src/lib/kadm5/clnt/client_init.c 2015-04-30 01:12:10.579373279 -0600 ++++ new/src/lib/kadm5/clnt/client_init.c 2015-05-26 23:38:41.638267439 -0600 @@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm { int code = 0; @@ -25,9 +25,9 @@ char *iprop_svc; boolean_t iprop_enable = B_FALSE; char mech[] = "kerberos_v5"; -@@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm +@@ -316,15 +316,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm + char *server; int port; - struct timeval timeout; - /* service name is service/host */ - server = strpbrk(service_name, "/"); @@ -44,7 +44,7 @@ iprop_svc = strdup(KIPROP_SVC_NAME); if (iprop_svc == NULL) -@@ -516,7 +514,7 @@ cleanup: +@@ -510,7 +508,7 @@ cleanup: static kadm5_ret_t init_any(krb5_context context, char *client_name, enum init_type init_type, @@ -53,7 +53,7 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -534,7 +532,6 @@ init_any(krb5_context context, char *cli +@@ -528,7 +526,6 @@ init_any(krb5_context context, char *cli int code = 0; generic_ret *r; @@ -61,7 +61,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -603,15 +600,19 @@ init_any(krb5_context context, char *cli +@@ -597,15 +594,19 @@ init_any(krb5_context context, char *cli goto error; /* NULL svcname means use host-based. */ @@ -88,7 +88,7 @@ } /* Get credentials. */ -@@ -666,14 +667,52 @@ cleanup: +@@ -660,14 +661,52 @@ cleanup: static kadm5_ret_t get_init_creds(kadm5_server_handle_t handle, krb5_principal client, enum init_type init_type, char *pass, krb5_ccache ccache_in, @@ -142,7 +142,7 @@ * Acquire a service ticket for svcname@realm for client, using password * pass (which could be NULL), and create a ccache to store them in. If * INIT_CREDS, use the ccache we were provided instead. -@@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t han +@@ -702,7 +741,7 @@ get_init_creds(kadm5_server_handle_t han } handle->lhandle->cache_name = handle->cache_name;
--- a/components/krb5/patches/035-multi-master.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/035-multi-master.patch Sat May 14 15:38:32 2016 -0700 @@ -8,10 +8,10 @@ # should look at modifying/deleting this patch. # Patch source: in-house # -diff -pur new/src/kadmin/cli/kadmin.c old/src/kadmin/cli/kadmin.c ---- old/src/kadmin/cli/kadmin.c 2016-03-31 16:44:43.282366236 -0700 -+++ patched/src/kadmin/cli/kadmin.c 2016-03-31 19:24:20.929551275 -0700 -@@ -255,7 +255,7 @@ kadmin_startup(int argc, char *argv[], c +diff -u -r old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c +--- old/src/kadmin/cli/kadmin.c 2015-05-28 15:10:45.129616302 -0500 ++++ new/src/kadmin/cli/kadmin.c 2015-05-29 13:32:41.901105712 -0500 +@@ -268,7 +268,7 @@ char **db_args = NULL; int db_args_size = 0; char *db_name = NULL; @@ -20,7 +20,7 @@ memset(¶ms, 0, sizeof(params)); -@@ -370,11 +370,6 @@ kadmin_startup(int argc, char *argv[], c +@@ -380,11 +380,6 @@ params.mask |= KADM5_CONFIG_REALM; params.realm = def_realm; @@ -32,35 +32,36 @@ /* * Set cc to an open credentials cache, either specified by the -c * argument or the default. -@@ -503,13 +498,14 @@ kadmin_startup(int argc, char *argv[], c +@@ -515,13 +510,15 @@ if (ccache_name) { - info(_("Authenticating as principal %s with existing " - "credentials.\n"), princstr); + printf(_("Authenticating as principal %s with existing " + "credentials.\n"), princstr); - retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, + retval = kadm5_init_with_creds_mm(context, princstr, cc, svcnames, + ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else if (use_anonymous) { - info(_("Authenticating as principal %s with password; " - "anonymous requested.\n"), princstr); + printf(_("Authenticating as principal %s with password; " + "anonymous requested.\n"), princstr); - retval = kadm5_init_anonymous(context, princstr, svcname, ¶ms, -+ retval = kadm5_init_anonymous_mm(context, princstr, svcnames, ¶ms, ++ retval = kadm5_init_anonymous_mm(context, princstr, svcnames, ++ ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else if (use_keytab) { -@@ -520,17 +516,20 @@ kadmin_startup(int argc, char *argv[], c - info(_("Authenticating as principal %s with default keytab.\n"), - princstr); - } +@@ -531,17 +528,20 @@ + else + printf(_("Authenticating as principal %s with default keytab.\n"), + princstr); - retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname, + retval = kadm5_init_with_skey_mm(context, princstr, keytab_name, + svcnames, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, db_args, &handle); } else { - info(_("Authenticating as principal %s with password.\n"), - princstr); + printf(_("Authenticating as principal %s with password.\n"), + princstr); - retval = kadm5_init_with_password(context, princstr, password, svcname, + retval = kadm5_init_with_password_mm(context, princstr, password, + svcnames, @@ -127,10 +128,10 @@ kadm5_ret_t kadm5_lock(void *server_handle); kadm5_ret_t kadm5_unlock(void *server_handle); kadm5_ret_t kadm5_flush(void *server_handle); -/usr/gnu/bin/diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c ---- unpatched/src/lib/kadm5/clnt/client_init.c 2016-03-28 00:19:36.988270188 -0600 -+++ patched/src/lib/kadm5/clnt/client_init.c 2016-03-28 13:12:43.769371355 -0600 -@@ -55,7 +55,7 @@ enum init_type { INIT_PASS, INIT_SKEY, I +diff -u -r old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c +--- old/src/lib/kadm5/clnt/client_init.c 2015-05-28 15:10:45.192975632 -0500 ++++ new/src/lib/kadm5/clnt/client_init.c 2015-06-02 10:33:51.639341637 -0500 +@@ -55,7 +55,7 @@ static kadm5_ret_t init_any(krb5_context context, char *client_name, enum init_type init_type, @@ -139,7 +140,7 @@ kadm5_config_params *params, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle); -@@ -87,8 +87,25 @@ kadm5_init_with_creds(krb5_context conte +@@ -87,8 +87,25 @@ krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -166,7 +167,7 @@ server_handle); } -@@ -99,7 +116,24 @@ kadm5_init_with_password(krb5_context co +@@ -99,7 +116,24 @@ krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -192,7 +193,7 @@ params, struct_version, api_version, db_args, server_handle); } -@@ -110,8 +144,24 @@ kadm5_init_anonymous(krb5_context contex +@@ -110,8 +144,24 @@ krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -218,7 +219,7 @@ db_args, server_handle); } -@@ -121,7 +171,23 @@ kadm5_init(krb5_context context, char *c +@@ -121,7 +171,23 @@ krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -243,7 +244,7 @@ params, struct_version, api_version, db_args, server_handle); } -@@ -133,8 +199,25 @@ kadm5_init_with_skey(krb5_context contex +@@ -133,8 +199,25 @@ krb5_ui_4 api_version, char **db_args, void **server_handle) { @@ -270,7 +271,7 @@ server_handle); } -@@ -339,7 +422,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm +@@ -338,7 +421,7 @@ } /* @@ -279,7 +280,7 @@ * - if iprop_port is configured, connect to iprop_port * - if not, query remote rpc/bind * - if that fails, try consuming iprop service on kadmin port -@@ -512,9 +595,35 @@ cleanup: +@@ -506,9 +589,35 @@ return (code); } @@ -316,7 +317,7 @@ kadm5_config_params *params_in, krb5_ui_4 struct_version, krb5_ui_4 api_version, char **db_args, void **server_handle) { -@@ -532,6 +641,10 @@ init_any(krb5_context context, char *cli +@@ -526,6 +635,10 @@ int code = 0; generic_ret *r; @@ -327,7 +328,7 @@ initialize_ovk_error_table(); /* initialize_adb_error_table(); */ -@@ -599,34 +712,56 @@ init_any(krb5_context context, char *cli +@@ -593,34 +706,56 @@ if (code) goto error; @@ -406,7 +407,7 @@ *server_handle = (void *) handle; goto cleanup; -@@ -659,6 +794,8 @@ cleanup: +@@ -653,6 +788,8 @@ krb5_free_principal(handle->context, server); if (code) free(handle); @@ -415,7 +416,7 @@ return code; } -@@ -671,46 +808,43 @@ get_init_creds(kadm5_server_handle_t han +@@ -665,46 +802,43 @@ { kadm5_ret_t code; krb5_ccache ccache = NULL; @@ -493,7 +494,7 @@ /* * Acquire a service ticket for svcname@realm for client, using password -@@ -747,7 +881,7 @@ get_init_creds(kadm5_server_handle_t han +@@ -741,7 +875,7 @@ } handle->lhandle->cache_name = handle->cache_name;
--- a/components/krb5/patches/036-verify-nofail.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/036-verify-nofail.patch Sat May 14 15:38:32 2016 -0700 @@ -21,8 +21,8 @@ if (*argv != NULL) check(krb5_parse_name(context, *argv, &princ)); diff -pur old/src/lib/krb5/krb/t_vfy_increds.py new/src/lib/krb5/krb/t_vfy_increds.py ---- old/src/lib/krb5/krb/t_vfy_increds.py 2016-03-31 16:44:48.483714940 -0700 -+++ patched/src/lib/krb5/krb/t_vfy_increds.py 2016-03-31 19:34:30.816360770 -0700 +--- old/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 14:42:17.100176857 -0600 ++++ new/src/lib/krb5/krb/t_vfy_increds.py 2015-05-28 18:03:03.977698328 -0600 @@ -53,29 +53,31 @@ realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n']) @@ -55,8 +55,8 @@ -# default (succeeding unless nofail is set), but should verify with it +# default (succeeding only when nofail is unset), but should verify with it # when it is specifically requested. - realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ]) - realm.run([kadminl, 'ktadd', realm.nfs_princ]) + realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ) + realm.run_kadminl('ktadd ' + realm.nfs_princ) -realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds'], expected_code=1) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -65,7 +65,7 @@ @@ -84,7 +86,7 @@ realm.run(['./t_vfy_increds', '-n', real # results with the default principal argument, but verification should # now fail if we request it specifically. - realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ]) + realm.run_kadminl('change_password -randkey ' + realm.nfs_princ) -realm.run(['./t_vfy_increds']) +realm.run(['./t_vfy_increds'], expected_code=1) realm.run(['./t_vfy_increds', '-n'], expected_code=1)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/045-correct_err_code_for_bad_QOP.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,55 @@ +# +# This patch fixes krb5_gss_wrap_size_limit return code to comply with +# RFC 2743. +# +# Found by usr/ontest/lib/libgss/gss_api:gss.17. +# +# The patch was accepted upstream and will be part of krb5 1.14: +# https://github.com/krb5/krb5/commit/45ccc1c85f42e4f41f2042df8a51dd7826533029 +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/k5seal.c new/src/lib/gssapi/krb5/k5seal.c +--- old/src/lib/gssapi/krb5/k5seal.c ++++ new/src/lib/gssapi/krb5/k5seal.c +@@ -337,7 +337,7 @@ kg_seal(minor_status, context_handle, co + them later. */ + if (qop_req != 0) { + *minor_status = (OM_uint32) G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle; +diff -pur old/src/lib/gssapi/krb5/k5sealiov.c new/src/lib/gssapi/krb5/k5sealiov.c +--- old/src/lib/gssapi/krb5/k5sealiov.c ++++ new/src/lib/gssapi/krb5/k5sealiov.c +@@ -277,7 +277,7 @@ kg_seal_iov(OM_uint32 *minor_status, + + if (qop_req != 0) { + *minor_status = (OM_uint32)G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +@@ -342,7 +342,7 @@ kg_seal_iov_length(OM_uint32 *minor_stat + + if (qop_req != GSS_C_QOP_DEFAULT) { + *minor_status = (OM_uint32)G_UNKNOWN_QOP; +- return GSS_S_FAILURE; ++ return GSS_S_BAD_QOP; + } + + ctx = (krb5_gss_ctx_id_rec *)context_handle; +diff -pur old/src/lib/gssapi/krb5/wrap_size_limit.c new/src/lib/gssapi/krb5/wrap_size_limit.c +--- old/src/lib/gssapi/krb5/wrap_size_limit.c ++++ new/src/lib/gssapi/krb5/wrap_size_limit.c +@@ -91,7 +91,7 @@ krb5_gss_wrap_size_limit(minor_status, c + /* only default qop is allowed */ + if (qop_req != GSS_C_QOP_DEFAULT) { + *minor_status = (OM_uint32) G_UNKNOWN_QOP; +- return(GSS_S_FAILURE); ++ return(GSS_S_BAD_QOP); + } + + ctx = (krb5_gss_ctx_id_rec *) context_handle;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/046-creds_usage_mismatch_err_code.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,26 @@ +# +# In krb5_gss_store_cred_into(), if the credential is acceptor-only, set +# the minor status to G_STORE_ACCEPTOR_CRED_NOSUPP instead of +# G_BAD_USAGE. +# +# Found by usr/ontest/lib/libgss/gss_api:gss.27. +# +# Accepted upstream, will be part of krb5 1.14: +# https://github.com/krb5/krb5/commit/c0e16bb2f654038ad81602e89851f232916da051 +# Patch source: in-house +# +diff -pur old/src/lib/gssapi/krb5/store_cred.c new/src/lib/gssapi/krb5/store_cred.c +--- old/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:13:27.399201700 -0700 ++++ new/src/lib/gssapi/krb5/store_cred.c 2015-06-12 08:17:35.570611897 -0700 +@@ -241,7 +241,10 @@ krb5_gss_store_cred_into(OM_uint32 *mino + if (lifetime == 0) + return GSS_S_CREDENTIALS_EXPIRED; + +- if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) { ++ if (actual_usage == GSS_C_ACCEPT) { ++ *minor_status = G_STORE_ACCEPTOR_CRED_NOSUPP; ++ return GSS_S_FAILURE; ++ } else if (actual_usage != GSS_C_INITIATE && actual_usage != GSS_C_BOTH) { + *minor_status = G_BAD_USAGE; + return GSS_S_FAILURE; + }
--- a/components/krb5/patches/051-fopenF.patch Fri May 13 18:08:27 2016 -0700 +++ b/components/krb5/patches/051-fopenF.patch Sat May 14 15:38:32 2016 -0700 @@ -787,9 +787,9 @@ if (!logfile) { perror(*argv); diff -ur krb5-1.13.2/src/util/profile/prof_file.c krb5-1.13.2.fopen/src/util/profile/prof_file.c ---- old/src/util/profile/prof_file.c 2016-03-31 16:44:53.634245353 -0700 -+++ patched/src/util/profile/prof_file.c 2016-03-31 20:07:34.843286876 -0700 -@@ -126,7 +126,7 @@ static int rw_access(const_profile_files +--- krb5-1.13.2/src/util/profile/prof_file.c 2015-05-08 18:27:02.000000000 -0500 ++++ krb5-1.13.2.fopen/src/util/profile/prof_file.c 2015-08-11 13:56:49.450805045 -0500 +@@ -123,7 +123,7 @@ */ FILE *f; @@ -798,7 +798,7 @@ if (f) { fclose(f); return 1; -@@ -150,7 +150,7 @@ static int r_access(const_profile_filesp +@@ -147,7 +147,7 @@ */ FILE *f; @@ -807,16 +807,16 @@ if (f) { fclose(f); return 1; -@@ -355,7 +355,7 @@ errcode_t profile_update_file_data_locke +@@ -346,7 +346,7 @@ + } #endif - if (!isdir) { - errno = 0; -- f = fopen(data->filespec, "r"); -+ f = fopen(data->filespec, "rF"); - if (f == NULL) - return (errno != 0) ? errno : ENOENT; - set_cloexec_file(f); -@@ -423,7 +423,7 @@ static errcode_t write_data_to_file(prf_ + errno = 0; +- f = fopen(data->filespec, "r"); ++ f = fopen(data->filespec, "rF"); + if (f == NULL) { + retval = errno; + if (retval == 0) +@@ -411,7 +411,7 @@ errno = 0;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/061-ccache-nounlink.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,269 @@ +# +# This patch modifies the MIT implementation of krb5_fcc_initialize() so +# it doesn't call unlink() on an existing ccache file. This modification +# was done a long time ago in Solaris to workaround a race condition +# brought on by the interaction between Solaris pam_krb5 and MIT's +# implementation of krb5_fcc_initialize(). Given there are better ways of +# fixing the race condition we will not give this patch to MIT however a +# proper race condition fix would take prohibitively long to implement +# hence this patch. When pam_krb5 is modified to better deal with the +# ccache file and RFE 22229031 regarding ktkt_warnd is implemented then +# this patch can be removed. +# Patch source: in-house +# + +diff -Naru old/src/lib/krb5/ccache/cc_file.c new/src/lib/krb5/ccache/cc_file.c +--- old/src/lib/krb5/ccache/cc_file.c 2015-05-08 16:27:02.000000000 -0700 ++++ new/src/lib/krb5/ccache/cc_file.c 2015-11-16 15:54:02.138183303 -0800 +@@ -64,6 +64,10 @@ + #include "k5-int.h" + #include "cc-int.h" + ++/* Solaris Kerberos */ ++#include <syslog.h> ++#include <ctype.h> ++ + #include <stdio.h> + #include <errno.h> + +@@ -71,6 +75,11 @@ + #include <unistd.h> + #endif + ++/* Solaris Kerberos */ ++/* How long to block if flock fails with EAGAIN */ ++#define LOCK_RETRIES 100 ++#define WAIT_LENGTH 20 /* in milliseconds */ ++ + extern const krb5_cc_ops krb5_cc_file_ops; + + krb5_error_code krb5_change_cache(void); +@@ -85,6 +94,7 @@ + #define FCC_OPEN_AND_ERASE 1 + #define FCC_OPEN_RDWR 2 + #define FCC_OPEN_RDONLY 3 ++#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* Solaris Kerberos */ + + #define FCC_TAG_DELTATIME 1 + +@@ -524,6 +534,130 @@ + ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF)) + #endif + ++/* Solaris Kerberos */ ++static krb5_error_code ++krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new) ++{ ++ struct stat lres; ++ struct stat fres; ++ int error; ++ uid_t uid, euid; ++ int fd; ++ int newfile = 0; ++ ++ *ret_fd = -1; ++ /* ++ * Solaris Kerberos ++ * If we are opening in NOUNLINK mode, we have to check that the ++ * existing file, if any, is not a symlink. If it is, we try to ++ * delete and re-create it. ++ */ ++ error = lstat(filename, &lres); ++ if (error == -1 && errno != ENOENT) { ++ syslog(LOG_ERR, "lstat failed for %s [%m]", filename); ++ return (-1); ++ } ++ ++ if (error == 0 && !S_ISREG(lres.st_mode)) { ++ syslog(LOG_WARNING, "%s is not a plain file!", filename); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ } ++ ++ fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK | O_NOFOLLOW, 0600); ++ if (fd == -1) { ++ if (errno == ENOENT) { ++ fd = THREEPARAMOPEN(filename, open_flag | O_EXCL | O_CREAT, ++ 0600); ++ if (fd != -1) { ++ newfile = 1; ++ } else { ++ /* If the file got created after the open we must retry */ ++ if (errno == EEXIST) ++ return (0); ++ } ++ } else if (errno == EACCES) { ++ /* ++ * We failed since the file existed with wrong permissions. ++ * Let's try to unlink it and if that succeeds retry. ++ */ ++ syslog(LOG_WARNING, "Insufficient permissions on %s", filename); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ return (0); ++ } ++ } ++ /* If we still don't have a valid fd, we stop trying */ ++ if (fd == -1) ++ return (-1); ++ ++ /* ++ * Solaris Kerberos ++ * If the file was not created now with a O_CREAT | O_EXCL open, ++ * we have opened an existing file. We should check if the file ++ * owner is us, if not, unlink and retry. If unlink fails we log ++ * the error and return. ++ */ ++ if (!newfile) { ++ if (fstat(fd, &fres) == -1) { ++ syslog(LOG_ERR, "lstat failed for %s [%m]", filename); ++ close(fd); ++ return (-1); ++ } ++ /* Check if this is the same file we lstat'd earlier */ ++ if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) { ++ syslog(LOG_ERR, "%s changed between stat and open!", filename); ++ close(fd); ++ return (-1); ++ } ++ ++ /* ++ * Solaris Kerberos ++ * Check if the cc filename uid matches owner of file. ++ * Expects cc file to be in the form of /tmp/krb5cc_<uid>, ++ * else skip this check. ++ */ ++ if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) { ++ uid_t fname_uid; ++ char *uidstr = strchr(filename, '_'); ++ char *s = NULL; ++ ++ /* make sure we have some non-null char after '_' */ ++ if (!*++uidstr) ++ goto out; ++ ++ /* make sure the uid part is all digits */ ++ for (s = uidstr; *s; s++) ++ if (!isdigit(*s)) ++ goto out; ++ ++ fname_uid = (uid_t) atoi(uidstr); ++ if (fname_uid != fres.st_uid) { ++ close(fd); ++ syslog(LOG_WARNING, "%s owned by %d instead of %d", ++ filename, fres.st_uid, fname_uid); ++ syslog(LOG_WARNING, "trying to unlink %s", filename); ++ if (unlink(filename) != 0) { ++ syslog(LOG_ERR, "could not unlink %s [%m]", filename); ++ return (-1); ++ } ++ return (0); ++ } ++ } ++ } ++ ++out: ++ *new = newfile; ++ *ret_fd = fd; ++ return (0); ++} ++ + /* Open and lock the cache file. If mode is FCC_OPEN_AND_ERASE, initialize it + * with a header. Call with the mutex locked. */ + static krb5_error_code +@@ -538,6 +672,10 @@ + int f, open_flag, lock_flag, cnt; + char buf[1024]; + ++ /* Solaris Kerberos */ ++ int retries = 0; ++ int newfile = 0; ++ + k5_cc_mutex_assert_locked(context, &data->lock); + invalidate_cache(data); + +@@ -549,6 +687,10 @@ + } + + switch (mode) { ++ /* Solaris Kerberos */ ++ case FCC_OPEN_AND_ERASE_NOUNLINK: ++ open_flag = O_RDWR; ++ break; + case FCC_OPEN_AND_ERASE: + unlink(data->filename); + open_flag = O_CREAT | O_EXCL | O_TRUNC | O_RDWR; +@@ -562,7 +704,21 @@ + break; + } + ++fcc_retry: ++ /* ++ * Solaris Kerberos ++ * If we are opening in NOUNLINK mode, check whether we are opening a ++ * symlink or a file owned by some other user and take preventive action. ++ */ ++ newfile = 0; ++ if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) { ++ ret = krb5_fcc_open_nounlink(data->filename, open_flag, ++ &f, &newfile); ++ if (ret == 0 && f == -1) ++ goto fcc_retry; ++ } else { + f = THREEPARAMOPEN(data->filename, open_flag | O_BINARY, 0600); ++ } + if (f == NO_FILE) { + if (errno == ENOENT) { + ret = KRB5_FCC_NOFILE; +@@ -584,10 +740,26 @@ + ret = krb5_lock_file(context, f, lock_flag); + if (ret) { + (void)close(f); ++ if (ret == EAGAIN && retries++ < LOCK_RETRIES) { ++ /* Solaris Kerberos wait some time before retrying */ ++ if (poll(NULL, 0, WAIT_LENGTH) == 0) ++ goto fcc_retry; ++ } ++ syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename); + return ret; + } + +- if (mode == FCC_OPEN_AND_ERASE) { ++ if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) { ++ /* ++ * Solaris Kerberos ++ * If this file was not created, we have to flush existing data. ++ * This will happen only if we are doing an ERASE_NOUNLINK open. ++ */ ++ if (newfile == 0 && (ftruncate(f, 0) == -1)) { ++ syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename); ++ close(f); ++ return (interpret_errno(context, errno)); ++ } + /* write the version number */ + store_16_be(context->fcc_default_format, fcc_fvno); + data->version = context->fcc_default_format; +@@ -755,14 +927,16 @@ + + k5_cc_mutex_lock(context, &data->lock); + +- MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE); ++ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK); + ++#if 0 + #if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD) + #ifdef HAVE_FCHMOD + st = fchmod(data->fd, S_IRUSR | S_IWUSR); + #else + st = chmod(data->filename, S_IRUSR | S_IWUSR); + #endif ++#endif + if (st == -1) { + ret = interpret_errno(context, errno); + MAYBE_CLOSE(context, id, ret);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/064-enable-debug-compile.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,25 @@ +# +# This patch fixes a minor issue where the hostrealm plugin test program will +# not compile non-optimized. There is a MIT ticket which they intend on +# fixing: Ticket #8326 hostrealm code won't compile in debug mode using Solaris +# Studio C +# Patch source: in-house +# +diff -ur krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in +--- krb5-1.13.2/src/plugins/hostrealm/test/Makefile.in ++++ krb5-1.13.2.debug-build/src/plugins/hostrealm/test/Makefile.in +@@ -5,9 +5,10 @@ + LIBMAJOR=0 + LIBMINOR=0 + RELDIR=../plugins/hostrealm/test +-# Depends on libkrb5 +-SHLIB_EXPDEPS= $(KRB5_DEPLIB) +-SHLIB_EXPLIBS= $(KRB5_LIB) ++# Depends on libkrb5 and libkrb5support when building non-optimized with ++# certain compilers. ++SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB) ++SHLIB_EXPLIBS= $(KRB5_LIB) $(SUPPORT_LIB) + + STLIBOBJS=main.o + +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/066-sanitize_context_ptr.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,34 @@ +# Sanitize context pointer in gss_export_sec_context +# +# After 4f35b27 context pointer in gss_export_sec_context() is first +# dereferenced before arguments are sanitized in val_exp_sec_ctx_args(). +# With context == NULL the new code segfaults instead of failing +# gracefully. +# +# Revert this part of 4f35b27 and only dereference context if not NULL. +# +# Patch submitted upstream: +# https://github.com/krb5/krb5/pull/382 +# Patch source: in-house +# + +diff -pur old/src/lib/gssapi/mechglue/g_exp_sec_context.c new/src/lib/gssapi/mechglue/g_exp_sec_context.c +--- old/src/lib/gssapi/mechglue/g_exp_sec_context.c ++++ new/src/lib/gssapi/mechglue/g_exp_sec_context.c +@@ -79,7 +79,7 @@ gss_buffer_t interprocess_token; + { + OM_uint32 status; + OM_uint32 length; +- gss_union_ctx_id_t ctx = (gss_union_ctx_id_t) *context_handle; ++ gss_union_ctx_id_t ctx; + gss_mechanism mech; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + char *buf; +@@ -94,6 +94,7 @@ gss_buffer_t interprocess_token; + * call it. + */ + ++ ctx = (gss_union_ctx_id_t) *context_handle; + mech = gssint_get_mechanism (ctx->mech_type); + if (!mech) + return GSS_S_BAD_MECH;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/krb5/patches/067-iprop-double-free-fix.patch Sat May 14 15:38:32 2016 -0700 @@ -0,0 +1,26 @@ +# Fix a potential but unlikely to occur double free() in a couple places in ipropd_svc.c. +# This has been reported to MIT who will be fixing this via pull request +# https://github.com/krb5/krb5/pull/396 . +# Patch source: in-house + +diff -ur krb5-1.13.3/src/kadmin/server/ipropd_svc.c krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c +--- krb5-1.13.3/src/kadmin/server/ipropd_svc.c ++++ krb5-1.13.3.memleak/src/kadmin/server/ipropd_svc.c +@@ -160,8 +160,6 @@ + client_name = buf_to_string(&client_desc); + service_name = buf_to_string(&service_desc); + if (client_name == NULL || service_name == NULL) { +- free(client_name); +- free(service_name); + krb5_klog_syslog(LOG_ERR, + _("%s: out of memory recording principal names"), + whoami); +@@ -288,8 +286,6 @@ + client_name = buf_to_string(&client_desc); + service_name = buf_to_string(&service_desc); + if (client_name == NULL || service_name == NULL) { +- free(client_name); +- free(service_name); + DPRINT("%s: out of memory\n", whoami); + krb5_klog_syslog(LOG_ERR, + _("%s: out of memory recording principal names"),