diff --git a/krb5-1.6-manpage-paths.patch b/krb5-1.6-manpage-paths.patch
deleted file mode 100644
index dda7e3f..0000000
--- a/krb5-1.6-manpage-paths.patch
+++ /dev/null
@@ -1,142 +0,0 @@ ---- krb5-1.3/src/appl/bsd/klogind.M -+++ krb5-1.3/src/appl/bsd/klogind.M -@@ -27,7 +27,7 @@ - the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIklogind\fP might be: - --klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c -+klogin stream tcp nowait root /usr/kerberos/sbin/klogind klogind -e5c - - When a service request is received, the following protocol is initiated: - ---- krb5-1.3/src/appl/bsd/kshd.M -+++ krb5-1.3/src/appl/bsd/kshd.M -@@ -8,7 +8,7 @@ - .SH NAME - kshd \- kerberized remote shell server - .SH SYNOPSIS --.B /usr/local/sbin/kshd -+.B /usr/kerberos/sbin/kshd - [ - .B \-kr45ec - ] -@@ -30,7 +30,7 @@ - on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIkrshd\fP might be: - --kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -+kshell stream tcp nowait root /usr/kerberos/sbin/kshd kshd -5c - - When a service request is received, the following protocol is initiated: - ---- krb5-1.3/src/appl/sample/sserver/sserver.M -+++ krb5-1.3/src/appl/sample/sserver/sserver.M -@@ -59,7 +59,7 @@ - using a line in - /etc/inetd.conf that looks like this: - .PP --sample stream tcp nowait root /usr/local/sbin/sserver sserver -+sample stream tcp nowait root /usr/kerberos/sbin/sserver sserver - .PP - Since \fBsample\fP is normally not a port defined in /etc/services, you will - usually have to add a line to /etc/services which looks like this: ---- krb5-1.3/src/appl/telnet/telnetd/telnetd.8 -+++ krb5-1.3/src/appl/telnet/telnetd/telnetd.8 -@@ -37,7 +37,7 @@ - .SM DARPA TELNET - protocol server - .SH SYNOPSIS --.B /usr/libexec/telnetd -+.B /usr/kerberos/sbin/telnetd - [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] - [\fB\-edebug\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] - [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] ---- krb5-1.3/src/config-files/kdc.conf.M -+++ 
krb5-1.3/src/config-files/kdc.conf.M -@@ -235,7 +235,7 @@ - realm names and the [capaths] section of its krb5.conf file - - .SH FILES --/usr/local/var/krb5kdc/kdc.conf -+/var/kerberos/krb5kdc/kdc.conf - - .SH SEE ALSO - krb5.conf(5), krb5kdc(8) ---- krb5-1.3/src/kadmin/cli/kadmin.M -+++ krb5-1.3/src/kadmin/cli/kadmin.M -@@ -733,9 +733,9 @@ - .RS - .TP - EXAMPLE: --kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin -+kadmin: ktremove -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin - Entry for principal kadmin/admin with kvno 3 removed -- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -+ from keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab. - kadmin: - .RE - .fi ---- krb5-1.3/src/slave/kprop.M -+++ krb5-1.3/src/slave/kprop.M -@@ -39,7 +39,7 @@ - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(/var/kerberos/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally /var/kerberos/krb5kdc/slave_datatrans). 
- .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the ---- krb5-1.3/src/slave/kpropd.M -+++ krb5-1.3/src/slave/kpropd.M -@@ -69,7 +69,7 @@ - This is done by adding a line to the inetd.conf file which looks like - this: - --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd - - However, kpropd can also run as a standalone deamon, if the - .B \-S -@@ -87,13 +87,13 @@ - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - stored; by default the dumped database file is KPROPD_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/from_master). -+(normally /var/kerberos/krb5kdc/from_master). - .TP - .B \-p - allows the user to specify the pathname to the - .IR kdb5_util (8) - program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL --(normally /usr/local/sbin/kdb5_util). -+(normally /usr/kerberos/sbin/kdb5_util). - .TP - .B \-S - turn on standalone mode. Normally, kpropd is invoked out of -@@ -124,14 +124,14 @@ - allows the user to specify the path to the - .KR kpropd.acl - file; by default the path used is KPROPD_ACL_FILE --(normally /usr/local/var/krb5kdc/kpropd.acl). -+(normally /var/kerberos/krb5kdc/kpropd.acl). - .SH FILES - .TP "\w'kpropd.acl\ \ 'u" - kpropd.acl - Access file for - .BR kpropd ; - the default location is KPROPD_ACL_FILE (normally --/usr/local/var/krb5kdc/kpropd.acl). -+/var/kerberos/krb5kdc/kpropd.acl). - Each entry is a line containing the principal of a host from which the - local machine will allow Kerberos database propagation via kprop. - .SH SEE ALSO diff --git a/krb5-selinux.patch b/krb5-selinux.patch deleted file mode 100644 index cd66c37..0000000 --- a/krb5-selinux.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- krb5-1.3.1/src/util/profile/prof_file.c.selinux 2003-03-06 13:48:03.000000000 -0500 -+++ krb5-1.3.1/src/util/profile/prof_file.c 2003-09-03 13:42:42.343661059 -0400 -@@ -220,8 +220,10 @@ errcode_t profile_update_file_data(prf_d - } - data->upd_serial++; - data->flags = 0; -+#ifdef NO_SELINUX - if (rw_access(data->filespec)) - data->flags |= PROFILE_FILE_RW; -+#endif - retval = profile_parse_file(f, &data->root); - fclose(f); - if (retval) diff --git a/krb5.spec b/krb5.spec index a6c6c14..973cd94 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,3 @@ -%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} -%define WITH_SELINUX 0 -%endif - %define WITH_LDAP 1 %define krb5prefix %{_prefix}/kerberos @@ -12,6 +8,9 @@ # This'll be pulled out at some point. %define build_static 0 +# For consistency with regular login. +%define login_pam_service remote + Summary: The Kerberos network authentication system. Name: krb5 Version: 1.6.1 @@ -45,8 +44,11 @@ Source22: ekrb5-telnet.xinetd # and tarred up. Source23: krb5-%{version}-pdf.tar.gz Source24: krb5-tex-pdf.sh +Source25: krb5-trunk-manpaths.txt +Source26: gssftp.pamd +Source27: kshell.pamd +Source28: ekshell.pamd -Patch2: krb5-1.6-manpage-paths.patch Patch3: krb5-1.3-netkit-rsh.patch Patch4: krb5-1.3-rlogind-environ.patch Patch5: krb5-1.3-ksu-access.patch @@ -58,7 +60,6 @@ Patch13: krb5-1.3-large-file.patch Patch14: krb5-1.3-ftp-glob.patch Patch16: krb5-1.6-buildconf.patch Patch18: krb5-1.2.7-reject-bad-transited.patch -Patch21: krb5-selinux.patch Patch23: krb5-1.3.1-dns.patch Patch25: krb5-1.4-null.patch Patch26: krb5-1.3.2-efence.patch @@ -82,6 +83,10 @@ Patch55: krb5-1.6.1-empty.patch Patch56: krb5-1.6.1-get_opt_fixup.patch Patch57: krb5-1.6.1-ftp-nospew.patch +Patch60: krb5-1.6.1-pam.patch +Patch61: krb5-trunk-manpaths.patch +Patch62: krb5-any-fixup-patch.txt + License: MIT, freely distributable. URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries 
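Review bot: The sources added as `Source26`–`Source28` declare `gssftp.pamd`, `kshell.pamd` and `ekshell.pamd` but no `remote.pamd`, while the install loop in the later `@@ -1250,6 +1272,13 @@` hunk iterates over `kshell ekshell remote gssftp` and so expects `$RPM_SOURCE_DIR/remote.pamd`. Unless that file is declared outside the visible hunks, the source RPM will not carry it and a clean rebuild fails at `install`. It also looks inconsistent with the new `Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service}` in `@@ -185,7 +189,7 @@`, which implies another package already owns `/etc/pam.d/remote`; shipping a second copy under `%config(noreplace) /etc/pam.d/*` would then be a file conflict over an authentication policy file. I would change the loop to `for pam in kshell ekshell gssftp ; do`.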
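Review bot: `Patch60`–`Patch62` in the `@@ -82,6 +83,10 @@` hunk are added with no comment on what each one does or where it came from, and the `%changelog` entry in this commit does not mention the PAM work at all (it lists only the man-page paths, the SELinux patch removal and the srvtab fix). Together with `--with-pam`, `krb5-1.6.1-pam.patch` presumably changes how the bundled login services authorise sessions, so it deserves a line that someone auditing the package can find. I would add above the block `# Patch60: PAM support for the bundled login/rsh/ftp daemons; Patch61: man pages generated with configured paths; Patch62: srvtab missing-file errors (#241805)` and a changelog bullet such as `- add PAM support to the bundled login services`. The mapping of Patch61 and Patch62 to those changelog items is inferred from the file names and should be confirmed.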
@@ -90,7 +95,6 @@ Prereq: grep, info, sh-utils, /sbin/install-info BuildPrereq: autoconf, bison, e2fsprogs-devel >= 1.35, flex BuildPrereq: gzip, ncurses-devel, rsh, texinfo, tar BuildRequires: tetex-latex -# Wait until the merge completes -- keyutils lives in Extras. BuildRequires: keyutils-libs-devel %if %{WITH_LDAP} @@ -185,7 +189,7 @@ Group: System Environment/Base Requires: %{name}-workstation = %{version}-%{release} Prereq: grep, /sbin/install-info, /bin/sh, sh-utils # mktemp is used by krb5-send-pr -Requires: mktemp, xinetd +Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service} %description workstation-servers Kerberos is a network authentication system. The krb5-workstation-servers @@ -195,6 +199,12 @@ installed on systems which are meant provide these services. %endif %changelog +* Fri Jun 22 2007 Nalin Dahyabhai +- switch man pages to being generated with the right paths in them +- drop old, incomplete SELinux patch +- add patch from Greg Hudson to make srvtab routines report missing-file errors + at same point that keytab routines do (#241805) + * Thu May 24 2007 Nalin Dahyabhai 1.6.1-2 - pull patch from svn to undo unintentional chattiness in ftp - pull patch from svn to handle NULL krb5_get_init_creds_opt structures @@ -1087,7 +1097,13 @@ installed on systems which are meant provide these services. %prep %setup -q -a 23 -%patch2 -p1 -b .manpage-paths +pushd src +%patch60 -p2 -b .pam +%patch61 -p0 -b .manpaths +popd +pushd src/lib/krb5/keytab +%patch62 -p0 -b .any-fixup +popd %patch3 -p1 -b .netkit-rsh %patch4 -p1 -b .rlogind-environ %patch5 -p1 -b .ksu-access @@ -1099,9 +1115,6 @@ installed on systems which are meant provide these services. %patch14 -p1 -b .ftp-glob %patch16 -p1 -b .buildconf %patch18 -p1 -b .reject-bad-transited -%if %{WITH_SELINUX} -%patch21 -p1 -b .selinux -%endif %patch23 -p1 -b .dns %patch25 -p1 -b .null # Removes a malloc(0) case, nothing more. 
@@ -1138,6 +1151,13 @@ sed -i -e '1c\ \\usepackage{fancyheadings}\ \\usepackage{hyperref}' doc/implement/implement.tex +# Rename the man pages so that they'll get generated correctly. +pushd src +cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd + # Check that the PDFs we built earlier match this source tree. $RPM_SOURCE_DIR/krb5-tex-pdf.sh check << EOF doc/api library krb5 @@ -1195,7 +1215,9 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --with-system-ss \ --with-netlib=-lresolv \ --without-tcl \ - --enable-dns + --enable-dns \ + --with-pam \ + --with-pam-login-service=%{login_pam_service} # Now build it. make @@ -1250,6 +1272,13 @@ for xinetd in eklogin klogin kshell ekrb5-telnet krb5-telnet gssftp ; do $RPM_BUILD_ROOT/etc/xinetd.d/${xinetd} done +# PAM configuration files. +mkdir -p $RPM_BUILD_ROOT/etc/pam.d/ +for pam in kshell ekshell remote gssftp ; do + install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \ + $RPM_BUILD_ROOT/etc/pam.d/$pam +done + # Plug-in directories. install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb @@ -1440,6 +1469,7 @@ exit 0 %endif %config(noreplace) /etc/xinetd.d/* +%config(noreplace) /etc/pam.d/* # Login is used by telnetd and klogind. %{krb5prefix}/sbin/login.krb5
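Review bot: The rename loop in `@@ -1138,6 +1151,13 @@` reads the list with a plain `read`, so a path containing a backslash or surrounding whitespace is altered before it reaches `mv`, and a final line without a trailing newline is skipped. `cat ... | while` also runs the loop body in a pipeline subshell, so stopping on a failed `mv` depends on how the build shell propagates errexit. I would write `while IFS= read -r manpage ; do mv "$manpage" "$manpage".in || exit 1 ; done < "$RPM_SOURCE_DIR/krb5-trunk-manpaths.txt"`, so that a stale entry in the list fails %prep. Otherwise a page could presumably be left ungenerated, still showing the old paths.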
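Review bot: `--with-pam` is passed to configure in `@@ -1195,7 +1215,9 @@`, but none of the visible hunks adds a build dependency on the PAM headers; the `@@ -90,7 +95,6 @@` hunk touches the BuildRequires block and only removes a comment. In a clean build root without those headers the build either fails or, depending on how the patched configure handles the missing library, may produce daemons without the PAM checks. I would add `BuildRequires: pam-devel` next to `keyutils-libs-devel`, unless it is already declared outside the hunks shown.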