From cd6903bceb169081ab57b9d3d9f0f4691aa0d030 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 14:59:48 -0400 Subject: [PATCH 01/14] - fix context for applying to krb5.conf(5) --- krb5-1.9-manpaths.patch | 195 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 195 insertions(+) create mode 100644 krb5-1.9-manpaths.patch diff --git a/krb5-1.9-manpaths.patch b/krb5-1.9-manpaths.patch new file mode 100644 index 0000000..ff629cd --- /dev/null +++ b/krb5-1.9-manpaths.patch 
@@ -0,0 +1,195 @@ +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 + +diff -up krb5-1.8/src/aclocal.m4.manpaths krb5-1.8/src/aclocal.m4 +--- krb5-1.8/src/aclocal.m4.manpaths 2010-03-05 10:55:28.000000000 -0500 ++++ krb5-1.8/src/aclocal.m4 2010-03-05 10:55:29.000000000 -0500 +@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +diff -up krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths krb5-1.8/src/appl/sample/sserver/sserver.M +--- krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths 1999-09-24 17:20:59.000000000 -0400 ++++ krb5-1.8/src/appl/sample/sserver/sserver.M 2010-03-05 10:55:29.000000000 -0500 +@@ -59,7 +59,7 @@ option allows for a different keytab tha + using a line in + 
/etc/inetd.conf that looks like this: + .PP +-sample stream tcp nowait root /usr/local/sbin/sserver sserver ++sample stream tcp nowait root @mansbindir@/sserver sserver + .PP + Since \fBsample\fP is normally not a port defined in /etc/services, you will + usually have to add a line to /etc/services which looks like this: +diff -up krb5-1.8/src/config-files/kdc.conf.M.manpaths krb5-1.8/src/config-files/kdc.conf.M +--- krb5-1.8/src/config-files/kdc.conf.M.manpaths 2010-01-04 14:34:33.000000000 -0500 ++++ krb5-1.8/src/config-files/kdc.conf.M 2010-03-05 10:55:29.000000000 -0500 +@@ -82,14 +82,14 @@ This + .B string + specifies the location of the access control list (acl) file that + kadmin uses to determine which principals are allowed which permissions +-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. ++on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. + + .IP admin_keytab + This + .B string + Specifies the location of the keytab file that kadmin uses to + authenticate to the database. The default value is +-/usr/local/var/krb5kdc/kadm5.keytab. ++@manlocalstatedir@/krb5kdc/kadm5.keytab. + + .IP database_name + This +@@ -254,7 +254,7 @@ tickets should be checked against the tr + realm names and the [capaths] section of its krb5.conf file + + .SH FILES +-/usr/local/var/krb5kdc/kdc.conf ++@manlocalstatedir@/krb5kdc/kdc.conf + + .SH SEE ALSO + krb5.conf(5), krb5kdc(8) +diff -up krb5-1.8/src/config-files/krb5.conf.M.manpaths krb5-1.8/src/config-files/krb5.conf.M +--- krb5-1.8/src/config-files/krb5.conf.M.manpaths 2010-02-25 15:14:21.000000000 -0500 ++++ krb5-1.8/src/config-files/krb5.conf.M 2010-03-05 10:55:29.000000000 -0500 +@@ -651,6 +651,6 @@ is whitespace-separated. The LDAP server + in for this interface. 
+ + .SH FILES +-/etc/krb5.conf ++@mansysconfdir@/krb5.conf + .SH SEE ALSO + syslog(3) +diff -up krb5-1.8/src/configure.in.manpaths krb5-1.8/src/configure.in +--- krb5-1.8/src/configure.in.manpaths 2010-03-05 10:55:29.000000000 -0500 ++++ krb5-1.8/src/configure.in 2010-03-05 10:55:29.000000000 -0500 +@@ -1054,6 +1054,16 @@ fi + KRB5_WITH_PAM + + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) ++ ++V5_AC_OUTPUT_MANPAGE([ ++ appl/sample/sserver/sserver.M ++ config-files/kdc.conf.M ++ config-files/krb5.conf.M ++ kadmin/cli/kadmin.M ++ slave/kpropd.M ++ slave/kprop.M ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/send-pr +diff -up krb5-1.8/src/kadmin/cli/kadmin.M.manpaths krb5-1.8/src/kadmin/cli/kadmin.M +--- krb5-1.8/src/kadmin/cli/kadmin.M.manpaths 2010-01-04 14:59:25.000000000 -0500 ++++ krb5-1.8/src/kadmin/cli/kadmin.M 2010-03-05 10:55:29.000000000 -0500 +@@ -869,9 +869,9 @@ option is specified, less verbose status + .RS + .TP + EXAMPLE: +-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin ++kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin + Entry for principal kadmin/admin with kvno 3 removed +- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. ++ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. + kadmin: + .RE + .fi +@@ -913,7 +913,7 @@ passwords. + .SH HISTORY + The + .B kadmin +-prorgam was originally written by Tom Yu at MIT, as an interface to the ++program was originally written by Tom Yu at MIT, as an interface to the + OpenVision Kerberos administration program. 
+ .SH SEE ALSO + .IR kerberos (1), +diff -up krb5-1.8/src/slave/kpropd.M.manpaths krb5-1.8/src/slave/kpropd.M +--- krb5-1.8/src/slave/kpropd.M.manpaths 2009-12-30 23:21:34.000000000 -0500 ++++ krb5-1.8/src/slave/kpropd.M 2010-03-05 10:55:29.000000000 -0500 +@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of + This is done by adding a line to the inetd.conf file which looks like + this: + +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @mansbindir@/kpropd kpropd + + However, kpropd can also run as a standalone daemon, if the + .B \-S +@@ -111,13 +111,13 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + stored; by default the dumped database file is KPROPD_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/from_master). ++(normally @manlocalstatedir@/krb5kdc/from_master). + .TP + .B \-p + allows the user to specify the pathname to the + .IR kdb5_util (8) + program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL +-(normally /usr/local/sbin/kdb5_util). ++(normally @mansbindir@/kdb5_util). + .TP + .B \-S + turn on standalone mode. Normally, kpropd is invoked out of +@@ -148,14 +148,14 @@ mode. + allows the user to specify the path to the + kpropd.acl + file; by default the path used is KPROPD_ACL_FILE +-(normally /usr/local/var/krb5kdc/kpropd.acl). ++(normally @manlocalstatedir@/krb5kdc/kpropd.acl). + .SH FILES + .TP "\w'kpropd.acl\ \ 'u" + kpropd.acl + Access file for + .BR kpropd ; + the default location is KPROPD_ACL_FILE (normally +-/usr/local/var/krb5kdc/kpropd.acl). ++@manlocalstatedir@/krb5kdc/kpropd.acl). + Each entry is a line containing the principal of a host from which the + local machine will allow Kerberos database propagation via kprop. 
+ .SH SEE ALSO +diff -up krb5-1.8/src/slave/kprop.M.manpaths krb5-1.8/src/slave/kprop.M +--- krb5-1.8/src/slave/kprop.M.manpaths 1999-09-24 17:20:59.000000000 -0400 ++++ krb5-1.8/src/slave/kprop.M 2010-03-05 10:55:29.000000000 -0500 +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the From 99e4741184cd53d41e65c06d3fe9941bfd4a5d6c Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:00:13 -0400 Subject: [PATCH 02/14] - update to match current context in krb5.conf(5) --- krb5-1.8-key_exp.patch | 24 ----- krb5-1.8-manpaths.patch | 195 ---------------------------------------- 2 files changed, 219 deletions(-) delete mode 100644 krb5-1.8-key_exp.patch delete mode 100644 krb5-1.8-manpaths.patch diff --git a/krb5-1.8-key_exp.patch b/krb5-1.8-key_exp.patch deleted file mode 100644 index 33a07e0..0000000 --- a/krb5-1.8-key_exp.patch +++ /dev/null 
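Review bot: The V5_AC_OUTPUT_MANPAGE macro added to aclocal.m4 in this hunk computes and AC_SUBSTs manlibexecdir, but none of the six pages passed to it from configure.in (sserver.M, kdc.conf.M, krb5.conf.M, kadmin.M, kpropd.M, kprop.M) reference @manlibexecdir@ anywhere in the hunk, so either a page that documents a libexecdir path is missing from the list or those four lines are dead and should be dropped. The `eval echo $mansysconfdir | sed ...` expansions are unquoted, so a prefix containing whitespace or shell metacharacters would be word-split or re-evaluated by eval; these values come from the builder's own configure arguments rather than untrusted input, so this is a robustness rather than a security concern, but a comment such as `dnl NOTE: paths are eval'd unquoted; prefixes must not contain whitespace or shell metacharacters` would make the assumption explicit. The kadmin.M part of this patch also bundles an unrelated typo fix (`prorgam` -> `program`) with the path substitutions, which is worth a mention in the patch header so it is not lost when the patch is next rebased. The header says the .M files must be renamed to .M.in after applying, and that step is easy to miss; stating the rename explicitly per file in the header would help the next packager.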
@@ -1,24 +0,0 @@ -Sadique Puthen notes that the warning on the client side seems to be correspond -to the wrong attribute on the KDC. Do what RFC4120 says we should do. - -RT#5755, which turns out to have been a duplicate of RT#2032. - -diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c ---- krb5-1.8/src/kdc/do_as_req.c.key_exp 2010-02-16 17:21:08.000000000 -0500 -+++ krb5-1.8/src/kdc/do_as_req.c 2010-03-05 11:02:06.000000000 -0500 -@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr - goto errout; - } - reply_encpart.nonce = request->nonce; -- reply_encpart.key_exp = client.expiration; -+ if (client.expiration == 0) { -+ reply_encpart.key_exp = client.pw_expiration; -+ } else if (client.pw_expiration == 0) { -+ reply_encpart.key_exp = client.expiration; -+ } else { -+ reply_encpart.key_exp = client.pw_expiration < client.expiration ? -+ client.pw_expiration : client.expiration; -+ } - reply_encpart.flags = enc_tkt_reply.flags; - reply_encpart.server = ticket_reply.server; - diff --git a/krb5-1.8-manpaths.patch b/krb5-1.8-manpaths.patch deleted file mode 100644 index 60254a4..0000000 --- a/krb5-1.8-manpaths.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -Change the absolute paths included in the man pages so that the correct -values can be dropped in by config.status. After applying this patch, -these files should be renamed to their ".in" counterparts, and then the -configure scripts should be rebuilt. Originally RT#6525 - -diff -up krb5-1.8/src/aclocal.m4.manpaths krb5-1.8/src/aclocal.m4 ---- krb5-1.8/src/aclocal.m4.manpaths 2010-03-05 10:55:28.000000000 -0500 -+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:55:29.000000000 -0500 -@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS) - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_CONFIG_FILES($1) -+]) -diff -up krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths krb5-1.8/src/appl/sample/sserver/sserver.M ---- krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths 1999-09-24 17:20:59.000000000 -0400 -+++ krb5-1.8/src/appl/sample/sserver/sserver.M 2010-03-05 10:55:29.000000000 -0500 -@@ -59,7 +59,7 @@ option allows for a different keytab tha - using a line in - 
/etc/inetd.conf that looks like this: - .PP --sample stream tcp nowait root /usr/local/sbin/sserver sserver -+sample stream tcp nowait root @mansbindir@/sserver sserver - .PP - Since \fBsample\fP is normally not a port defined in /etc/services, you will - usually have to add a line to /etc/services which looks like this: -diff -up krb5-1.8/src/config-files/kdc.conf.M.manpaths krb5-1.8/src/config-files/kdc.conf.M ---- krb5-1.8/src/config-files/kdc.conf.M.manpaths 2010-01-04 14:34:33.000000000 -0500 -+++ krb5-1.8/src/config-files/kdc.conf.M 2010-03-05 10:55:29.000000000 -0500 -@@ -82,14 +82,14 @@ This - .B string - specifies the location of the access control list (acl) file that - kadmin uses to determine which principals are allowed which permissions --on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. -+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. - - .IP admin_keytab - This - .B string - Specifies the location of the keytab file that kadmin uses to - authenticate to the database. The default value is --/usr/local/var/krb5kdc/kadm5.keytab. -+@manlocalstatedir@/krb5kdc/kadm5.keytab. - - .IP database_name - This -@@ -254,7 +254,7 @@ tickets should be checked against the tr - realm names and the [capaths] section of its krb5.conf file - - .SH FILES --/usr/local/var/krb5kdc/kdc.conf -+@manlocalstatedir@/krb5kdc/kdc.conf - - .SH SEE ALSO - krb5.conf(5), krb5kdc(8) -diff -up krb5-1.8/src/config-files/krb5.conf.M.manpaths krb5-1.8/src/config-files/krb5.conf.M ---- krb5-1.8/src/config-files/krb5.conf.M.manpaths 2010-02-25 15:14:21.000000000 -0500 -+++ krb5-1.8/src/config-files/krb5.conf.M 2010-03-05 10:55:29.000000000 -0500 -@@ -651,6 +651,6 @@ is whitespace-separated. The LDAP server - This LDAP specific tag indicates the number of connections to be maintained per - LDAP server. 
- .SH FILES --/etc/krb5.conf -+@mansysconfdir@/krb5.conf - .SH SEE ALSO - syslog(3) -diff -up krb5-1.8/src/configure.in.manpaths krb5-1.8/src/configure.in ---- krb5-1.8/src/configure.in.manpaths 2010-03-05 10:55:29.000000000 -0500 -+++ krb5-1.8/src/configure.in 2010-03-05 10:55:29.000000000 -0500 -@@ -1054,6 +1054,16 @@ fi - KRB5_WITH_PAM - - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) -+ -+V5_AC_OUTPUT_MANPAGE([ -+ appl/sample/sserver/sserver.M -+ config-files/kdc.conf.M -+ config-files/krb5.conf.M -+ kadmin/cli/kadmin.M -+ slave/kpropd.M -+ slave/kprop.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. - - util util/support util/profile util/send-pr -diff -up krb5-1.8/src/kadmin/cli/kadmin.M.manpaths krb5-1.8/src/kadmin/cli/kadmin.M ---- krb5-1.8/src/kadmin/cli/kadmin.M.manpaths 2010-01-04 14:59:25.000000000 -0500 -+++ krb5-1.8/src/kadmin/cli/kadmin.M 2010-03-05 10:55:29.000000000 -0500 -@@ -869,9 +869,9 @@ option is specified, less verbose status - .RS - .TP - EXAMPLE: --kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin -+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin - Entry for principal kadmin/admin with kvno 3 removed -- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. - kadmin: - .RE - .fi -@@ -913,7 +913,7 @@ passwords. - .SH HISTORY - The - .B kadmin --prorgam was originally written by Tom Yu at MIT, as an interface to the -+program was originally written by Tom Yu at MIT, as an interface to the - OpenVision Kerberos administration program. 
- .SH SEE ALSO - .IR kerberos (1), -diff -up krb5-1.8/src/slave/kpropd.M.manpaths krb5-1.8/src/slave/kpropd.M ---- krb5-1.8/src/slave/kpropd.M.manpaths 2009-12-30 23:21:34.000000000 -0500 -+++ krb5-1.8/src/slave/kpropd.M 2010-03-05 10:55:29.000000000 -0500 -@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of - This is done by adding a line to the inetd.conf file which looks like - this: - --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root @mansbindir@/kpropd kpropd - - However, kpropd can also run as a standalone daemon, if the - .B \-S -@@ -111,13 +111,13 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - stored; by default the dumped database file is KPROPD_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/from_master). -+(normally @manlocalstatedir@/krb5kdc/from_master). - .TP - .B \-p - allows the user to specify the pathname to the - .IR kdb5_util (8) - program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL --(normally /usr/local/sbin/kdb5_util). -+(normally @mansbindir@/kdb5_util). - .TP - .B \-S - turn on standalone mode. Normally, kpropd is invoked out of -@@ -148,14 +148,14 @@ mode. - allows the user to specify the path to the - kpropd.acl - file; by default the path used is KPROPD_ACL_FILE --(normally /usr/local/var/krb5kdc/kpropd.acl). -+(normally @manlocalstatedir@/krb5kdc/kpropd.acl). - .SH FILES - .TP "\w'kpropd.acl\ \ 'u" - kpropd.acl - Access file for - .BR kpropd ; - the default location is KPROPD_ACL_FILE (normally --/usr/local/var/krb5kdc/kpropd.acl). -+@manlocalstatedir@/krb5kdc/kpropd.acl). - Each entry is a line containing the principal of a host from which the - local machine will allow Kerberos database propagation via kprop. 
- .SH SEE ALSO -diff -up krb5-1.8/src/slave/kprop.M.manpaths krb5-1.8/src/slave/kprop.M ---- krb5-1.8/src/slave/kprop.M.manpaths 1999-09-24 17:20:59.000000000 -0400 -+++ krb5-1.8/src/slave/kprop.M 2010-03-05 10:55:29.000000000 -0500 -@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). - .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the From e2734a2f40dce16709011384bd65390211d25d73 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:03:55 -0400 Subject: [PATCH 03/14] - update to apply to 1.9 --- ...irsrv-accountlock.patch => krb5-1.9-dirsrv-accountlock.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename krb5-1.8-dirsrv-accountlock.patch => krb5-1.9-dirsrv-accountlock.patch (98%) diff --git a/krb5-1.8-dirsrv-accountlock.patch b/krb5-1.9-dirsrv-accountlock.patch similarity index 98% rename from krb5-1.8-dirsrv-accountlock.patch rename to krb5-1.9-dirsrv-accountlock.patch index 09629a1..8657882 100644 --- a/krb5-1.8-dirsrv-accountlock.patch +++ b/krb5-1.9-dirsrv-accountlock.patch @@ -65,5 +65,5 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou + "nsaccountlock", +#endif "krbLastPwdChange", + "krbLastAdminUnlock", "krbExtraData", - "krbObjectReferences", From 7bf6313a47f7ed69c821b5427619f147b59d9bf2 Mon Sep 17 00:00:00 2001 
From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:06:01 -0400 Subject: [PATCH 04/14] - fix included in 1.9 --- krb5-trunk-explife.patch | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 krb5-trunk-explife.patch diff --git a/krb5-trunk-explife.patch b/krb5-trunk-explife.patch deleted file mode 100644 index ddcf143..0000000 --- a/krb5-trunk-explife.patch +++ /dev/null @@ -1,28 +0,0 @@ -Rob Crittenden noticed that, in populate_krb5_db_entry(), key -expirations weren't being computed as expected. It turns out -that neither KDB_PRINC_EXPIRE_TIME_ATTR nor KDB_PWD_EXPIRE_TIME_ATTR -is defined to 1, so the check for their bits could never succeed as -written. RT#6762. - -Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -=================================================================== ---- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 24252) -+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy) -@@ -2087,7 +2087,7 @@ - goto cleanup; - - if (attr_present == TRUE) { -- if ((mask & KDB_PRINC_EXPIRE_TIME_ATTR) == 1) { -+ if (mask & KDB_PRINC_EXPIRE_TIME_ATTR) { - if (expiretime < entry->expiration) - entry->expiration = expiretime; - } else { -@@ -2127,7 +2127,7 @@ - if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) - goto cleanup; - -- if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { -+ if (mask & KDB_PWD_EXPIRE_TIME_ATTR) { - if ((last_pw_changed + pw_max_life) < entry->pw_expiration) - entry->pw_expiration = last_pw_changed + pw_max_life; - } else From 01711b78ff6ad177243d7aeb0f10b1d92c5eadf8 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:06:39 -0400 Subject: [PATCH 05/14] - fix included in 1.9 --- krb5-trunk-key_usage.patch | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 krb5-trunk-key_usage.patch diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch deleted file mode 100644 index f45db69..0000000 
--- a/krb5-trunk-key_usage.patch +++ /dev/null @@ -1,25 +0,0 @@ -Reading the NID_key_usage extension doesn't ensure that the ex_flags and -ex_kusage fields that the ku_reject() macro checks. It'd probably be -better to check the usage string directly, but calling X509_check_ca() -makes the right things happen. RT#6775, part of #629022. - -Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -=================================================================== ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312) -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313) -@@ -2005,6 +2005,7 @@ - pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__); - - /* check that digitalSignature KeyUsage is present */ -+ X509_check_ca(reqctx->received_cert); - if ((usage = X509_get_ext_d2i(reqctx->received_cert, - NID_key_usage, NULL, NULL))) { - -@@ -4551,6 +4552,7 @@ - } - - /* Make sure usage exists before checking bits */ -+ X509_check_ca(x); - usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL); - if (usage) { - if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) From c4fcdebf2560a7fc22b5932a107523b7eee7e2ad Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:07:40 -0400 Subject: [PATCH 06/14] - fix included in 1.9 --- krb5-trunk-signed.patch | 42 ----------------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 krb5-trunk-signed.patch diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch deleted file mode 100644 index c8be88e..0000000 --- a/krb5-trunk-signed.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -In crypto_retrieve_X509_sans(), the "i" used to hold the result of -X509_get_ext_by_NID() is unsigned, so without a cast or changing its -type, the comparison to -1 will always succeed. - -If the attempt to parse the SAN value then fails because the extension -is not present, then crypto_retrieve_X509_sans(), -crypto_cert_get_matching_data(), and obtain_all_cert_matching_data() -will all return EINVAL, pkinit_cert_matching() will fail, and -pkinit_identity_initialize() will fail. As a result, the presence one -candidate certificate which doesn't contain any SAN values will cause -the client to fail to locate its certificate. RT#6774, part of #629022. - -Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -=================================================================== ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322) -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323) -@@ -1767,7 +1767,7 @@ - { - krb5_error_code retval = EINVAL; - char buf[DN_BUF_LEN]; -- int p = 0, u = 0, d = 0; -+ int p = 0, u = 0, d = 0, l; - krb5_principal *princs = NULL; - krb5_principal *upns = NULL; - unsigned char **dnss = NULL; -@@ -1787,14 +1787,14 @@ - buf, sizeof(buf)); - pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf); - -- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { -+ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { - X509_EXTENSION *ext = NULL; - GENERAL_NAMES *ialt = NULL; - GENERAL_NAME *gen = NULL; - int ret = 0; - unsigned int num_sans = 0; - -- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) { -+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", - __FUNCTION__); - goto cleanup; From a048f0f12ec5c5c012939dd8e1613b5fa9f5c093 Mon Sep 17 00:00:00 2001 
From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:09:04 -0400 Subject: [PATCH 07/14] - fix included in 1.9 --- krb5-trunk-k5login.patch | 333 --------------------------------------- 1 file changed, 333 deletions(-) delete mode 100644 krb5-trunk-k5login.patch diff --git a/krb5-trunk-k5login.patch b/krb5-trunk-k5login.patch deleted file mode 100644 index e3bfc94..0000000 --- a/krb5-trunk-k5login.patch +++ /dev/null 
@@ -1,333 +0,0 @@ -commit 3ec524d3aa8f92b150a02062ae8faf0bb2ffaa9d -Author: ghudson -Date: Fri Oct 1 15:56:30 2010 +0000 - - ticket: 6792 - subject: Implement k5login_directory and k5login_authoritative options - - Add and document two new options for controlling k5login behavior. - - - git-svn-id: svn://anonsvn.mit.edu:/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/doc/admin.texinfo b/doc/admin.texinfo -index 8603b93..2a811de 100644 ---- a/doc/admin.texinfo -+++ b/doc/admin.texinfo -@@ -468,6 +468,20 @@ Sets the maximum allowable amount of clockskew in seconds that the - library will tolerate before assuming that a Kerberos message is - invalid. The default value is @value{DefaultClockskew}. - -+@itemx k5login_authoritative -+If the value of this relation is true (the default), principals must -+be listed in a local user's k5login file to be granted login access, -+if a k5login file exists. If the value of this relation is false, a -+principal may still be granted login access through other mechanisms -+even if a k5login file exists but does not list the principal. -+ -+@itemx k5login_directory -+If set, the library will look for a local user's k5login file within the -+named directory, with a filename corresponding to the local username. -+If not set, the library will look for k5login files in the user's home -+directory, with the filename @code{.k5login}. For security reasons, -+k5login files must be owned by the local user or by root. 
-+ - @itemx kdc_timesync - If this is set to 1 (for true), then client machines will compute the - difference between their time and the time returned by the KDC in the -diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M -index 2995aa2..e658e89 100644 ---- a/src/config-files/krb5.conf.M -+++ b/src/config-files/krb5.conf.M -@@ -155,6 +155,20 @@ This relation sets the maximum allowable amount of clockskew in seconds - that the library will tolerate before assuming that a Kerberos message - is invalid. The default value is 300 seconds, or five minutes. - -+.IP k5login_authoritative -+If the value of this relation is true (the default), principals must -+be listed in a local user's k5login file to be granted login access, -+if a k5login file exists. If the value of this relation is false, a -+principal may still be granted login access through other mechanisms -+even if a k5login file exists but does not list the principal. -+ -+.IP k5login_directory -+If set, the library will look for a local user's k5login file within -+the named directory, with a filename corresponding to the local -+username. If not set, the library will look for k5login files in the -+user's home directory, with the filename .k5login. For security -+reasons, k5login files must be owned by the local user or by root. 
-+ - .IP kdc_timesync - If the value of this relation is non-zero (the default), the library - will compute the difference between the system clock and the time -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 750f989..f2a037c 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -222,6 +222,8 @@ typedef INT64_TYPE krb5_int64; - #define KRB5_CONF_IPROP_PORT "iprop_port" - #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" - #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile" -+#define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" -+#define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" - #define KRB5_CONF_KADMIND_PORT "kadmind_port" - #define KRB5_CONF_KRB524_SERVER "krb524_server" - #define KRB5_CONF_KDC "kdc" -diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c -index 1bc7505..985bb14 100644 ---- a/src/lib/krb5/os/kuserok.c -+++ b/src/lib/krb5/os/kuserok.c -@@ -48,105 +48,138 @@ - #define FILE_OWNER_OK(UID) ((UID) == 0) - #endif - -+enum result { ACCEPT, REJECT, PASS }; -+ - /* -- * Given a Kerberos principal "principal", and a local username "luser", -- * determine whether user is authorized to login according to the -- * authorization file ("~luser/.k5login" by default). Returns TRUE -- * if authorized, FALSE if not authorized. -- * -- * If there is no account for "luser" on the local machine, returns -- * FALSE. If there is no authorization file, and the given Kerberos -- * name "server" translates to the same name as "luser" (using -- * krb5_aname_to_lname()), returns TRUE. Otherwise, if the authorization file -- * can't be accessed, returns FALSE. Otherwise, the file is read for -- * a matching principal name, instance, and realm. If one is found, -- * returns TRUE, if none is found, returns FALSE. -- * -- * The file entries are in the format produced by krb5_unparse_name(), -- * one entry per line. 
-- * -+ * Find the k5login filename for luser, either in the user's homedir or in a -+ * configured directory under the username. - */ -+static krb5_error_code -+get_k5login_filename(krb5_context context, const char *luser, -+ const char *homedir, char **filename_out) -+{ -+ krb5_error_code ret; -+ char *dir, *filename; - --krb5_boolean KRB5_CALLCONV --krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser) -+ *filename_out = NULL; -+ ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, -+ KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir); -+ if (ret != 0) -+ return ret; -+ -+ if (dir == NULL) { -+ /* Look in the user's homedir. */ -+ if (asprintf(&filename, "%s/.k5login", homedir) < 0) -+ return ENOMEM; -+ } else { -+ /* Look in the configured directory. */ -+ if (asprintf(&filename, "%s/%s", dir, luser) < 0) -+ ret = ENOMEM; -+ profile_release_string(dir); -+ if (ret) -+ return ret; -+ } -+ *filename_out = filename; -+ return 0; -+} -+ -+/* -+ * Determine whether principal is authorized to log in as luser according to -+ * the user's k5login file. Return ACCEPT if the k5login file authorizes the -+ * principal, PASS if the k5login file does not exist, or REJECT if the k5login -+ * file exists but does not authorize the principal. If k5login files are -+ * configured to be non-authoritative, pass instead of rejecting. 
-+ */ -+static enum result -+k5login_ok(krb5_context context, krb5_principal principal, const char *luser) - { -+ int authoritative = TRUE; -+ enum result result = REJECT; -+ char *filename = NULL, *princname = NULL; -+ char gobble, *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; - struct stat sbuf; -- struct passwd *pwd; -- char pbuf[MAXPATHLEN]; -- krb5_boolean isok = FALSE; -- FILE *fp; -- char kuser[MAX_USERNAME]; -- char *princname; -- char linebuf[BUFSIZ]; -- char *newline; -- int gobble; -- char pwbuf[BUFSIZ]; -- struct passwd pwx; -- int result; -- -- /* no account => no access */ -+ struct passwd pwx, *pwd; -+ FILE *fp = NULL; -+ -+ if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, -+ KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, -+ &authoritative) != 0) -+ goto cleanup; -+ -+ /* Get the local user's homedir and uid. */ - if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) -- return(FALSE); -- result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir); -- if (SNPRINTF_OVERFLOW(result, sizeof(pbuf))) -- return(FALSE); -- -- if (access(pbuf, F_OK)) { /* not accessible */ -- /* -- * if he's trying to log in as himself, and there is no .k5login file, -- * let him. To find out, call -- * krb5_aname_to_localname to convert the principal to a name -- * which we can string compare. 
-- */ -- if (!(krb5_aname_to_localname(context, principal, -- sizeof(kuser), kuser)) -- && (strcmp(kuser, luser) == 0)) { -- return(TRUE); -- } -- } -- if (krb5_unparse_name(context, principal, &princname)) -- return(FALSE); /* no hope of matching */ -+ goto cleanup; -+ -+ if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) -+ goto cleanup; - -- /* open ~/.k5login */ -- if ((fp = fopen(pbuf, "r")) == NULL) { -- free(princname); -- return(FALSE); -+ if (access(filename, F_OK) != 0) { -+ result = PASS; -+ goto cleanup; - } -+ -+ if (krb5_unparse_name(context, principal, &princname) != 0) -+ goto cleanup; -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) -+ goto cleanup; - set_cloexec_file(fp); -- /* -- * For security reasons, the .k5login file must be owned either by -- * the user himself, or by root. Otherwise, don't grant access. -- */ -- if (fstat(fileno(fp), &sbuf)) { -- fclose(fp); -- free(princname); -- return(FALSE); -- } -- if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { -- fclose(fp); -- free(princname); -- return(FALSE); -- } - -- /* check each line */ -- while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { -- /* null-terminate the input string */ -- linebuf[BUFSIZ-1] = '\0'; -- newline = NULL; -- /* nuke the newline if it exists */ -- if ((newline = strchr(linebuf, '\n'))) -+ /* For security reasons, the .k5login file must be owned either by -+ * the user or by root. */ -+ if (fstat(fileno(fp), &sbuf)) -+ goto cleanup; -+ if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) -+ goto cleanup; -+ -+ /* Check each line. 
*/ -+ while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { -+ newline = strrchr(linebuf, '\n'); -+ if (newline != NULL) - *newline = '\0'; -- if (!strcmp(linebuf, princname)) { -- isok = TRUE; -- continue; -- } -- /* clean up the rest of the line if necessary */ -- if (!newline) -+ if (strcmp(linebuf, princname) == 0) -+ result = ACCEPT; -+ /* Clean up the rest of the line if necessary. */ -+ if (newline == NULL) - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); - } -+ -+cleanup: - free(princname); -- fclose(fp); -- return(isok); -+ free(filename); -+ if (fp != NULL) -+ fclose(fp); -+ /* If k5login files are non-authoritative, never reject. */ -+ return (!authoritative && result == REJECT) ? PASS : result; -+} -+ -+/* -+ * Determine whether principal is authorized to log in as luser according to -+ * aname-to-localname translation. Return ACCEPT if principal translates to -+ * luser or PASS if it does not. -+ */ -+static enum result -+an2ln_ok(krb5_context context, krb5_principal principal, const char *luser) -+{ -+ krb5_error_code ret; -+ char kuser[MAX_USERNAME]; -+ -+ ret = krb5_aname_to_localname(context, principal, sizeof(kuser), kuser); -+ if (ret != 0) -+ return PASS; -+ return (strcmp(kuser, luser) == 0) ? ACCEPT : PASS; -+} -+ -+krb5_boolean KRB5_CALLCONV -+krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser) -+{ -+ enum result result; -+ -+ result = k5login_ok(context, principal, luser); -+ if (result == PASS) -+ result = an2ln_ok(context, principal, luser); -+ return (result == ACCEPT) ? TRUE : FALSE; - } - - #else /* _WIN32 */ -commit 6f46ab42b718410aee67a888b3fefe7df8ce2062 -Author: ghudson -Date: Sat Oct 2 11:48:06 2010 +0000 - - ticket: 6792 - - In the krb5_kuserok implementation, fix an unintentional type change - to "gobble" (was an int, was accidentally changed to a char) which - could result in an infinite loop. 
- - - git-svn-id: svn://anonsvn.mit.edu:/krb5/trunk@24413 dc483132-0cff-0310-8789-dd5450dbe970 - -diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c -index 985bb14..e1619f3 100644 ---- a/src/lib/krb5/os/kuserok.c -+++ b/src/lib/krb5/os/kuserok.c -@@ -93,10 +93,10 @@ get_k5login_filename(krb5_context context, const char *luser, - static enum result - k5login_ok(krb5_context context, krb5_principal principal, const char *luser) - { -- int authoritative = TRUE; -+ int authoritative = TRUE, gobble; - enum result result = REJECT; - char *filename = NULL, *princname = NULL; -- char gobble, *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; -+ char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; - struct stat sbuf; - struct passwd pwx, *pwd; - FILE *fp = NULL; From eb1f8e54b9be5baea2999b96bed043b011665c86 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:09:31 -0400 Subject: [PATCH 08/14] - fix included in 1.9 --- krb5-1.8.x-authdata.patch | 34 ---------------------------------- 1 file changed, 34 deletions(-) delete mode 100644 krb5-1.8.x-authdata.patch diff --git a/krb5-1.8.x-authdata.patch b/krb5-1.8.x-authdata.patch deleted file mode 100644 index a5bce28..0000000 --- a/krb5-1.8.x-authdata.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -Candidate fix for CVE-2010-1322. - -diff -up krb5/src/kdc/kdc_authdata.c krb5/src/kdc/kdc_authdata.c ---- krb5/src/kdc/kdc_authdata.c 2010-09-22 16:01:55.196827943 -0400 -+++ krb5/src/kdc/kdc_authdata.c 2010-09-22 16:01:58.282828001 -0400 -@@ -495,7 +495,7 @@ merge_authdata (krb5_context context, - krb5_boolean copy, - krb5_boolean ignore_kdc_issued) - { -- size_t i, nadata = 0; -+ size_t i, j, nadata = 0; - krb5_authdata **authdata = *out_authdata; - - if (in_authdata == NULL || in_authdata[0] == NULL) -@@ -529,16 +529,16 @@ merge_authdata (krb5_context context, - in_authdata = tmp; - } - -- for (i = 0; in_authdata[i] != NULL; i++) { -+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) { - if (ignore_kdc_issued && - is_kdc_issued_authdatum(context, in_authdata[i], 0)) { - free(in_authdata[i]->contents); - free(in_authdata[i]); - } else -- authdata[nadata + i] = in_authdata[i]; -+ authdata[nadata + j++] = in_authdata[i]; - } - -- authdata[nadata + i] = NULL; -+ authdata[nadata + j] = NULL; - - free(in_authdata); - From f5a4e92a9532c48d1d69401829c35765a3063b77 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:18:45 -0400 Subject: [PATCH 09/14] - initial jump to 1.9 beta 1 --- krb5.spec | 44 +++++++++++++++----------------------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/krb5.spec b/krb5.spec index fd52c5c..a6af1af 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -4,12 +4,12 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.8.3 -Release: 8%{?dist} +Version: 1.9 +Release: 0%{?dist}.beta1.0 # Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.3-signed.tar -Source0: krb5-%{version}.tar.gz -Source1: krb5-%{version}.tar.gz.asc +# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-beta1-signed.tar +Source0: krb5-%{version}-beta1.tar.gz +Source1: krb5-%{version}-beta1.tar.gz.asc Source2: kpropd.init Source4: kadmind.init Source5: krb5kdc.init @@ -20,7 +20,7 @@ Source19: krb5kdc.sysconfig Source20: kadmin.sysconfig # The same source files we "check", generated with "krb5-tex-pdf.sh create" # and tarred up. -Source23: krb5-%{version}-pdf.tar.gz +Source23: krb5-%{version}-beta1-pdf.tar.bz2 Source24: krb5-tex-pdf.sh Source25: krb5-1.8-manpaths.txt Source29: ksu.pamd @@ -40,18 +40,12 @@ Patch30: krb5-1.3.4-send-pr-tempfile.patch Patch39: krb5-1.8-api.patch Patch53: krb5-1.7-nodeplibs.patch Patch56: krb5-1.7-doublelog.patch -Patch58: krb5-1.8-key_exp.patch Patch59: krb5-1.8-kpasswd_tcp.patch Patch60: krb5-1.8-pam.patch -Patch61: krb5-1.8-manpaths.patch +Patch61: krb5-1.9-manpaths.patch Patch63: krb5-1.8-selinux-label.patch Patch70: krb5-trunk-kpasswd_tcp2.patch -Patch71: krb5-1.8-dirsrv-accountlock.patch -Patch72: krb5-trunk-explife.patch -Patch73: krb5-trunk-key_usage.patch -Patch74: krb5-trunk-signed.patch -Patch75: krb5-trunk-k5login.patch -Patch76: krb5-1.8.x-authdata.patch +Patch71: krb5-1.9-dirsrv-accountlock.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -166,7 +160,7 @@ to obtain initial credentials from a KDC using a private key and a certificate. %prep -%setup -q -a 23 +%setup -q -a 23 -n krb5-%{version}-beta1 ln -s NOTICE LICENSE %patch60 -p1 -b .pam 
@@ -185,15 +179,9 @@ ln -s NOTICE LICENSE %patch39 -p1 -b .api %patch53 -p1 -b .nodeplibs %patch56 -p1 -b .doublelog -%patch58 -p1 -b .key_exp %patch59 -p1 -b .kpasswd_tcp #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock -%patch72 -p0 -b .explife -%patch73 -p0 -b .key_usage -%patch74 -p0 -b .signed -%patch75 -p1 -b .k5login -%patch76 -p1 -b .authdata gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -226,14 +214,6 @@ doc/kadm5 api-funcspec doc/kadm5 api-server-design EOF -# Fix the LDIF file. -if test %{version} != 1.8.3 ; then - # Hopefully this was fixed later. - exit 1 -fi -sed -i s,^attributetype:,attributetypes:,g \ - src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif - # Generate an FDS-compatible LDIF file. inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif cat > 60kerberos.ldif << EOF @@ -645,6 +625,12 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Nov 5 2010 Nalin Dahyabhai 1.9-0.beta1.0 +- start moving to 1.9 with beta 1 + - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 + - drop no-longer-needed backport patch for #539423 + - drop no-longer-needed patch for CVE-2010-1322 + * Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 - incorporate upstream patch to fix uninitialized pointer crash in the KDC's authorization data handling (CVE-2010-1322, #636335) From 72245b6dbe07bb913efee5299913ef09255ed030 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:19:30 -0400 Subject: [PATCH 10/14] - drop 1.8.3 sources --- sources | 3 --- 1 file changed, 3 deletions(-) diff --git a/sources b/sources index f533ff0..e69de29 100644 --- a/sources +++ b/sources @@ -1,3 +0,0 @@ -1597a1e762f6e0d6fec6fd78638d0f4b krb5-1.8.3.tar.gz -7d67d4314ab44e0cca79bc6815db4873 krb5-1.8.3.tar.gz.asc -7851dd78723161b85399bdaefc3f3054 krb5-1.8.3-pdf.tar.gz From d8eebf32f724bca246308deb9379755d5f01c4f6 Mon Sep 17 00:00:00 2001 
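Review bot: In the `@@ -226,14 +214,6 @@` hunk, removing the `if test %{version} != 1.8.3 ; then … exit 1` guard together with the `attributetype:` → `attributetypes:` sed drops the only build-time check that the upstream kerberos.ldif is usable by 389-ds, so if the 1.9 beta still ships the singular keyword the defect now reaches 60kerberos.ldif silently. The removed comment only said "Hopefully this was fixed later", so the premise deserves a cheap assertion in its place rather than nothing: `# 1.9 should ship the corrected keyword; fail the build if it regresses.` followed by `grep -q '^attributetype:' $inldif && exit 1`, placed after the `inldif=` assignment that the hunk keeps. The remaining hunks of this patch (patch-list cleanup, %prep, changelog) need no change.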
From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:21:49 -0400 Subject: [PATCH 11/14] - add 1.9-beta1 sources --- sources | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sources b/sources index e69de29..8a2301d 100644 --- a/sources +++ b/sources @@ -0,0 +1,3 @@ +82ba4f2d0f1294c293c8950273699baf krb5-1.9-beta1.tar.gz +9cbfa9872d119d8d6b5257238aae4740 krb5-1.9-beta1.tar.gz.asc +d35f2aab55fcef566bd4fc03c68c383c krb5-1.9-beta1-pdf.tar.bz2 From eab0a264a6ec231832a59b9134ed5446c5768b4a Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Nov 2010 15:41:19 -0400 Subject: [PATCH 12/14] - if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) --- krb5.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/krb5.spec b/krb5.spec index a6af1af..b99474c 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,5 +1,6 @@ %global WITH_LDAP 1 %global WITH_OPENSSL 1 +%global WITH_NSS 0 %global WITH_DIRSRV 1 Summary: The Kerberos network authentication system @@ -263,6 +264,9 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --enable-pkinit \ %else --disable-pkinit \ +%endif +%if %{WITH_NSS} + --with-crypto-impl=nss \ %endif --with-pam \ --with-selinux @@ -630,6 +634,7 @@ exit 0 - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 - drop no-longer-needed backport patch for #539423 - drop no-longer-needed patch for CVE-2010-1322 +- if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9) * Tue Oct 5 2010 Nalin Dahyabhai 1.8.3-8 - incorporate upstream patch to fix uninitialized pointer crash in the KDC's From 3515095a61d574fa2dad2634e11db4a62a3b2766 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 9 Nov 2010 10:30:57 -0500 Subject: [PATCH 13/14] - drop not-needed-since-1.8 build dependency on rsh (ssorce) --- krb5.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/krb5.spec b/krb5.spec index b99474c..20a9d93 100644 --- a/krb5.spec +++ b/krb5.spec 
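Review bot: The new `%if %{WITH_NSS}` block in the `@@ -263,6 +264,9 @@` hunk passes `--with-crypto-impl=nss` to configure, but nothing in this patch adds the matching build dependency, so a WITH_NSS=1 build relies on whatever nss-devel happens to be installed and the 3.12.9 minimum named in the commit subject is not enforced by rpmbuild. Add a guarded requirement next to the existing BuildRequires lines: `%if %{WITH_NSS}` / `BuildRequires: nss-devel >= 3.12.9` / `%endif`. It would also help to state in a comment at the `%global WITH_NSS 0` hunk whether WITH_OPENSSL and WITH_NSS are meant to be mutually exclusive; the visible hunks do not show how the two flags interact.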
@@ -6,7 +6,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.9 -Release: 0%{?dist}.beta1.0 +Release: 0%{?dist}.beta1.1 # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-beta1-signed.tar Source0: krb5-%{version}-beta1.tar.gz @@ -56,7 +56,7 @@ BuildRequires: autoconf, bison, flex, gawk %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 BuildRequires: libcom_err-devel, libss-devel %endif -BuildRequires: gzip, ncurses-devel, rsh, texinfo, texinfo-tex, tar +BuildRequires: gzip, ncurses-devel, texinfo, texinfo-tex, tar BuildRequires: texlive-latex BuildRequires: keyutils-libs-devel BuildRequires: libselinux-devel @@ -629,6 +629,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Tue Nov 9 2010 Nalin Dahyabhai 1.9-0.beta1.1 +- drop not-needed-since-1.8 build dependency on rsh (ssorce) + * Fri Nov 5 2010 Nalin Dahyabhai 1.9-0.beta1.0 - start moving to 1.9 with beta 1 - drop patches for RT#5755, RT#6762, RT#6774, RT#6775 From b5f2ca038984e0491b76c8c9488fe1bd6a2f78bd Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 30 Nov 2010 11:46:12 -0500 Subject: [PATCH 14/14] add tweaks for initial whitespace that cause 389-ds to choke on the schema ldif --- krb5.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/krb5.spec b/krb5.spec index b99474c..5f55b89 100644 --- a/krb5.spec +++ b/krb5.spec @@ -221,7 +221,9 @@ cat > 60kerberos.ldif << EOF # This is a variation on kerberos.ldif which 389 Directory Server will like. dn: cn=schema EOF -egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif +egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif | \ +sed -r 's,^ , ,g' | \ +sed -r 's,^ , ,g' >> 60kerberos.ldif touch -r $inldif 60kerberos.ldif # Rebuild the configure scripts.
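Review bot: The two added `sed -r 's,^ , ,g'` stages in the `@@ -221,7 +221,9 @@` hunk carry no comment, and the whitespace inside their patterns is the whole point (this rendering has collapsed it, so the two passes read identically), so a reader of the spec cannot tell which leading-whitespace forms each pass normalizes or why. Add a line above the pipeline such as `# 389-ds chokes on the initial whitespace upstream uses in the schema LDIF; normalize it before appending.`, naming the exact forms the two patterns match. As a point of style, the `g` flag is redundant on a `^`-anchored substitution, and the two passes would read more clearly as a single `sed -r -e … -e …` invocation. The rsh-removal hunks above this one need no change.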