rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove ovsec_adm_export and confvalidator

Browse Source
This commit is contained in:
Robbie Harwood 2019-04-17 16:17:17 -04:00
parent 5ebfb70254
commit 707673a505
3 changed files with 821 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

430
Remove-confvalidator-utility.patch Normal file
View File

@ -0,0 +1,430 @@
From 32a6caec15bafd37fdf5746c08cf1a385166020e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 3 Apr 2019 14:58:19 -0400
Subject: [PATCH] Remove confvalidator utility
This utility has not been maintained with encryption types and salt
changes, which suggests it is unused.
(cherry picked from commit 482a366793d9338e9edb504b407d7704a4bb2f8f)
---
src/util/confvalidator/README | 25 ----
src/util/confvalidator/confparser.py | 144 -------------------
src/util/confvalidator/rules.yml | 13 --
src/util/confvalidator/validator.conf | 2 -
src/util/confvalidator/validator.py | 194 --------------------------
5 files changed, 378 deletions(-)
delete mode 100644 src/util/confvalidator/README
delete mode 100644 src/util/confvalidator/confparser.py
delete mode 100644 src/util/confvalidator/rules.yml
delete mode 100644 src/util/confvalidator/validator.conf
delete mode 100644 src/util/confvalidator/validator.py
diff --git a/src/util/confvalidator/README b/src/util/confvalidator/README
deleted file mode 100644
index 7bf7a106a..000000000
--- a/src/util/confvalidator/README
+++ /dev/null
@@ -1,25 +0,0 @@
-validator.py is a command line tool for identifying invalid attributes, values and some formating problems in Kerberos configuration files.
-The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules file.
-
-Usage:
-
-validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]
-
-Options:
-
-path the path to the configuration file to validate
-
--d defPath path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”.
-
--r rulesPath - path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules.
-
--c validatorConfPath the same as -r and -d options, but in validator configuration file format.
-
-Example:
-
-python validator.py src/config-files/krb5.conf -r rules.yml -d src/include/k5-int.h
-or
-python validator.py src/config-files/krb5.conf -c validator.conf
-
-For more details please refer to the sample files validator.conf and rules.yml
-
diff --git a/src/util/confvalidator/confparser.py b/src/util/confvalidator/confparser.py
deleted file mode 100644
index 2fea142a5..000000000
--- a/src/util/confvalidator/confparser.py
+++ /dev/null
@@ -1,144 +0,0 @@
-'''
-Created on Jan 31, 2010
-
-@author: tsitkova
-'''
-import re
-import copy
-import yaml
-
-class ConfParser(object):
- def __init__(self, path):
- self.configuration = self._parse(path)
-
- def walk(self):
- for trio in self._walk(self.configuration):
- yield trio
-
- def _parse(self, path):
- comment_pattern = re.compile(r'(\s*[#].*)')
- section_pattern = re.compile(r'^\s*\[(?P<section>\w+)\]\s+$')
- empty_pattern = re.compile(r'^\s*$')
- equalsign_pattern = re.compile(r'=')
-
- section = None
- parser_stack = list()
- result = dict()
- value = None
- f = open(path, 'r')
- for (ln,line) in enumerate(f):
- line = comment_pattern.sub('', line)
- line = equalsign_pattern.sub(' = ',line,count=1)
- if empty_pattern.match(line) is not None:
- continue
- m = section_pattern.match(line)
- if m is not None:
- section = m.group('section')
- value = dict()
- result[section] = value
- continue
- if section is None:
- msg = 'Failed to determine section for line #%i' % ln
- raise ValueError(msg)
- try:
- value = self._parseLine(value, line, parser_stack)
- except:
- print 'Error while parsing line %i: %s' % (ln+1, line)
- raise
- f.close()
-
- if len(parser_stack):
- raise 'Parsing error.'
-
- return result
-
- def _parseLine(self, value, content, stack):
- token_pattern = re.compile(r'(?P<token>\S+)(?=\s+)')
- attr = None
- token_stack = list()
-
- for m in token_pattern.finditer(content):
- token = m.group('token')
- if not self._validate(token):
- raise ValueError('Invalid token %s' % token)
- if token == '=':
- if len(token_stack) == 0:
- raise ValueError('Failed to find attribute.')
- elif len(token_stack) == 1:
- attr = token_stack.pop()
- else:
- value[attr] = token_stack[:-1]
- attr = token_stack[-1]
- token_stack = list()
- elif token == '{':
- if attr is None:
- raise ValueError('Failed to find attribute.')
- stack.append((attr,value))
- value = dict()
- elif token == '}':
- if len(stack) == 0:
- raise ValueError('Failed to parse: unbalanced braces')
- if len(token_stack):
- if attr is None:
- raise ValueError('Missing attribute')
- value[attr] = token_stack
- attr = None
- token_stack = list()
- (attr,parent_value) = stack.pop()
- parent_value[attr] = value
- value = parent_value
- else:
- token_stack.append(token)
- if len(token_stack):
- if attr is None:
- raise ValueError('Missing attribute')
- value[attr] = token_stack
-
- return value
-
- def _validate(self, token):
- result = True
- for s in ['{','}']:
- if s in token and s != token:
- result = False
-
- return result
-
- def _walk(self, parsedData, path='root'):
- dirs = list()
- av = list()
- for (key, value) in parsedData.iteritems():
- if type(value) == dict:
- new_path = path + '.' + key
- for trio in self._walk(value, new_path):
- yield trio
- dirs.append(key)
- else:
- av.append((key,value))
- yield (path, dirs, av)
-
-
-
-class ConfParserTest(ConfParser):
- def __init__(self):
- self.conf_path = '../tests/krb5.conf'
- super(ConfParserTest, self).__init__(self.conf_path)
-
- def run_tests(self):
- self._test_walk()
-
- def _test_parse(self):
- result = self._parse(self.conf_path)
- print yaml.dump(result)
-
- def _test_walk(self):
- configuration = self._parse(self.conf_path)
- for (path,dirs,av) in self.walk():
- print path,dirs,av
-
-
-
-
-if __name__ == '__main__':
- tester = ConfParserTest()
- tester.run_tests()
diff --git a/src/util/confvalidator/rules.yml b/src/util/confvalidator/rules.yml
deleted file mode 100644
index c6ccc89fe..000000000
--- a/src/util/confvalidator/rules.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Extend the list of the allowed enctypes and salts as needed
-Types:
- supported_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)(:(normal|v4))?$'
- default_tgs_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)'
- default_tkt_enctypes:
- '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1|des3-cbc-raw|des3-cbc-sha1|des3-hmac-sha1|rc4-hmac|arcfour-hmac-md5)'
-
-# Add all valid profile attributes that are not listed in k5-int.h
-Attributes:
- - logging
- - dbmodules
diff --git a/src/util/confvalidator/validator.conf b/src/util/confvalidator/validator.conf
deleted file mode 100644
index 71e205c3b..000000000
--- a/src/util/confvalidator/validator.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-RulesPath=./rules.yml
-HfilePath=../../include/k5-int.h
diff --git a/src/util/confvalidator/validator.py b/src/util/confvalidator/validator.py
deleted file mode 100644
index d739bc091..000000000
--- a/src/util/confvalidator/validator.py
+++ /dev/null
@@ -1,194 +0,0 @@
-'''
-Created on Jan 25, 2010
-
-@author: tsitkova
-'''
-import os
-import sys
-import re
-import yaml
-from optparse import OptionParser
-from confparser import ConfParser
-
-class Rule(object):
- def __init__(self):
- pass
-
- def validate(self,node):
- (path,dirs,avs) = node
-
-
-class Validator(object):
- def __init__(self, kerberosPath, confPath=None, rulesPath=None, hfilePath=None):
- self.parser = ConfParser(kerberosPath)
- if confPath is not None:
- content = self._readConfigFile(confPath)
- rulesPath = content['RulesPath']
- hfilePath = content['HfilePath']
- if rulesPath is not None and hfilePath is not None:
- self.rules = self._loadRules(rulesPath)
- self.validKeys = SupportedKeys(hfilePath).validKeys.union(self.rules['Attributes'])
- else:
- raise ValueError('Invalid arguments for validator: no path to rules and definition files')
-
- self._attribute_pattern = re.compile(r'^\w+$')
- self._lowercase_pattern = re.compile(r'[a-z]')
-
- def _readConfigFile(self,path):
- f = open(path)
- result = dict()
- for line in f:
- line = line.rstrip()
- fields = line.split('=')
- result[fields[0]] = fields[1]
-
- return result
-
- def _loadRules(self, path):
- f = open(path)
- rules = yaml.load(f)
- f.close()
-
- return rules
-
- def validate(self):
- typeInfo = self.rules['Types']
-
- for node in self.parser.walk():
- self._validateTypes(node, typeInfo)
- self._validateAttrubutes(node, self.validKeys)
- # self._validateRealm(node)
-
-
- def _validateTypes(self, node, typeInfo):
- (path, dirs, avs) = node
- for (key, value) in avs:
- valid_type_pattern = typeInfo.get(key)
- if valid_type_pattern is not None:
- for t in value:
- if re.match(valid_type_pattern, t) is None:
- print 'Wrong type %s for attribute %s.%s' % (t,path,key)
-
- def _validateAttrubutes(self, node, validKeys):
- (path, dirs, avs) = node
- attributes = list()
- for attr in dirs:
- if self._attribute_pattern.match(attr) is not None:
- attributes.append(attr)
- for (attr, value) in avs:
- if self._attribute_pattern.match(attr) is not None:
- attributes.append(attr)
-
- for attr in attributes:
- if attr not in validKeys:
- print 'Unrecognized attribute %s at %s' % (attr, path)
-
-# def _validateRealm(self, node):
-# (path, dirs, avs) = node
-# if path == 'root.realms':
-# for attr in dirs:
-# if self._lowercase_pattern.search(attr) is not None:
-# print 'Lower case letter in realm attribute: %s at %s' % (attr, path)
-
-class SupportedKeys(object):
- def __init__(self, path):
- self.validKeys = self.getKeysFromHfile(path)
-
- def getKeysFromHfile(self, path):
- pattern = re.compile(r'^[#]define KRB5_CONF_\w+\s+["](\w+)["]')
- f = open(path)
- result = set()
- for l in f:
- l = l.rstrip()
- m = pattern.match(l)
- if m is not None:
- result.add(m.groups()[0])
- f.close()
-
- return result
-
-
-class ValidatorTest(Validator):
- def __init__(self):
- self.kerberosPath = '../tests/kdc1.conf'
- self.rulesPath = '../tests/rules.yml'
- self.hfilePath = '../tests/k5-int.h'
- self.confPath = '../tests/validator.conf'
-
- super(ValidatorTest, self).__init__(self.kerberosPath,
- rulesPath=self.rulesPath,
- hfilePath=self.hfilePath)
-
- def run_tests(self):
- self._test_validate()
-
- def _test__loadRules(self):
- result = self._loadRules(self.rulesPath)
- print result
-
- def _test_validate(self):
- self.validate()
-
- def _test__readConfigFile(self):
- result = self._readConfigFile(self.confPath)
- print result
-
-class SupportedKeysTest(SupportedKeys):
- def __init__(self):
- self.path = '../tests/k5-int.h'
-
- def run_tests(self):
- self._test_getKeysFromHFile()
-
- def _test_getKeysFromHFile(self):
- result = set()
- krb5keys = self.getKeysFromHfile(self.path)
- for key in krb5keys:
- print key
- result.update(key)
- print len(krb5keys)
-
- return result
-
-def _test():
- tester = ValidatorTest()
- krb5keys = tester.run_tests()
-
-if __name__ == '__main__':
- TEST = False
- if TEST:
- _test()
- sys.exit()
-
-
- usage = "\n\t%prog path [-d defPath] [-r rulesPath] [-c validatorConfPath]"
- description = 'Description: validates kerberos configuration file'
- parser = OptionParser(usage = usage, description = description)
- parser.add_option("-c", dest="confPath",
- help='path to validator config file')
- parser.add_option("-d", dest="hfilePath",
- help='path to h-file with attribute definition')
- parser.add_option("-r", dest="rulesPath",
- help='path to file with validation rules')
- (options, args) = parser.parse_args()
-
- if len(args) != 1 and len(sys.argv) <= 3:
- print '\n%s' % parser.get_usage()
- sys.exit()
-
- validator = None
- if options.confPath is not None:
- validator = Validator(args[0], confPath=options.confPath)
- elif options.hfilePath is not None and options.rulesPath is not None:
- validator = Validator(args[0], hfilePath=options.hfilePath, rulesPath=options.rulesPath)
- else:
- print '\nMust specify either configuration file or paths to rules and definitions files'
- print '%s' % parser.get_usage()
- sys.exit()
-
- validator.validate()
-
-
-
-
-

385
Remove-ovsec_adm_export-dump-format-support.patch Normal file
View File

@ -0,0 +1,385 @@
From 34bde16a10c0cf0f05732376b955af0302af155d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 22 Jan 2019 18:34:58 -0500
Subject: [PATCH] Remove ovsec_adm_export dump format support
Dumping only suported single-DES principals. While importing still
functioned, it would only have been useful for extremely old (1.3-era)
KDCs.
ticket: 8798 (new)
(cherry picked from commit 23b93fd48bc445005436c5be98a7269b599b1800)
---
doc/admin/admin_commands/kdb5_util.rst | 11 +--
doc/admin/database.rst | 14 ----
src/kadmin/dbutil/dump.c | 109 ++-----------------------
src/kadmin/dbutil/kdb5_util.c | 4 +-
src/man/kdb5_util.man | 13 +--
src/tests/Makefile.in | 6 --
src/tests/t_dump.py | 8 --
7 files changed, 13 insertions(+), 152 deletions(-)
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index fee68261a..7dd54f797 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -136,7 +136,7 @@ dump
.. _kdb5_util_dump:
- **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**]
+ **dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
*mkey_file*] [**-rev**] [**-recurse**] [*filename*
[*principals*...]]
@@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
-**-ov**
- causes the dump to be in "ovsec_adm_export" format.
-
**-r13**
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
@@ -204,7 +201,7 @@ load
.. _kdb5_util_load:
- **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**]
+ **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*
Loads a database dump from the named file into the named database. If
@@ -222,10 +219,6 @@ Options:
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
-**-ov**
- requires the database to be in "ovsec_adm_import" format. Must be
- used with the **-update** option.
-
**-r13**
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 2b02af3a0..113a680a6 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -393,20 +393,6 @@ To dump a single principal and later load it, updating the database:
If the database file exists, and the *-update* flag was not
given, *kdb5_util* will overwrite the existing database.
-Using kdb5_util to upgrade a master KDC from krb5 1.1.x:
-
-::
-
- shell% kdb5_util dump old-kdb-dump
- shell% kdb5_util dump -ov old-kdb-dump.ov
- [Create a new KDC installation, using the old stash file/master password]
- shell% kdb5_util load old-kdb-dump
- shell% kdb5_util load -update old-kdb-dump.ov
-
-The use of old-kdb-dump.ov for an extra dump and load is necessary
-to preserve per-principal policy information, which is not included in
-the default dump format of krb5 1.1.x.
-
.. note::
Using kdb5_util to dump and reload the principal database is
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 8301a33d0..19f2cc230 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -484,83 +484,6 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
fprintf(arg->ofile, "\n");
}
-static void
-print_key_data(FILE *f, krb5_key_data *kd)
-{
- int c;
-
- fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]);
- for (c = 0; c < kd->key_data_length[0]; c++)
- fprintf(f, "%02x ", kd->key_data_contents[0][c]);
-}
-
-/* Output osa_adb_princ_ent data in a printable serialized format, suitable for
- * ovsec_adm_import consumption. */
-static krb5_error_code
-dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name,
- FILE *fp, krb5_boolean verbose, krb5_boolean omit_nra)
-{
- char *princstr;
- unsigned int x;
- int y, foundcrc;
- krb5_tl_data tl_data;
- osa_princ_ent_rec adb;
- XDR xdrs;
- krb5_key_data *key_data;
-
- tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) ||
- tl_data.tl_data_length == 0)
- return 0;
-
- memset(&adb, 0, sizeof(adb));
- xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
- tl_data.tl_data_length, XDR_DECODE);
- if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) {
- xdr_destroy(&xdrs);
- return KADM5_XDR_FAILURE;
- }
- xdr_destroy(&xdrs);
-
- krb5_unparse_name(context, entry->princ, &princstr);
- fprintf(fp, "princ\t%s\t", princstr);
- if (adb.policy == NULL)
- fputc('\t', fp);
- else
- fprintf(fp, "%s\t", adb.policy);
- fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len,
- adb.old_key_next, adb.admin_history_kvno);
-
- for (x = 0; x < adb.old_key_len; x++) {
- foundcrc = 0;
- for (y = 0; y < adb.old_keys[x].n_key_data; y++) {
- key_data = &adb.old_keys[x].key_data[y];
- if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC)
- continue;
- if (foundcrc) {
- fprintf(stderr, _("Warning! Multiple DES-CBC-CRC keys for "
- "principal %s; skipping duplicates.\n"),
- princstr);
- continue;
- }
- foundcrc++;
-
- fputc('\t', fp);
- print_key_data(fp, key_data);
- }
- if (!foundcrc) {
- fprintf(stderr, _("Warning! No DES-CBC-CRC key for principal %s, "
- "cannot generate OV-compatible record; "
- "skipping\n"), princstr);
- }
- }
-
- fputc('\n', fp);
- free(princstr);
- xdr_free(xdr_osa_princ_ent_rec, &adb);
- return 0;
-}
-
static krb5_error_code
dump_iterator(void *ptr, krb5_db_entry *entry)
{
@@ -1101,14 +1024,6 @@ process_k5beta7_record(krb5_context context, const char *fname, FILE *filep,
process_k5beta7_princ, process_k5beta7_policy);
}
-static int
-process_ov_record(krb5_context context, const char *fname, FILE *filep,
- krb5_boolean verbose, int *linenop)
-{
- return process_tagged(context, fname, filep, verbose, linenop,
- process_ov_principal, process_k5beta7_policy);
-}
-
static int
process_r1_8_record(krb5_context context, const char *fname, FILE *filep,
krb5_boolean verbose, int *linenop)
@@ -1135,16 +1050,6 @@ dump_version beta7_version = {
dump_k5beta7_policy,
process_k5beta7_record,
};
-dump_version ov_version = {
- "OpenV*Secure V1.0",
- "OpenV*Secure V1.0\t",
- 1,
- 0,
- 0,
- dump_ov_princ,
- dump_k5beta7_policy,
- process_ov_record
-};
dump_version r1_3_version = {
"Kerberos version 5 release 1.3",
"kdb5_util load_dump version 5\n",
@@ -1267,7 +1172,7 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile)
/*
* usage is:
- * dump_db [-b7] [-ov] [-r13] [-r18] [-verbose] [-mkey_convert]
+ * dump_db [-b7] [-r13] [-r18] [-verbose] [-mkey_convert]
* [-new_mkey_file mkey_file] [-rev] [-recurse]
* [filename [principals...]]
*/
@@ -1302,7 +1207,8 @@ dump_db(int argc, char **argv)
if (!strcmp(argv[aindex], "-b7")) {
dump = &beta7_version;
} else if (!strcmp(argv[aindex], "-ov")) {
- dump = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
} else if (!strcmp(argv[aindex], "-r13")) {
dump = &r1_3_version;
} else if (!strcmp(argv[aindex], "-r18")) {
@@ -1515,8 +1421,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f,
}
/*
- * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash]
- * filename
+ * Usage: load_db [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] filename
*/
void
load_db(int argc, char **argv)
@@ -1540,7 +1445,8 @@ load_db(int argc, char **argv)
if (!strcmp(argv[aindex], "-b7")){
load = &beta7_version;
} else if (!strcmp(argv[aindex], "-ov")) {
- load = &ov_version;
+ fprintf(stderr, _("OV dump format not supported\n"));
+ goto error;
} else if (!strcmp(argv[aindex], "-r13")) {
load = &r1_3_version;
} else if (!strcmp(argv[aindex], "-r18")){
@@ -1605,9 +1511,6 @@ load_db(int argc, char **argv)
load = &r1_8_version;
} else if (strcmp(buf, r1_11_version.header) == 0) {
load = &r1_11_version;
- } else if (strncmp(buf, ov_version.header,
- strlen(ov_version.header)) == 0) {
- load = &ov_version;
} else {
fprintf(stderr, _("%s: dump header bad in %s\n"), progname,
dumpfile);
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index accc959e0..e73e2c68e 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -85,10 +85,10 @@ void usage()
"\tcreate [-s]\n"
"\tdestroy [-f]\n"
"\tstash [-f keyfile]\n"
- "\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
+ "\tdump [-old|-b6|-b7|-r13|-r18] [-verbose]\n"
"\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
"\t [-rev] [-recurse] [filename [princs...]]\n"
- "\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] "
+ "\tload [-old|-b6|-b7|-r13|-r18] [-verbose] [-update] "
"filename\n"
"\tark [-e etype_list] principal\n"
"\tadd_mkey [-e etype] [-s]\n"
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 5ebc68a57..9a36ef0df 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.18" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
@@ -136,7 +136,7 @@ kdc.conf(5)\&.
.SS dump
.INDENT 0.0
.INDENT 3.5
-\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP]
+\fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP]
[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP
\fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP
[\fIprincipals\fP\&...]]
@@ -154,9 +154,6 @@ causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
.TP
-\fB\-ov\fP
-causes the dump to be in "ovsec_adm_export" format.
-.TP
\fB\-r13\fP
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
@@ -203,7 +200,7 @@ doing a normal dump instead of a recursive traversal.
.SS load
.INDENT 0.0
.INDENT 3.5
-\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
+\fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP
.UNINDENT
.UNINDENT
@@ -224,10 +221,6 @@ requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
.TP
-\fB\-ov\fP
-requires the database to be in "ovsec_adm_import" format. Must be
-used with the \fB\-update\fP option.
-.TP
\fB\-r13\fP
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index e27617ee2..c96c5d6b7 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -97,7 +97,6 @@ kdb_check: kdc.conf krb5.conf
$(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS)
$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
@echo "====> NOTE!"
@echo "The following 'create' command is needed due to a change"
@@ -105,16 +104,11 @@ kdb_check: kdc.conf krb5.conf
@echo ====
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
$(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2
- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2
sort $(TEST_DB).dump > $(TEST_DB).sort
sort $(TEST_DB).dump2 > $(TEST_DB).sort2
- sort $(TEST_DB).ovdump > $(TEST_DB).ovsort
- sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2
cmp $(TEST_DB).sort $(TEST_DB).sort2
- cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
index d803d5602..5d692df99 100755
--- a/src/tests/t_dump.py
+++ b/src/tests/t_dump.py
@@ -73,7 +73,6 @@ for realm in multidb_realms(start_kdc=False):
srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18')
srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13')
srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7')
- srcdump_ov = os.path.join(srcdumpdir, 'dump.ov')
# Load a dump file from the source directory.
realm.run([kdb5_util, 'destroy', '-f'])
@@ -86,17 +85,10 @@ for realm in multidb_realms(start_kdc=False):
dump_compare(realm, ['-r18'], srcdump_r18)
dump_compare(realm, ['-r13'], srcdump_r13)
dump_compare(realm, ['-b7'], srcdump_b7)
- dump_compare(realm, ['-ov'], srcdump_ov)
# Load each format of dump, check it, re-dump it, and compare.
load_dump_check_compare(realm, ['-r18'], srcdump_r18)
load_dump_check_compare(realm, ['-r13'], srcdump_r13)
load_dump_check_compare(realm, ['-b7'], srcdump_b7)
- # Loading the last (-b7 format) dump won't have loaded the
- # per-principal kadm data. Load that incrementally with -ov.
- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
- realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
-
success('Dump/load tests')

7
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 10%{?dist}
Release: 11%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -81,6 +81,8 @@ Patch108: Remove-ccapi-related-comments-in-configure.ac.patch
Patch109: Remove-doxygen-generated-HTML-output-for-ccapi.patch
Patch110: Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
Patch111: Fix-config-realm-change-logic-in-FILE-remove_cred.patch
Patch112: Remove-confvalidator-utility.patch
Patch113: Remove-ovsec_adm_export-dump-format-support.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -717,6 +719,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Apr 17 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-11
- Remove ovsec_adm_export and confvalidator
* Wed Apr 17 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-10
- Fix config realm change logic in FILE remove_cred