Update default krb5kdc mkey manual-entry enctype

Also update account lockout patch to upstream version
2019-05-21 12:59:56 -04:00 · 2019-05-21 12:59:56 -04:00 · 79613952e3
commit 79613952e3
parent 39ba823db6
46 changed files with 166 additions and 119 deletions
--- a/Add-dns_canonicalize_hostname-fallback-support.patch
+++ b/Add-dns_canonicalize_hostname-fallback-support.patch
@ -1,4 +1,4 @@
-From 770a525f940a319b4f9a91423a9f48bde28429b9 Mon Sep 17 00:00:00 2001
+From 8ec4a9ab41c73e7955ed7929a3d2a19592811596 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Tue, 4 Dec 2018 15:22:55 -0500
 Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
--- a/Add-function-and-enctype-flag-for-deprecations.patch
+++ b/Add-function-and-enctype-flag-for-deprecations.patch
@ -1,4 +1,4 @@
-From 0713281743627e32f234e55bdaaeb58b37036675 Mon Sep 17 00:00:00 2001
+From 8491894d2bad21026d73b999814baffe8a695fb7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 15 Jan 2019 16:16:57 -0500
 Subject: [PATCH] Add function and enctype flag for deprecations
--- a/Add-tests-for-KCM-ccache-type.patch
+++ b/Add-tests-for-KCM-ccache-type.patch
@ -1,4 +1,4 @@
-From b8be4f3272dcca4b34f9d79b47b88e510e0d4926 Mon Sep 17 00:00:00 2001
+From 01dcc90e901491196a7ce5da893eec0b699c28b5 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@ -1,4 +1,4 @@
-From 31df8a3ef6b01b11a5956e16206069907a7acf17 Mon Sep 17 00:00:00 2001
+From ef4610f2ca0337bf5522dca3dc6800f795cc6a82 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
--- a/Avoid-alignment-warnings-in-openssl-rc4.c.patch
+++ b/Avoid-alignment-warnings-in-openssl-rc4.c.patch
@ -1,4 +1,4 @@
-From dac87fb5d866251731ba524053d55482bf5fad2a Mon Sep 17 00:00:00 2001
+From cf0981bf39558c6501fe1dd2386231ac5f430918 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 15:14:49 -0400
 Subject: [PATCH] Avoid alignment warnings in openssl rc4.c
--- a/Avoid-allocating-a-register-in-zap-assembly.patch
+++ b/Avoid-allocating-a-register-in-zap-assembly.patch
@ -1,4 +1,4 @@
-From 087dd4f2cfde763b3b4ac1e34de87a3b9217037f Mon Sep 17 00:00:00 2001
+From f516db322b1469a13e59e1c2847e62cb265ce92c Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 3 Jan 2019 17:19:32 +0100
 Subject: [PATCH] Avoid allocating a register in zap() assembly
--- a/Check-more-errors-in-OpenSSL-crypto-backend.patch
+++ b/Check-more-errors-in-OpenSSL-crypto-backend.patch
@ -1,4 +1,4 @@
-From 43fa850e47233f95c429c5b06fc74130a9c2b2b1 Mon Sep 17 00:00:00 2001
+From f001aa86071aabc398b0d7c38033c26b21fe85f2 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 22 Apr 2019 14:26:42 -0400
 Subject: [PATCH] Check more errors in OpenSSL crypto backend
--- a/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
+++ b/Clarify-header-comment-for-krb5_cc_start_seq_get.patch
@ -1,4 +1,4 @@
-From f6f799d2581251529c28bbb4644e42e19c6980ab Mon Sep 17 00:00:00 2001
+From 8f22ca7ddc9765e3d7a1de867164d307f8662cb3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 2 Apr 2019 14:18:57 -0400
 Subject: [PATCH] Clarify header comment for krb5_cc_start_seq_get()
--- a/Clear-forwardable-flag-instead-of-denying-request.patch
+++ b/Clear-forwardable-flag-instead-of-denying-request.patch
@ -1,4 +1,4 @@
-From 63e531d3545d74d734f56987bbc77256cbcd7763 Mon Sep 17 00:00:00 2001
+From ab1435ed0654df9991bddb29971c913ef1f957be Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 15 Nov 2018 13:40:43 -0500
 Subject: [PATCH] Clear forwardable flag instead of denying request
--- a/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
+++ b/Fix-config-realm-change-logic-in-FILE-remove_cred.patch
@ -1,4 +1,4 @@
-From 4cacf2fa4a181b728742bce8c1ea11c07ba9a143 Mon Sep 17 00:00:00 2001
+From 2f5531f3cffb497902241e4932db20617f4d30eb Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 16 Apr 2019 10:47:35 -0400
 Subject: [PATCH] Fix config realm change logic in FILE remove_cred
--- a/Fix-memory-leak-in-none-replay-cache-type.patch
+++ b/Fix-memory-leak-in-none-replay-cache-type.patch
@ -1,4 +1,4 @@
-From 492872c4581f8b7f6d78cbc2e50e0b819c47a168 Mon Sep 17 00:00:00 2001
+From 75b39bfb256b639cf6ca491568fd6ef667b19d46 Mon Sep 17 00:00:00 2001
 From: Corene Casper <C.Casper@Dell.com>
 Date: Sat, 16 Feb 2019 00:49:26 -0500
 Subject: [PATCH] Fix memory leak in 'none' replay cache type
--- a/Fix-potential-close-1-in-cc_file.c.patch
+++ b/Fix-potential-close-1-in-cc_file.c.patch
@ -1,4 +1,4 @@
-From 0201f95a60194c99bd3139235eb46e13e7f4484f Mon Sep 17 00:00:00 2001
+From 4faa872c4fc674b791a1c05652833ff40dac7889 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 18 Apr 2019 13:39:37 -0400
 Subject: [PATCH] Fix potential close(-1) in cc_file.c
--- a/Fix-some-return-code-handling-bugs.patch
+++ b/Fix-some-return-code-handling-bugs.patch
@ -1,4 +1,4 @@
-From e196f175f5b551290efab029295dcf728feb4fac Mon Sep 17 00:00:00 2001
+From b7bbc88f5ebc6000a8dec95e7f0ff92bbeb54ad4 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 14:05:38 -0400
 Subject: [PATCH] Fix some return code handling bugs
--- a/Implement-krb5_cc_remove_cred-for-remaining-types.patch
+++ b/Implement-krb5_cc_remove_cred-for-remaining-types.patch
@ -1,4 +1,4 @@
-From 6e199a7d007bbfd72ed76ff5534b9b3b88a82227 Mon Sep 17 00:00:00 2001
+From 7d3da40bd7f44f2d6960b5a9245a1d773c4ee1a0 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 1 Apr 2019 14:28:48 -0400
 Subject: [PATCH] Implement krb5_cc_remove_cred for remaining types
--- a/Improve-error-messages-from-kadmin-change_password.patch
+++ b/Improve-error-messages-from-kadmin-change_password.patch
@ -1,4 +1,4 @@
-From 35681c176f3519df4700fd799ed66efd323f8c66 Mon Sep 17 00:00:00 2001
+From ae3053282d879cdbb803c0ff1d6deef8940eeb2a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 13:13:16 -0400
 Subject: [PATCH] Improve error messages from kadmin change_password
--- a/In-kpropd-debug-log-proper-ticket-enctype-names.patch
+++ b/In-kpropd-debug-log-proper-ticket-enctype-names.patch
@ -1,4 +1,4 @@
-From 34883789b60e7961ac0c63062ffadbb2e628a76e Mon Sep 17 00:00:00 2001
+From 71cbe768d29bbe35cff9c37959f3e5352569af39 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 15 Jan 2019 13:41:16 -0500
 Subject: [PATCH] In kpropd, debug-log proper ticket enctype names
--- a/In-rd_req_dec-always-log-non-permitted-enctypes.patch
+++ b/In-rd_req_dec-always-log-non-permitted-enctypes.patch
@ -1,4 +1,4 @@
-From 4d178af94f1a5f187b43de96ae16b2fb1cf4ba8a Mon Sep 17 00:00:00 2001
+From 4c59f0f53a698c9c4242791e8d620d50a394d5c6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 14 Jan 2019 17:14:42 -0500
 Subject: [PATCH] In rd_req_dec, always log non-permitted enctypes
--- a/Initialize-some-data-structure-magic-fields.patch
+++ b/Initialize-some-data-structure-magic-fields.patch
@ -1,4 +1,4 @@
-From da7349429a2985423ad006cc1f9d149e594118b7 Mon Sep 17 00:00:00 2001
+From 37b73dd837a05c14d422379b686b8a10de0083fa Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 13:36:38 -0400
 Subject: [PATCH] Initialize some data structure magic fields
--- a/Make-etype-names-in-KDC-logs-human-readable.patch
+++ b/Make-etype-names-in-KDC-logs-human-readable.patch
@ -1,4 +1,4 @@
-From fddfa2abbc9e1ccd138d66a8c462a6a0eba1ecaa Mon Sep 17 00:00:00 2001
+From e05c448510fc20946fb6d777bd7e3841dd986e75 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 8 Jan 2019 17:42:35 -0500
 Subject: [PATCH] Make etype names in KDC logs human-readable
--- a/Mark-deprecated-enctypes-when-used.patch
+++ b/Mark-deprecated-enctypes-when-used.patch
@ -1,4 +1,4 @@
-From c40eb78a918138369f6d7142590732f563968909 Mon Sep 17 00:00:00 2001
+From 7acee539da508c10aabbc8483243da6c6ba37892 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 10 Jan 2019 16:34:54 -0500
 Subject: [PATCH] Mark deprecated enctypes when used
--- a/Mark-the-doc-kadm5-tex-files-as-historic.patch
+++ b/Mark-the-doc-kadm5-tex-files-as-historic.patch
@ -1,4 +1,4 @@
-From 7385ae430280e839a2a0b5a7c5a6be1b2b24aef4 Mon Sep 17 00:00:00 2001
+From 28a605c2411c3def3e5eaa19be5326777e959a1a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:33:04 -0400
 Subject: [PATCH] Mark the doc/kadm5 tex files as historic
--- a/Modernize-example-enctypes-in-documentation.patch
+++ b/Modernize-example-enctypes-in-documentation.patch
@ -1,4 +1,4 @@
-From 6eb0931738f26890952de08d4ea9de24b0f684f5 Mon Sep 17 00:00:00 2001
+From cef9a57dc094bb2ca57d5b765981fbb2ab93adde Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 11 Apr 2019 18:25:41 -0400
 Subject: [PATCH] Modernize example enctypes in documentation
--- a/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
+++ b/Modernize-exit-path-in-gss_krb5int_copy_ccache.patch
@ -1,4 +1,4 @@
-From bca13182a78bc3c62bd7e616c9b69ce96fe00b98 Mon Sep 17 00:00:00 2001
+From 894bcbfcf27c9bc1117bb624f27123eb25fcd7bf Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 14:32:33 -0400
 Subject: [PATCH] Modernize exit path in gss_krb5int_copy_ccache()
--- a/Properly-size-ifdef-in-k5_cccol_lock.patch
+++ b/Properly-size-ifdef-in-k5_cccol_lock.patch
@ -1,4 +1,4 @@
-From 5601f9e0291feedeba7a420396d83b38c7332e86 Mon Sep 17 00:00:00 2001
+From 6f9bd0a292f1b84e16cab8c89efee87359b007d2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 14 Feb 2019 11:50:35 -0500
 Subject: [PATCH] Properly size #ifdef in k5_cccol_lock()
--- a/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
+++ b/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
@ -1,4 +1,4 @@
-From ff88e21470d374f057107148de8b972a04f59641 Mon Sep 17 00:00:00 2001
+From ff011e05cfb28b408778f4ace22a745f19c0bdd2 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 14:37:38 -0400
 Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
--- a/Remove-ccapi-related-comments-in-configure.ac.patch
+++ b/Remove-ccapi-related-comments-in-configure.ac.patch
@ -1,4 +1,4 @@
-From 32b05ffd5f0d6eff5f989a8c30a030a3e1972e5d Mon Sep 17 00:00:00 2001
+From 7f015c7ed945d1d51ffd0ba1dd5b89c150eacf83 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 3 Apr 2019 16:01:22 -0400
 Subject: [PATCH] Remove ccapi-related comments in configure.ac
--- a/Remove-checksum-type-profile-variables.patch
+++ b/Remove-checksum-type-profile-variables.patch
@ -1,4 +1,4 @@
-From e3de3f9916acc4ba0ac2e15c2d9a6826802170d2 Mon Sep 17 00:00:00 2001
+From a642ac26ca00d4cfaae84398372035b0c1e444ed Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 13 May 2019 14:19:57 -0400
 Subject: [PATCH] Remove checksum type profile variables
--- a/Remove-confvalidator-utility.patch
+++ b/Remove-confvalidator-utility.patch
@ -1,4 +1,4 @@
-From 2ea1badfb30f8549a5ec00dc8c5f5e58caea5a03 Mon Sep 17 00:00:00 2001
+From ecab56bca80824913e98a5b25f34a5ebe483990d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 3 Apr 2019 14:58:19 -0400
 Subject: [PATCH] Remove confvalidator utility
--- a/Remove-dead-variable-def_kslist-from-two-files.patch
+++ b/Remove-dead-variable-def_kslist-from-two-files.patch
@ -1,4 +1,4 @@
-From a37470b4f45cd40318c8ad84d92f56bdaac4993e Mon Sep 17 00:00:00 2001
+From 85416629f6d120bf272d9aaa9c661b8a849c40b3 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 2 May 2019 16:57:51 -0400
 Subject: [PATCH] Remove dead variable def_kslist from two files
--- a/Remove-doxygen-generated-HTML-output-for-ccapi.patch
+++ b/Remove-doxygen-generated-HTML-output-for-ccapi.patch
@ -1,4 +1,4 @@
-From 90324f46fe8aed4054ecad4f3a0357ffa3716852 Mon Sep 17 00:00:00 2001
+From cf25d152b2b1f54bbd92e235a30de20e154f3e7a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 14:15:58 -0400
 Subject: [PATCH] Remove doxygen-generated HTML output for ccapi
--- a/Remove-kadmin-RPC-support-for-setting-v4-key.patch
+++ b/Remove-kadmin-RPC-support-for-setting-v4-key.patch
@ -1,4 +1,4 @@
-From 962e49c0ef0faf00210a1f88044782f6fa47a779 Mon Sep 17 00:00:00 2001
+From 12e48c208c042f219d5cb8fb984094c5c958c99b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 4 Apr 2019 16:14:46 -0400
 Subject: [PATCH] Remove kadmin RPC support for setting v4 key
--- a/Remove-more-dead-code.patch
+++ b/Remove-more-dead-code.patch
@ -1,4 +1,4 @@
-From f708c93e82dc34c6ab2bd04be2149bd539faec4d Mon Sep 17 00:00:00 2001
+From 98e6b0ada15075ea017fe8086f21b95fc2280fcd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 9 May 2019 14:07:24 -0400
 Subject: [PATCH] Remove more dead code
--- a/Remove-ovsec_adm_export-dump-format-support.patch
+++ b/Remove-ovsec_adm_export-dump-format-support.patch
@ -1,4 +1,4 @@
-From 56be395114bed8e8dd41b91e41e233637488d3ab Mon Sep 17 00:00:00 2001
+From 6f9222fb372af6d7988c65cc4ec3cb56f6cc747a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 22 Jan 2019 18:34:58 -0500
 Subject: [PATCH] Remove ovsec_adm_export dump format support
--- a/Remove-srvtab-support.patch
+++ b/Remove-srvtab-support.patch
@ -1,4 +1,4 @@
-From 42b1d879cf0705d3bc76c4b546275f1c608ebda9 Mon Sep 17 00:00:00 2001
+From 0869d133743446612c512ce9aec5832ce10e282b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 9 Oct 2017 15:58:33 -0400
 Subject: [PATCH] Remove srvtab support
--- a/Simplify-SAM-2-as_key-handling.patch
+++ b/Simplify-SAM-2-as_key-handling.patch
@ -1,4 +1,4 @@
-From 251694f155bd132a162f876e59abf5caf7140c70 Mon Sep 17 00:00:00 2001
+From 48cca5e6134e6137cab7d592dfb31f0a19e4e7ea Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 5 May 2019 18:53:27 -0400
 Subject: [PATCH] Simplify SAM-2 as_key handling
--- a/Simply-OpenSSL-PKCS7-decryption-code.patch
+++ b/Simply-OpenSSL-PKCS7-decryption-code.patch
@ -1,4 +1,4 @@
-From 02c3a9756cba8676a3074ae8c1c96b26e1b47c98 Mon Sep 17 00:00:00 2001
+From 0b4433c4ab9653eb298e2b7d959e957d468fd3f9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 6 May 2019 13:13:06 -0400
 Subject: [PATCH] Simply OpenSSL PKCS7 decryption code
--- a/Support-389ds-s-lockout-model.patch
+++ b/Support-389ds-s-lockout-model.patch
@ -0,0 +1,63 @@
+From 5673f1c22b602ac4b72e59c84b70ecedf3132c11 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:47:44 -0400
+Subject: [PATCH] Support 389ds's lockout model
+
+Handle the attribute 'nsAccountLock' from Netscape derivatives.  Based
+on a patch by Nalin Dahyabhai and Simo Sorce.
+
+ticket: 5891
+(cherry picked from commit 6ad061e24eca41a61eebed61db39768bfa51a084)
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c   | 18 ++++++++++++++++++
+ .../kdb/ldap/libkdb_ldap/ldap_principal.c      |  1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+index 5b9d1e9fa..2ade63719 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+     struct berval **ber_key_data = NULL, **ber_tl_data = NULL;
+     krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl;
+     osa_princ_ent_rec princ_ent;
+    char *is_login_disabled = NULL;
+ 
+     memset(&princ_ent, 0, sizeof(princ_ent));
+ 
+@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+     if (ret)
+         goto cleanup;
+ 
+    /*
+     * 389ds and other Netscape directory server derivatives support an
+     * attribute "nsAccountLock" which functions similarly to eDirectory's
+     * "loginDisabled".  When the user's account object is also a
+     * krbPrincipalAux object, the kdb entry should be treated as if
+     * DISALLOW_ALL_TIX has been set.
+     */
+    ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+                               &attr_present);
+    if (ret)
+        goto cleanup;
+    if (attr_present == TRUE) {
+        if (strcasecmp(is_login_disabled, "TRUE") == 0)
+            entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+        free(is_login_disabled);
+    }
+
+     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
+     if (ret)
+         goto cleanup;
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+index d722dbfa6..a5180c73f 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+@@ -54,6 +54,7 @@ char     *principal_attributes[] = { "krbprincipalname",
+                                      "krbLastFailedAuth",
+                                      "krbLoginFailedCount",
+                                      "krbLastSuccessfulAuth",
+                                     "nsAccountLock",
+                                      "krbLastPwdChange",
+                                      "krbLastAdminUnlock",
+                                      "krbPrincipalAuthInd",
--- a/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
+++ b/Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
@ -1,4 +1,4 @@
-From f3f8effd4978bc6671adc85d98105ca10a67df1f Mon Sep 17 00:00:00 2001
+From a7db3ad8e75a865c2de8c522f582129051bbe958 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 16 Apr 2019 14:16:39 -0400
 Subject: [PATCH] Update ASN.1 SAM tests to use a modern enctype
--- a/Update-default-krb5kdc-mkey-manual-entry-enctype.patch
+++ b/Update-default-krb5kdc-mkey-manual-entry-enctype.patch
@ -0,0 +1,54 @@
+From 32d2b3e6dc3ab6aa9bb824701752ccfc23d61c1c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 20 May 2019 16:52:57 -0400
+Subject: [PATCH] Update default krb5kdc mkey manual-entry enctype
+
+Change from the legacy des-cbc-crc to the default for kdb5_util and
+kadmind, which is currently aes256-cts-hmac-sha1-96.
+
+(cherry picked from commit 512f5cde625253cba1e6f87e037a00ef88178882)
+---
+ doc/admin/admin_commands/krb5kdc.rst | 2 +-
+ src/kdc/main.c                       | 2 +-
+ src/man/krb5kdc.man                  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
+index 0342d0d18..455bb6858 100644
+--- a/doc/admin/admin_commands/krb5kdc.rst
+++ b/doc/admin/admin_commands/krb5kdc.rst
+@@ -39,7 +39,7 @@ LDAP database.
+ 
+ The **-k** *keytype* option specifies the key type of the master key
+ to be entered manually as a password when **-m** is given; the default
+-is ``des-cbc-crc``.
+is |defmkey|.
+ 
+ The **-M** *mkeyname* option specifies the principal name for the
+ master key in the database (usually ``K/M`` in the KDC's realm).
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+index 60092a0df..04393772f 100644
+--- a/src/kdc/main.c
+++ b/src/kdc/main.c
+@@ -777,7 +777,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
+         case 'm':                       /* manual type-in of master key */
+             manual = TRUE;
+             if (menctype == ENCTYPE_UNKNOWN)
+-                menctype = ENCTYPE_DES_CBC_CRC;
+                menctype = DEFAULT_KDC_ENCTYPE;
+             break;
+         case 'M':                       /* master key name in DB */
+             mkey_name = optarg;
+diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
+index 8ace9662f..aa8614698 100644
+--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
+@@ -59,7 +59,7 @@ LDAP database.
+ .sp
+ The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key
+ to be entered manually as a password when \fB\-m\fP is given; the default
+-is \fBdes\-cbc\-crc\fP\&.
+is \fBaes256\-cts\-hmac\-sha1\-96\fP\&.
+ .sp
+ The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the
+ master key in the database (usually \fBK/M\fP in the KDC\(aqs realm).
--- a/Use-secure_getenv-where-appropriate.patch
+++ b/Use-secure_getenv-where-appropriate.patch
@ -1,4 +1,4 @@
-From a46c1dd1be09217f9f19e9c70381893dc3995c45 Mon Sep 17 00:00:00 2001
+From 4ed88289e0b3c5a6fcda13078abf211fb8e4f84c Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Wed, 24 Apr 2019 16:19:50 -0400
 Subject: [PATCH] Use secure_getenv() where appropriate
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@ -1,4 +1,4 @@
-From d3e720a17e4284c791541840dcbc8652d33a75c4 Mon Sep 17 00:00:00 2001
+From 8e03102127701980c1ace62cbea93e4003a0ef5d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:52:01 -0400
 Subject: [PATCH] krb5-1.11-kpasswdtest.patch
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@ -1,4 +1,4 @@
-From 75ba8f42c0e9426af80c71aaaa490cc6262e259c Mon Sep 17 00:00:00 2001
+From 44ecf1e570aacff7630334fbf1650e2f33f8675e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:57 -0400
 Subject: [PATCH] krb5-1.11-run_user_0.patch
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@ -1,75 +0,0 @@
-From eb26e32b7cce535a7a70168b7f44aa07eb989264 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 23 Aug 2016 16:47:44 -0400
-Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
-
-Treat 'nsAccountLock: true' the same as 'loginDisabled: true'.  Updated from
-original version filed as RT#5891.
---
- src/aclocal.m4                                  |  9 +++++++++
- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c    | 17 +++++++++++++++++
- .../kdb/ldap/libkdb_ldap/ldap_principal.c       |  3 +++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index db18226ed..518b1a547 100644
--- a/src/aclocal.m4
-+++ b/src/aclocal.m4
-@@ -1678,6 +1678,15 @@ if test "$with_ldap" = yes; then
-   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
-   OPENLDAP_PLUGIN=yes
- fi
-+AC_ARG_WITH([dirsrv-account-locking],
-+[  --with-dirsrv-account-locking       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
-+[case "$withval" in
-+    yes | no) ;;
-+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
-+esac], with_dirsrv_account_locking=no)
-+if test $with_dirsrv_account_locking = yes; then
-+    AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
-+fi
- ])dnl
- dnl
- dnl If libkeyutils exists (on Linux) include it and use keyring ccache
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index 5b9d1e9fa..4e7270065 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -1652,6 +1652,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
-     ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
-     if (ret)
-         goto cleanup;
-+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
-+    {
-+        krb5_timestamp              expiretime=0;
-+        char                        *is_login_disabled=NULL;
-+
-+        /* LOGIN DISABLED */
-+        ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
-+                                   &attr_present);
-+        if (ret)
-+            goto cleanup;
-+        if (attr_present == TRUE) {
-+            if (strcasecmp(is_login_disabled, "TRUE")== 0)
-+                entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
-+            free (is_login_disabled);
-+        }
-+    }
-+#endif
- 
-     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
-     if (ret)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-index d722dbfa6..5e8e9a897 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
-@@ -54,6 +54,9 @@ char     *principal_attributes[] = { "krbprincipalname",
-                                      "krbLastFailedAuth",
-                                      "krbLoginFailedCount",
-                                      "krbLastSuccessfulAuth",
-+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
-+                                     "nsAccountLock",
-+#endif
-                                      "krbLastPwdChange",
-                                      "krbLastAdminUnlock",
-                                      "krbPrincipalAuthInd",
--- a/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
+++ b/krb5-1.17post2-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
@ -1,4 +1,4 @@
-From 853a9aacfbc842037b30607bacb5c60f5918cccb Mon Sep 17 00:00:00 2001
+From 3cd7636a824638f880e7512fa1f547ec379b8499 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] krb5-1.17post2 FIPS with PRNG, SPAKE, and RADIUS
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@ -1,4 +1,4 @@
-From 454b35ce48bb8de491cad93c8944c783d1c47fd1 Mon Sep 17 00:00:00 2001
+From 371770fc1d545414838685bcd2542450dfb0e097 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] krb5-1.9-debuginfo.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 23%{?dist}
+Release: 24%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -54,7 +54,6 @@ Patch27: krb5-1.17-beta1-selinux-label.patch
 Patch28: krb5-1.12-ksu-path.patch
 Patch30: krb5-1.15-beta1-buildconf.patch
 Patch31: krb5-1.3.1-dns.patch
-Patch33: krb5-1.13-dirsrv-accountlock.patch
 Patch34: krb5-1.9-debuginfo.patch
 Patch35: krb5-1.11-run_user_0.patch
 Patch36: krb5-1.11-kpasswdtest.patch
@ -97,6 +96,8 @@ Patch129: Remove-dead-variable-def_kslist-from-two-files.patch
 Patch130: Mark-the-doc-kadm5-tex-files-as-historic.patch
 Patch131: Modernize-example-enctypes-in-documentation.patch
 Patch132: Update-ASN.1-SAM-tests-to-use-a-modern-enctype.patch
+Patch133: Update-default-krb5kdc-mkey-manual-entry-enctype.patch
+Patch134: Support-389ds-s-lockout-model.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -706,6 +707,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Tue May 21 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-24
+- Update default krb5kdc mkey manual-entry enctype
+- Also update account lockout patch to upstream version
+
 * Mon May 20 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-23
 - Test & docs fixes in preparation for DES removal