- pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805, part
of #1043962)
- pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of
#1043962)
- drop patches from master to not test GSSRPC-over-UDP and to not
depend on the portmapper, which are areas where our build systems
often give us trouble, too; obsolete
- check more thorougly for errors when resolving KEYRING ccache names of type
"persistent", which should only have a numeric UID as the next part of the
name (#1029110)
- drop patch to add additional access() checks to ksu - they add to breakage
when non-FILE: caches are in use (#1026099), shouldn't be resulting in any
benefit, and clash with proposed changes to fix its cache handling
Rebuild against a keyutils which tags the new symbols we're using with a
newer symbol version, so that RPM can tell the difference between
versions of the package which contain a shared library that doesn't
include them and versions of the package which contain a shared library
which does.
- switch to the version of persistent-keyring that was just merged to
master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
- pull up fix for not calling a kdb plugin's check-transited-path
method before calling the library's default version, which only knows
how to read what's in the configuration file (RT#7709, #1013664)
- configure --without-krb5-config so that we don't pull in the old default
ccache name when we want to stop setting a default ccache name at configure-
time
- back out setting default_ccache_name to the new default for now, resetting
it to the old default while the kernel/keyutils bits get sorted (sgallagh)
- don't let comments intended for one scriptlet become part of the "script"
that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675)
- on releases where we expect krb5.conf to be configured with a
default_ccache_name, add it whenever we upgrade from an older version of
the package that wouldn't have included it in its default configuration
file (#991148)
- drop a patch we're not applying
- wrap kadmind and kpropd in scripts which check for the presence/absence
of files which dictate particular exit codes before exec'ing the actual
binaries, instead of trying to use ConditionPathExists in the unit files
to accomplish that, so that we exit with failure properly when what we
expect isn't actually in effect on the system (#800343)
- tweak configuration files used during tests to try to reduce the number
of conflicts encountered when builds for multiple arches land on the same
builder
Use nss_wrapper (from cwrap.org) to be able to run more of the
self-tests during %%check. Help it along a little bit by being
more emphatic about cutting off access to DNS.
This reverts commit 8a5a8d492c.
Special-case /run/user/0, attempting to create it when resolving a
directory cache below it fails due to ENOENT and we find that it doesn't
already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235).
- update to 1.11.3
- drop patch for RT#7605, fixed in this release
- drop patch for CVE-2002-2443, fixed in this release
- drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
It's not a complete fix, and it may only muddy things further on systems
that are having the kind of trouble it's trying to avoid, so hold off.
For now, at least.
- pull in proposed fix for attempts to get initial creds, which end up
following referrals, incorrectly trying to always use master KDCs if
they talked to a master at any point (should fix RT#7650)
Add a patch to create /run/user/0 if we're trying to resolve a
DIR: ccache somewhere below it and neither the target location
nor /run/user/0 exist yet.
The better workaround is to set the location's owner to "linger"
via logind, since even after we do what we're doing here, if
the user logs in and logs back out, our location is still removed.
- pull in patches from master to not test GSSRPC-over-UDP and to not
depend on the portmapper, which are areas where our build systems
often give us trouble, too
In addition to basing the contents of an encrypted-timestamp preauth
data item on the server's idea of the current time, go ahead and do the
same for the times in the request.
- pull in upstream fix to start treating a KRB5CCNAME value that begins
with DIR:: the same as it would a DIR: value with just one ccache file
in it (RT#7172, #965574)
- pull the changing of the compiled-in default ccache location to
DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and
the most recent pam_krb5 build
- when testing the RPC library, treat denials from the local portmapper the
same as a portmapper-not-running situation, to allow other library tests
to be run while building the package
- create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user,
since that's what the libraries actually look for
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
to run properly during builds
- go back to using reconf to run autoconf and autoheader (part of #925640)
- add temporary patch to use newer config.guess/config.sub (more of #925640)
drop the kerberos-iv portreserve file (long overdue), and drop the rest
on systemd systems, since we don't currently poke portreserve when we're
starting a service
- update to the 1.11 final release
- drop the rawbuild tag from a couple of patches which we don't actually
need to apply to get things to compile the way the package expects
- handle releases where texlive packaging wasn't yet as complicated as it
is in Fedora 18
- fix an uninitialized-variable error building one of the test programs
- move the rather large pile of html and pdf docs to -workstation, so
that just having something that links to the libraries won't drag
them onto a system
- actually create %%{_var}/kerberos/kdc/user, so that it can be packaged
- correct the list of packaged man pages
- drop backported patches to make keytab-based authentication attempts
work better when the client tells the KDC that it supports a particular
cipher, but doesn't have a key for it in the keytab
- drop backported fix for teaching PKINIT clients which trust the KDC's
certificate directly to verify signed-data messages that are signed with
the KDC's certificate, when the blobs don't include a copy of the KDC's
certificate
- add a backport of more patches to set the client's list of supported enctypes
when using a keytab to be the list of types of keys in the keytab, plus the
list of other types the client supports but for which it doesn't have keys,
in that order, so that KDCs have a better chance of being able to issue
tickets with session keys of types that the client can use (#837855)
- pull up patch for RT#7063, in which not noticing a prompt for a long
time throws the client library's idea of the time difference between it
and the KDC really far out of whack (#773496)