Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory
checked in at Wed Jul 8 19:41:36 CEST 2009.
--------
--- krb5/krb5-doc.changes 2008-12-11 16:32:15.000000000 +0100
+++ krb5/krb5-doc.changes 2009-06-03 10:47:36.000000000 +0200
@@ -1,0 +2,16 @@
+Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
+
+- update to final version 1.7
+
+-------------------------------------------------------------------
+Wed May 13 11:34:07 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+
+-------------------------------------------------------------------
+Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * remove outdated documentation for kadm5 API
+
+-------------------------------------------------------------------
New Changes file:
--- /dev/null 2009-04-14 11:55:47.000000000 +0200
+++ krb5/krb5-mini.changes 2009-07-08 19:30:32.286899000 +0200
@@ -0,0 +1,693 @@
+-------------------------------------------------------------------
+Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
+
+- update to final 1.7 release
+
+-------------------------------------------------------------------
+Wed May 13 11:30:42 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+
+-------------------------------------------------------------------
+Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+
+-------------------------------------------------------------------
+Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
+
+- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
+
+-------------------------------------------------------------------
+Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
+
+- do not query IPv6 addresses if no IPv6 address exists on this host
+ [bnc#449143]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
+
+- in case we use ldap as database backend, ldap should be
+ started before krb5kdc
+
+-------------------------------------------------------------------
+Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
+
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+
+-------------------------------------------------------------------
+Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * krb5_string_to_keysalts: Fix an infinite loop
+ * fix some mutex issues
+ * better recovery from corrupt rcache files
+ * some more small fixes
+
+-------------------------------------------------------------------
+Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
+
+- add case-insensitive.dif (FATE#300771)
+- minor fixes for ktutil man page
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Wed May 14 17:44:59 CEST 2008 - mc@suse.de
+
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+ (fix changing passwords in mixed ipv4/ipv6 enviroments)
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
+
+- modify krb5-config to not output rpath and cflags in --libs
+ (bnc#378270)
+
+-------------------------------------------------------------------
+Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
+
+- fix two security bugs:
+ * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
+ fix double free [bnc#361373]
+ * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
+ Memory corruption while too many open file descriptors
+ [bnc#363151]
+- change default config file. Comment out the examples.
+
+-------------------------------------------------------------------
+Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
+
+- fix several security bugs:
+ * CVE-2007-5894 apparent uninit length
+ * CVE-2007-5902 integer overflow
+ * CVE-2007-5971 free of non-heap pointer and double-free
+ * CVE-2007-5972 double fclose()
+ [#346745, #346748, #346746, #346749, #346747]
+
+-------------------------------------------------------------------
+Tue Dec 4 16:36:07 CET 2007 - mc@suse.de
+
+- improve GSSAPI error messages
+
+-------------------------------------------------------------------
+Tue Nov 6 13:53:17 CET 2007 - mc@suse.de
+
+- add coreutils to PreReq
+
+-------------------------------------------------------------------
+Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
+
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+
+-------------------------------------------------------------------
+Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.2-post.dif
+ * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
+ that the client library will not failover to the next KDC.
+ [#310540]
+
+-------------------------------------------------------------------
+Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.2-post.dif
+ * new -S sname option for kvno
+ * read_entropy_from_device on partial read will not fill buffer
+ * Bail out if encoded "ticket" doesn't decode correctly.
+ * patch for referrals loop
+
+-------------------------------------------------------------------
+Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de
+
+- fix a problem with the originally published patch
+ for MITKRB5-SA-2007-006 - CVE-2007-3999
+ [#302377]
+
+-------------------------------------------------------------------
+Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de
+
+- fix execute arbitrary code
+ (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
+ [#302377]
+
+-------------------------------------------------------------------
+Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
+
+- add krb5-1.6.2-post.dif
+ * during the referrals loop, check to see if the
+ session key enctype of a returned credential for the final
+ service is among the enctypes explicitly selected by the
+ application, and retry with old_use_conf_ktypes if it is not.
+ * If mkstemp() is available, the new ccache file gets created but
+ the subsequent open(O_CREAT|O_EXCL) call fails because the file
+ was already created by mkstemp(). Apply patch from Apple to keep
++++ 496 more lines (skipped)
++++ between /dev/null
++++ and krb5/krb5-mini.changes
--- krb5/krb5.changes 2009-01-14 09:21:54.000000000 +0100
+++ krb5/krb5.changes 2009-06-03 10:26:19.000000000 +0200
@@ -1,0 +2,41 @@
+Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
+
+- update to final 1.7 release
+
+-------------------------------------------------------------------
+Wed May 13 11:30:42 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+
+-------------------------------------------------------------------
+Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+
+-------------------------------------------------------------------
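Review bot: the 1.7 Beta2 entry lists CVE-2009-0844, CVE-2009-0845, CVE-2009-0846 and CVE-2009-0847 without a bug reference, while the older security entries shown in krb5-mini.changes pair each fix with one (for example [bnc#361373] and [bnc#363151]). Add the matching reference if one exists, so the fix can be traced from the changelog. In the FAST item, "preauthentiation" should read "preauthentication".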
calling whatdependson for head-i586
Old:
----
EncryptWithMasterKey.c
Makefile.kadm5
baselibs.conf
gssapi_improve_errormessages.dif
kprop-use-mkstemp.dif
krb5-1.3.3-rcp-markus.dif
krb5-1.4-fix-segfault.dif
krb5-1.5.1-fix-strncat-warning.dif
krb5-1.5.1-fix-too-few-arguments.dif
krb5-1.6-MITKRB5-SA-2008-001.dif
krb5-1.6-MITKRB5-SA-2008-002.dif
krb5-1.6-fix-CVE-2007-5894.dif
krb5-1.6-fix-CVE-2007-5902.dif
krb5-1.6-fix-CVE-2007-5971.dif
krb5-1.6-fix-CVE-2007-5972.dif
krb5-1.6-ldap-man.dif
krb5-1.6.1-init-salt-length.dif
krb5-1.6.3-case-insensitive.dif
krb5-1.6.3-post.dif
krb5-1.6.3-rpmlintrc
krb5-1.6.3.tar.bz2
krb5-doc-1.6.3-rpmlintrc
krb5-plugins-1.6.3-rpmlintrc
krb5-plugins.changes
krb5-plugins.spec
krb5-trunk-kpasswd_tcp.patch
krb5-trunk-manpaths.txt
krb5-trunk-seqnum.patch
trunk-EncryptWithMasterKey.dif
trunk-manpaths.dif
warning-fix-lib-crypto-des.dif
warning-fix-lib-crypto-dk.dif
warning-fix-lib-crypto-enc_provider.dif
warning-fix-lib-crypto-yarrow_arcfour.dif
warning-fix-lib-crypto.dif
New:
----
krb5-1.6.3-gssapi_improve_errormessages.dif
krb5-1.6.3-kpasswd_tcp.patch
krb5-1.6.3-kprop-use-mkstemp.dif
krb5-1.7-manpaths.dif
krb5-1.7-manpaths.txt
krb5-1.7-rpmlintrc
krb5-1.7.tar.bz2
krb5-doc-1.7-rpmlintrc
krb5-mini.changes
krb5-mini.spec
pre_checkin.sh
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-doc.spec ++++++
--- /var/tmp/diff_new_pack.geL5D2/_old 2009-07-08 19:31:21.000000000 +0200
+++ /var/tmp/diff_new_pack.geL5D2/_new 2009-07-08 19:31:21.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package krb5-doc (Version 1.6.3)
+# spec file for package krb5-doc (Version 1.7)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -20,20 +20,18 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
-Version: 1.6.3
-Release: 133
-%define srcRoot krb5-1.6.3
+Version: 1.7
+Release: 4
+%define srcRoot krb5-1.7
Summary: MIT Kerberos5 Implementation--Documentation
-License: X11/MIT
+License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
Group: Documentation/Other
-Source: krb5-1.6.3.tar.bz2
+Source: krb5-%{version}.tar.bz2
Source1: README.Source
-Source2: Makefile.kadm5
Source3: %{name}-%{version}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
-Patch2: krb5-1.6.3-post.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
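Review bot: %define srcRoot krb5-1.7 still hard-codes the version while Source: now uses krb5-%{version}.tar.bz2, so the next version bump has to touch two places and %setup -n %{srcRoot} breaks if only one is changed. Define srcRoot as krb5-%{version} to keep them in step.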
@@ -56,8 +54,6 @@
%setup -n %{srcRoot}
%patch0
%patch1
-%patch2
-cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile
%build
@@ -68,17 +64,13 @@
make implementor.ps
make -C api
make -C implement
-make -C kadm5
-cd api
-latex2html -dir ../html/library -mkdir library.tex
-latex2html -dir ../html/libdes -mkdir libdes.tex
-cd ../implement
-latex2html -dir ../html/implement -mkdir implement.tex
-cd ..
-#mv krb5-admin html/
-#mv krb5-install html/
-#mv krb5-user html/
-#mv krb425 html/
+#make -C kadm5
+#cd api
+#latex2html -dir ../html/library -mkdir library.tex
+#latex2html -dir ../html/libdes -mkdir libdes.tex
+#cd ../implement
+#latex2html -dir ../html/implement -mkdir implement.tex
+#cd ..
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
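Review bot: the latex2html calls are commented out rather than removed, yet mv *.html html/ is kept, and those calls (with -dir ../html/... -mkdir) were the visible step that created directories under html. Confirm that html/ still exists at this point in the build, and delete the dead lines instead of leaving them as comments; the same applies to the commented-out cleanup block in the next hunk.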
@@ -89,134 +81,34 @@
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
-rm -f doc/html/*/WARNINGS
-rm -f doc/html/*/images.aux
-rm -f doc/html/*/labels.pl
-# check for duplicate files and replace them with a link
-cd doc/html/api-funcspec
-if cmp --quiet api-funcspec.html index.html ; then
- rm -f index.html
- ln -s api-funcspec.html index.html
-fi
-cd ../library
-if cmp --quiet library.html index.html ; then
- rm -f index.html
- ln -s library.html index.html
-fi
-cd ../api-server-design
-if cmp --quiet api-server-design.html index.html ; then
- rm -f index.html
- ln -s api-server-design.html index.html
-fi
-cd ../adb-unit-test
-if cmp --quiet adb-unit-test.html index.html ; then
- rm -f index.html
- ln -s adb-unit-test.html index.html
-fi
-cd ../api-unit-test
-if cmp --quiet api-unit-test.html index.html ; then
- rm -f index.html
- ln -s api-unit-test.html index.html
-fi
-cd ../libdes
-if cmp --quiet libdes.html index.html ; then
- rm -f index.html
- ln -s libdes.html index.html
-fi
-cd ../implement
-if cmp --quiet implement.html index.html ; then
- rm -f index.html
- ln -s implement.html index.html
-fi
-cd ../..
+#rm -f doc/html/*/WARNINGS
+#rm -f doc/html/*/images.aux
+#rm -f doc/html/*/labels.pl
+#### check for duplicate files and replace them with a link
+#cd doc/html/library
+#if cmp --quiet library.html index.html ; then
+# rm -f index.html
+# ln -s library.html index.html
+#fi
+#cd ../libdes
+#if cmp --quiet libdes.html index.html ; then
+# rm -f index.html
+# ln -s libdes.html index.html
+#fi
+#cd ../implement
+#if cmp --quiet implement.html index.html ; then
+# rm -f index.html
+# ln -s implement.html index.html
+#fi
+#cd ../..
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
-%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz doc/kadm5/*.ps.gz
+%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog
-* Fri Jul 25 2008 mc@suse.de
-- add patches from SVN post 1.6.3
- * some fixes in the man pages
-* Wed Jun 18 2008 mc@suse.de
-- reduce rpmlint warnings
-* Tue Oct 23 2007 mc@suse.de
-- update to krb5 version 1.6.3
- * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
- * fix CVE-2007-4000 modify_policy vulnerability
- * Add PKINIT support
-- remove patches which are upstream now
-- enhance init scripts and xinetd profiles
-* Thu Jul 12 2007 mc@suse.de
-- update to version 1.6.2
-- remove krb5-1.6.1-post.dif all fixes are included in this release
-* Wed Jun 13 2007 sschober@suse.de
-- removed executable permission from doc file
-* Mon Apr 23 2007 mc@suse.de
-- update to final 1.6.1 version
-- replace te_ams with texlive in BuildRequires
-* Wed Apr 18 2007 mc@suse.de
-- build implementor.ps
-* Mon Apr 16 2007 mc@suse.de
-- update to version 1.6.1 Beta1
-- remove obsolete patches
- (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
-* Mon Feb 19 2007 mc@suse.de
-- add krb5-1.6-post.dif
-* Mon Jan 22 2007 mc@suse.de
-- update to version 1.6
- * Major changes in 1.6 include
- * Partial client implementation to handle server name referrals.
- * Pre-authentication plug-in framework, donated by Red Hat.
- * LDAP KDB plug-in, donated by Novell.
-* Thu Aug 24 2006 mc@suse.de
-- update to version 1.5.1
-- remove obsolete patches which are now included upstream
- * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
- * trunk-fix-uninitialized-vars.dif
-* Mon Jul 03 2006 mc@suse.de
-- update to version 1.5
- * KDB abstraction layer, donated by Novell.
- * plug-in architecture, allowing for extension modules to be
- loaded at run-time.
- * multi-mechanism GSS-API implementation ("mechglue"),
- donated by Sun Microsystems
- * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
- implementation, donated by Sun Microsystems
-- remove obsolete patches and add some new
-* Mon Mar 13 2006 mc@suse.de
-- set BuildArchitectures to noarch
-- set norootforbuild
-* Wed Jan 25 2006 mls@suse.de
-- converted neededforbuild to BuildRequires
-* Fri Nov 18 2005 mc@suse.de
-- update to version 1.4.3
-- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
-* Wed Oct 12 2005 mc@suse.de
-- build kadm5 documentation
-- build documentation also as html
-- include the text only documentation
-* Tue Oct 11 2005 mc@suse.de
-- update to version 1.4.2
-- remove some obsolet patches
-* Mon Jun 27 2005 mc@suse.de
-- update to version 1.4.1
-- remove obsolet patches
- - krb5-1.4-VUL-0-telnet.dif
-* Thu Feb 10 2005 ro@suse.de
-- added libpng to neededforbuild (for tetex)
-* Fri Feb 04 2005 mc@suse.de
-- remove spx.c from tarball because of legal risk
-- add README.Source which tell the user about this
- action.
-* Fri Jan 28 2005 mc@suse.de
-- update to version 1.4
-* Mon Jan 10 2005 mc@suse.de
-- update to version 1.3.6
-* Tue Dec 14 2004 mc@suse.de
-- initial release
++++++ krb5-mini.spec ++++++
++++ 686 lines (skipped)
++++++ krb5.spec ++++++
++++ 731 lines (skipped)
++++ between krb5/krb5.spec
++++ and krb5/krb5.spec
++++++ krb5-1.4.3-enospc.dif ++++++
--- /var/tmp/diff_new_pack.geL5D2/_old 2009-07-08 19:31:22.000000000 +0200
+++ /var/tmp/diff_new_pack.geL5D2/_new 2009-07-08 19:31:22.000000000 +0200
@@ -1,21 +1,13 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
-Index: krb5-1.6.3/src/clients/kinit/kinit.c
+Index: trunk/src/clients/kinit/kinit.c
===================================================================
---- krb5-1.6.3.orig/src/clients/kinit/kinit.c
-+++ krb5-1.6.3/src/clients/kinit/kinit.c
-@@ -35,6 +35,7 @@
- #else
- #undef HAVE_KRB524
- #endif
-+#include
- #include
- #include
- #include
-@@ -921,8 +922,14 @@ k5_kinit(opts, k5)
-
- code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+--- trunk.orig/src/clients/kinit/kinit.c
++++ trunk/src/clients/kinit/kinit.c
+@@ -658,8 +658,14 @@ k5_kinit(opts, k5)
+ code = krb5_cc_initialize(k5->ctx, k5->cc,
+ opts->canonicalize ? my_creds.client : k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
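Review bot: the refreshed patch no longer carries the hunk that added an #include near the top of kinit.c, while the description still says the change reports the last error returned by the OS. Confirm that kinit.c in the new tree already pulls in the header the added error path needs, and say so in the patch header, otherwise the build depends on an implicit declaration.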
++++++ krb5-1.5.1-fix-ftp-var-used-uninitialized.dif ++++++
--- /var/tmp/diff_new_pack.geL5D2/_old 2009-07-08 19:31:22.000000000 +0200
+++ /var/tmp/diff_new_pack.geL5D2/_new 2009-07-08 19:31:22.000000000 +0200
@@ -2,7 +2,7 @@
===================================================================
--- src/appl/gssftp/ftp/ftp.c.orig
+++ src/appl/gssftp/ftp/ftp.c
-@@ -1986,7 +1986,7 @@ int do_auth()
+@@ -1912,7 +1912,7 @@ int do_auth()
#ifdef GSSAPI
if (command("AUTH %s", "GSSAPI") == CONTINUE) {
++++++ krb5-1.6.1-compile_pie.dif ++++++
--- /var/tmp/diff_new_pack.geL5D2/_old 2009-07-08 19:31:22.000000000 +0200
+++ /var/tmp/diff_new_pack.geL5D2/_new 2009-07-08 19:31:22.000000000 +0200
@@ -2,7 +2,7 @@
===================================================================
--- src/krb5-config.in.orig
+++ src/krb5-config.in
-@@ -186,6 +186,8 @@ if test -n "$do_libs"; then
+@@ -188,6 +188,8 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
@@ -15,13 +15,13 @@
===================================================================
--- src/config/shlib.conf.orig
+++ src/config/shlib.conf
-@@ -378,7 +378,8 @@ mips-*-netbsd*)
- SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+@@ -420,7 +420,8 @@ mips-*-netbsd*)
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
-- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
-+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) -pie $(LDFLAGS)'
-+ INSTALL_SHLIB='${INSTALL} -m755'
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
- RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; '
-
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
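Review bot: -pie is added only to CC_LINK_SHARED; CXX_LINK_SHARED two lines below is left without it, so anything linked through the C++ rule is not built as a position-independent executable. Either add -pie there as well or state in the patch header that no C++ programs are affected. The added INSTALL_SHLIB='${INSTALL} -m755' line is unrelated to PIE and needs its own line of explanation.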
++++++ krb5-1.6.3-fix-ipv6-query.dif ++++++
--- /var/tmp/diff_new_pack.geL5D2/_old 2009-07-08 19:31:22.000000000 +0200
+++ /var/tmp/diff_new_pack.geL5D2/_new 2009-07-08 19:31:22.000000000 +0200
@@ -1,7 +1,7 @@
-Index: krb5-1.6.3/src/lib/krb5/os/hostaddr.c
+Index: trunk/src/lib/krb5/os/hostaddr.c
===================================================================
---- krb5-1.6.3.orig/src/lib/krb5/os/hostaddr.c
-+++ krb5-1.6.3/src/lib/krb5/os/hostaddr.c
+--- trunk.orig/src/lib/krb5/os/hostaddr.c
++++ trunk/src/lib/krb5/os/hostaddr.c
@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
@@ -11,11 +11,11 @@
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
-Index: krb5-1.6.3/src/lib/krb5/os/hst_realm.c
+Index: trunk/src/lib/krb5/os/hst_realm.c
===================================================================
---- krb5-1.6.3.orig/src/lib/krb5/os/hst_realm.c
-+++ krb5-1.6.3/src/lib/krb5/os/hst_realm.c
-@@ -167,7 +167,7 @@ krb5int_get_fq_hostname (char *buf, size
+--- trunk.orig/src/lib/krb5/os/hst_realm.c
++++ trunk/src/lib/krb5/os/hst_realm.c
+@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size
int err;
memset (&hints, 0, sizeof (hints));
@@ -24,10 +24,10 @@
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
-Index: krb5-1.6.3/src/lib/krb5/os/locate_kdc.c
+Index: trunk/src/lib/krb5/os/locate_kdc.c
===================================================================
---- krb5-1.6.3.orig/src/lib/krb5/os/locate_kdc.c
-+++ krb5-1.6.3/src/lib/krb5/os/locate_kdc.c
+--- trunk.orig/src/lib/krb5/os/locate_kdc.c
++++ trunk/src/lib/krb5/os/locate_kdc.c
@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
@@ -37,17 +37,18 @@
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
- sprintf(portbuf, "%d", ntohs(port));
- sprintf(secportbuf, "%d", ntohs(secport));
-Index: krb5-1.6.3/src/lib/krb5/os/sn2princ.c
+ if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf))
+ /* XXX */
+Index: trunk/src/lib/krb5/os/sn2princ.c
===================================================================
---- krb5-1.6.3.orig/src/lib/krb5/os/sn2princ.c
-+++ krb5-1.6.3/src/lib/krb5/os/sn2princ.c
-@@ -107,6 +107,7 @@ krb5_sname_to_principal(krb5_context con
+--- trunk.orig/src/lib/krb5/os/sn2princ.c
++++ trunk/src/lib/krb5/os/sn2princ.c
+@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
-+ hints.ai_flags = AI_ADDRCONFIG;
+- hints.ai_flags = AI_CANONNAME;
++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
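Review bot: in the sn2princ.c part, hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG is set unconditionally, while the locate_kdc.c part just above keeps AI_NUMERICSERV behind a preprocessor guard (its #endif is visible). AI_ADDRCONFIG is not defined on every platform, so guard it the same way. Since hints.ai_family is AF_INET here, also document how krb5_sname_to_principal is expected to behave on a host with no IPv4 address configured, because AI_ADDRCONFIG then suppresses IPv4 results.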
++++++ krb5-1.6.3-gssapi_improve_errormessages.dif ++++++
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
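Review bot: the cast in error_message((long)status_value) is the whole change, and the patch has no header explaining it, unlike krb5-1.4.3-enospc.dif, which opens with a description. State which warning or misbehaviour the cast addresses and the declared type of status_value, since a cast to long only matters when width or signedness differ and that decides whether negative error codes survive it.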
++++++ krb5-trunk-kpasswd_tcp.patch -> krb5-1.6.3-kpasswd_tcp.patch ++++++
--- krb5/krb5-trunk-kpasswd_tcp.patch 2008-12-11 16:32:15.000000000 +0100
+++ krb5/krb5-1.6.3-kpasswd_tcp.patch 2009-02-16 16:04:53.000000000 +0100
@@ -3,9 +3,9 @@
Index: src/lib/krb5/os/changepw.c
===================================================================
---- src/lib/krb5/os/changepw.c (revision 20199)
-+++ src/lib/krb5/os/changepw.c (working copy)
-@@ -251,11 +251,22 @@
+--- src/lib/krb5/os/changepw.c.orig
++++ src/lib/krb5/os/changepw.c
+@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co
NULL,
NULL
))) {
++++++ krb5-1.6.3-kprop-use-mkstemp.dif ++++++
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -215,6 +215,7 @@ void get_tickets(context)
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
/*
* Figure out what tickets we'll be using to send stuff
@@ -240,7 +241,15 @@ void get_tickets(context)
/*
* Initialize cache file which we're going to be using
*/
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(tkstring);
+ if (ret == -1) {
+ com_err(progname, errno, "while initialize cache file");
+ exit(1);
+ } else close(ret);
+#else
(void) mktemp(tkstring);
+#endif
snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);
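Review bot: the #else branch still calls (void) mktemp(tkstring) on a name under /tmp and ignores the result, so a build without HAVE_MKSTEMP keeps the predictable-name race this patch is meant to remove. Fail the build or exit at run time in that branch rather than falling back silently. In the mkstemp branch the descriptor is closed at once and the cache is reopened by name through krb5_cc_resolve, so check that the later cache initialization accepts an already existing file. The message "while initialize cache file" should read "while initializing cache file", and the variable ret holds a file descriptor, so fd would be the clearer name.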
++++++ krb5-1.7-manpaths.dif ++++++
Index: trunk/src/appl/bsd/klogind.M
===================================================================
--- trunk.orig/src/appl/bsd/klogind.M
+++ trunk/src/appl/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
Index: trunk/src/appl/bsd/kshd.M
===================================================================
--- trunk.orig/src/appl/bsd/kshd.M
+++ trunk/src/appl/bsd/kshd.M
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
Index: trunk/src/appl/sample/sserver/sserver.M
===================================================================
--- trunk.orig/src/appl/sample/sserver/sserver.M
+++ trunk/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: trunk/src/appl/telnet/telnetd/telnetd.8
===================================================================
--- trunk.orig/src/appl/telnet/telnetd/telnetd.8
+++ trunk/src/appl/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @manlibexecdir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: trunk/src/config-files/kdc.conf.M
===================================================================
--- trunk.orig/src/config-files/kdc.conf.M
+++ trunk/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -257,7 +257,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: trunk/src/configure.in
===================================================================
--- trunk.orig/src/configure.in
+++ trunk/src/configure.in
@@ -1041,6 +1041,69 @@ dnl
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_OUTPUT([
+ appl/bsd/klogind.M
+ appl/bsd/kshd.M
+ appl/bsd/login.M
+ appl/bsd/rcp.M
+ appl/bsd/rlogin.M
+ appl/bsd/rsh.M
+ appl/gssftp/ftpd/ftpd.M
+ appl/gssftp/ftp/ftp.M
+ appl/sample/sclient/sclient.M
+ appl/sample/sserver/sserver.M
+ appl/telnet/telnetd/telnetd.8
+ appl/telnet/telnet/telnet.1
+ clients/kcpytkt/kcpytkt.M
+ clients/kdeltkt/kdeltkt.M
+ clients/kdestroy/kdestroy.M
+ clients/kinit/kinit.M
+ clients/klist/klist.M
+ clients/kpasswd/kpasswd.M
+ clients/ksu/ksu.M
+ clients/kvno/kvno.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/k5login.M
+ gen-manpages/kerberos.M
+ kadmin/cli/k5srvutil.M
+ kadmin/cli/kadmin.local.M
+ kadmin/cli/kadmin.M
+ kadmin/dbutil/kdb5_util.M
+ kadmin/ktutil/ktutil.M
+ kadmin/passwd/kpasswd.M
+ kadmin/server/kadmind.M
+ kdc/krb5kdc.M
+ krb5-config.M
+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+ slave/kpropd.M
+ slave/kprop.M
+ tests/create/kdb5_mkdums.M
+ util/et/com_err.3
+ util/et/compile_et.1
+ util/profile/profile.5
+ util/send-pr/send-pr.1
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
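Review bot: The path-resolution lines such as `mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`` expand every value unquoted and splice it into a sed expression. A prefix containing whitespace, a comma or shell metacharacters is therefore word-split, breaks the `s,NONE,...,g` expression, or is evaluated a second time by `eval`. The `g` flag also rewrites any legitimate path component that happens to contain the string NONE. Testing `"$prefix" = NONE` and `"$exec_prefix" = NONE` explicitly, then doing one quoted expansion, would be sturdier than chained substitutions. Separately, AC_OUTPUT generates each listed file from a matching `.in` template, while the rest of this patch edits the `.M` files in place, so the build relies on something outside this patch to rename them. A comment above the list saying where that happens would help the next maintainer.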
Index: trunk/src/kadmin/cli/kadmin.M
===================================================================
--- trunk.orig/src/kadmin/cli/kadmin.M
+++ trunk/src/kadmin/cli/kadmin.M
@@ -840,9 +840,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
@@ -884,7 +884,7 @@ passwords.
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: trunk/src/slave/kprop.M
===================================================================
--- trunk.orig/src/slave/kprop.M
+++ trunk/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: trunk/src/slave/kpropd.M
===================================================================
--- trunk.orig/src/slave/kpropd.M
+++ trunk/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone deamon, if the
.B \-S
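Review bot: The unchanged context line directly after the inetd.conf entry still reads "standalone deamon". This series already corrects "prorgam" in kadmin.M, so the same pass could fix it to "daemon". The replacement line itself is consistent with the rest of the patch: `@mansbindir@/kpropd` uses the mansbindir substitution added in configure.in.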
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
++++++ krb5-trunk-manpaths.txt -> krb5-1.7-manpaths.txt ++++++
--- krb5/krb5-trunk-manpaths.txt 2008-12-11 16:32:15.000000000 +0100
+++ krb5/krb5-1.7-manpaths.txt 2009-02-16 16:04:53.000000000 +0100
@@ -4,7 +4,6 @@
appl/bsd/rcp.M
appl/bsd/rlogin.M
appl/bsd/rsh.M
-appl/bsd/v4rcp.M
appl/gssftp/ftpd/ftpd.M
appl/gssftp/ftp/ftp.M
appl/sample/sclient/sclient.M
@@ -30,10 +29,7 @@
kadmin/ktutil/ktutil.M
kadmin/passwd/kpasswd.M
kadmin/server/kadmind.M
-kdc/fakeka.M
kdc/krb5kdc.M
-krb524/k524init.M
-krb524/krb524d.M
krb5-config.M
plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
slave/kpropd.M
++++++ krb5-1.6.3-rpmlintrc -> krb5-1.7-rpmlintrc ++++++
--- krb5/krb5-1.6.3-rpmlintrc 2008-12-11 16:32:14.000000000 +0100
+++ krb5/krb5-1.7-rpmlintrc 2009-02-16 16:04:53.000000000 +0100
@@ -1,2 +1,6 @@
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
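Review bot: The last added filter, `addFilter("shlib-policy-missing-suffix")`, has no path pattern, so it silences that check for every shared library in the package, including any added later. The two existing devel-file filters are scoped to a single library name, and this one should be scoped the same way to the libraries that are known to trigger it. The `files-duplicate .*css` and `files-duplicate .*img.*png` patterns are also wider than they need to be. Anchoring them to the documentation directory that actually holds the duplicates would keep rpmlint useful for the rest of the file list.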
++++++ krb5-1.6.3.tar.bz2 -> krb5-1.7.tar.bz2 ++++++
krb5/krb5-1.6.3.tar.bz2 krb5/krb5-1.7.tar.bz2 differ: char 11, line 1
++++++ krb5-doc-1.6.3-rpmlintrc -> krb5-doc-1.7-rpmlintrc ++++++
++++++ pre_checkin.sh ++++++
#!/bin/sh
sed -e 's/Name:.*/Name: krb5-mini/g;' \
-e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
cp krb5.changes krb5-mini.changes
++++++ vendor-files.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/README.ConvertHeimdalMIT new/vendor-files/README.ConvertHeimdalMIT
--- old/vendor-files/README.ConvertHeimdalMIT 2007-06-11 16:12:27.000000000 +0200
+++ new/vendor-files/README.ConvertHeimdalMIT 1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-
-How-To convert a heimdal kdc database to MIT krb5?
-==================================================
-
-Step 1) Dump the heimdal database _decrypted_ .
-
-Execute:
-
-$> kadmin -l dump -d > heimdal-decrypt.dump
-
-Step 2) Copy the dump file "heimdal-decrypt.dump" to a save place (e.g. to a USB stick)
-
-Step 3) Setup a MIT kdc with the same REALM as the heimdal kdc
-
-Read:
-
- http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-install/Install...
-
-Step 4) convert the heimdal dump format to MIT dump format
-
-Execute:
-
-$> cd /usr/lib/mit/helper
-$> ./heimdal2mit-DumpConvert.pl -i -o -sf /var/lib/kerberos/krb5kdc/
-
-Step 5) load the mit.dump file into the MIT kdc with the _update_ mode
-
-Execute:
-
-$> kdb5_util load -update
-
-
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/heimdal2mit-DumpConvert.pl new/vendor-files/heimdal2mit-DumpConvert.pl
--- old/vendor-files/heimdal2mit-DumpConvert.pl 2006-01-13 12:04:10.000000000 +0100
+++ new/vendor-files/heimdal2mit-DumpConvert.pl 1970-01-01 01:00:00.000000000 +0100
@@ -1,283 +0,0 @@
-#! /usr/bin/perl -w
-
-use strict;
-use Data::Dumper;
-use Date::Calc qw(Mktime);
-use Getopt::Long;
-
-my @heimdal = ();
-my @mit = ();
-my $debug = 0;
-my $infile = "";
-my $outfile = "";
-my $stashfile = "";
-my $help = "";
-my $encProg = "/usr/lib/mit/sbin/EncryptWithMasterKey";
-my $encType = "des3-cbc-sha1";
-
-sub flags_to_attr {
- my $flags = shift;
- my $attr = 0;
-
- $attr |= 1<<2 if(!!($flags & 0x00000001)); # initial
- $attr |= 1<<1 if(!($flags & 0x00000002)); # forwardable
- $attr |= 1<<4 if(!($flags & 0x00000004)); # proxiable
- $attr |= 1<<3 if(!($flags & 0x00000008)); # renewable
- $attr |= 1<<0 if(!($flags & 0x00000010)); # postdate
- $attr |= 1<<12 if(!($flags & 0x00000020)); # server
- #$attr |= 1<<6 if(!!($flags & 0x00000040)); # client ???
-
- $attr |= 1<<6 if(!!($flags & 0x00000080)); # invalid
- $attr |= 1<<7 if(!!($flags & 0x00000100)); # require preauth
- $attr |= 1<<13 if(!!($flags & 0x00000200)); # change_pw
-
- print "FLAGS:$flags ATTR:$attr\n" if($debug);
-
- return $attr;
-}
-
-sub time2sec {
- my $date = shift;
-
- if($date eq "-") {
- return 0;
- }
-
- $date =~ /^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$/;
- if(!defined $1 || !defined $2 || !defined $3 ||
- !defined $4 || !defined $5 || !defined $6 ) {
- print STDERR "Can not convert date($date)\n";
- exit 1;
- }
- my ($year, $mon, $day, $hour, $min, $sec) = ($1, $2, $3, $4, $5, $6);
-
- my $time = Mktime($year, $mon, $day, $hour, $min, $sec);
-
- return $time;
-}
-
-sub gen_tl_data {
- my $date = shift; # e.g. 20050112120600
- my $princ = shift;
-
- my $time = time2sec($date);
-
- my $hextime = sprintf("%08x", $time);
- print "HEXTIME: $hextime\n" if($debug);
- $hextime =~ /^([\da-fA-F]{2})([\da-fA-F]{2})([\da-fA-F]{2})([\da-fA-F]{2})$/ ;
- if(!defined $1 || !defined $2 || !defined $3 || !defined $4 ) {
- print STDERR "Can not convert date($date)\n";
- exit 1;
- }
-
- my $data = "$4$3$2$1".unpack("H*", "$princ")."00";
- print "Date: $date Princ: $princ ==>> Data: $data\n" if($debug);
- return $data;
-}
-
-sub usage {
- print "usage: heimdal2mit-DumpConvert.pl --infile \n";
- print " --outfile \n";
- print " --stashfile \n";
- print " [<other options>]\n";
- print " other options are:\n";
- print " --encProg -ep (default is /usr/lib/mit/sbin/EncryptWithMasterKey)\n";
- print " --encType -ec <encryption type> (default is des3-cbc-sha1)\n";
- print " --help -h print help\n";
- print " --debug -d enable debug\n\n";
- print "heimdal2mit-DumpConvert.pl converts a decrypted heimdal kerberos dump file into MIT kerberos\n";
- print "dump format.\n";
- exit 1;
-}
-
-
-my $result = GetOptions ("infile|i=s" => \$infile,
- "outfile|o=s" => \$outfile,
- "stashfile|sf=s" => \$stashfile,
- "encProg|ep=s" => \$encProg,
- "encType|ec=s" => \$encType,
- "help|h" => \$help,
- "debug|d" => \$debug
- );
-
-if($help ) {
- usage();
-}
-
-if(! defined $infile || $infile eq "" || ! -e $infile) {
- print "invalid infile: $infile\n\n";
- usage();
-}
-
-if(! defined $outfile || $outfile eq "" ) {
- print "Missing outfile\n\n";
- usage();
-}
-
-if(! defined $stashfile || $stashfile eq "" || ! -e $stashfile) {
- print "invalid stashfile: $stashfile\n\n";
- usage();
-}
-
-if(! -e $encProg) {
- print "Unable to find EncryptWithMasterKey program. Please use --encProg option\n\n";
- usage();
-}
-
-if(!defined $encType || $encType eq "") {
- $encType = "des3-cbc-sha1";
-}
-
-
-open(HEIMDAL, "< $infile") or die "Can not open heimdal dump:$!";
-@heimdal = <HEIMDAL>;
-close HEIMDAL;
-
-foreach my $line (@heimdal) {
-
- my @data = split(/\s/, $line);
-
- if($debug) {
- foreach (@data) {
- print $_."\n";
- }
- print "\n";
- }
-
- my $mitset = {};
- for(my $i=0; $i < @data; $i++) {
- if($i == 0) { # principal
- $mitset->{"princ"} = $data[$i];
- } elsif($i == 1) { # keys
- my @keyset = split(/:/, $data[$i]);
- $mitset->{"kvno"} = $keyset[0];
- my $j = 0;
- my $keycount = -1;
- my @keys = ();
- foreach my $dummy (@keyset) {
- if($j == 0) {
- $j++;
- next;
- }
-
- if(($j%4) == 1) { # mkvno
- $keycount++;
- $keys[$keycount]->{"mkvno"} = $dummy;
- } elsif(($j%4) == 2) { # enctype
- $keys[$keycount]->{"enctype"} = $dummy;
-
- } elsif(($j%4) == 3) { # keyvalue
- # encrypt keyvalue with mit stash file
- my $cmd = "$encProg -d $dummy -sf $stashfile -e $encType";
- print STDERR "CMD: $cmd\n" if($debug);
-
- my $ekey = `$cmd`;
- chomp($ekey);
-
- print STDERR "EKEY: $ekey\n" if($debug);
- if(! defined $ekey || $ekey eq "") {
- $ekey = $dummy;
- }
- $keys[$keycount]->{"keyvalue"} = $ekey;
-
- } elsif(($j%4) == 0) { # salt (- means use normal salt)
- $keys[$keycount]->{"salt"} = $dummy;
-
- } else {
- print STDERR "Somthing very strage happens\n";
- }
- $j++;
-
- }
- $mitset->{"keys"} = \@keys;
- }elsif($i == 2) { # creation date and principal
- my @ar = split(/:/, $data[$i]);
- $mitset->{"creatDate"} = $ar[0];
- $mitset->{"creatPrinc"} = $ar[1];
- } elsif($i == 3) { # modification date and principal
- my @ar = split(/:/, $data[$i]);
- $mitset->{"modifDate"} = $ar[0];
- $mitset->{"modifPrinc"} = $ar[1];
- } elsif($i == 4) { # not used
- #skip
- } elsif($i == 5) { # expire date
- $mitset->{expire} = time2sec($data[$i]);
- } elsif($i == 6) { # pw expire date
- $mitset->{pwexpire} = time2sec($data[$i]);
- } elsif($i == 7) { # max ticket life
- $mitset->{"maxlife"} = $data[$i];
- } elsif($i == 8) { # max renewable life
- $mitset->{"maxrenew"} = $data[$i];
- } elsif($i == 9) { # flags
- $mitset->{"flags"} = $data[$i];
- } elsif($i == 10) { # generation number
- $mitset->{"gennum"} = $data[$i];
- } else {
- die ("one field too much");
- }
- }
- push @mit, $mitset;
-}
-
-print Data::Dumper->Dump([@mit])."\n" if($debug);
-
-my @mitout = ();
-
-foreach my $dataset (@mit) {
- my $keynum = @{$dataset->{"keys"}};
- my $data = "";
-
- #
- # special heimdal/kerberos principals do not convert these
- # we want to import with -update option
- #
- next if($dataset->{'princ'} =~ /^default@/);
- next if($dataset->{'princ'} =~ /^kadmin\//);
- next if($dataset->{'princ'} =~ /^krbtgt\//);
- next if($dataset->{'princ'} =~ /^changepw\/kerberos@/);
-
- my $line = "princ\t38\t";
- $line .= length($dataset->{'princ'})."\t";
- #$line .= "num-of-tl_data"."\t";
- $line .= "1"."\t";
- #$line .= "num-of-keys"."\t";
- $line .= $keynum."\t";
- $line .= "0"."\t"; # extra length
- $line .= $dataset->{"princ"}."\t";
- $line .= flags_to_attr($dataset->{"flags"})."\t";
- $line .= $dataset->{"maxlife"}."\t";
- $line .= $dataset->{"maxrenew"}."\t";
- $line .= $dataset->{"expire"}."\t"; # expiration
- $line .= $dataset->{"pwexpire"}."\t"; # passwd exp
- $line .= "0"."\t"; # last succ auth
- $line .= "0"."\t"; # last fail auth
- $line .= "0"."\t"; # faild auth count
-
- #################################################################
-
- $line .= "2"."\t"; # type
-
- if(! defined $dataset->{"modifPrinc"}) {
- $data = gen_tl_data($dataset->{"creatDate"}, $dataset->{"creatPrinc"});
- } else {
- $data = gen_tl_data($dataset->{"modifDate"}, $dataset->{"modifPrinc"});
- }
-
- $line .= int(length($data)/2)."\t"; # length data
- $line .= "$data"."\t"; # data
-
- foreach my $h_key (@{$dataset->{"keys"}}) {
-
- $line .= "1"."\t"; # key version
- $line .= $dataset->{"kvno"}."\t"; # kvno
- $line .= $h_key->{"enctype"}."\t"; # enctype / keytype
- $line .= int(length($h_key->{"keyvalue"})/2)."\t"; # key length
- $line .= $h_key->{"keyvalue"}."\t"; # key
- }
- push @mitout, $line."-1;\n"
-}
-
-open(MIT, "> $outfile") or die "Can not open file:$!";
-print MIT "kdb5_util load_dump version 5\n";
-print MIT @mitout;
-close MIT;
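Review bot: Deleting this script removes the only caller of /usr/lib/mit/sbin/EncryptWithMasterKey visible in this diff, so the helper binary and the /usr/lib/mit/helper install path named in the removed README should be dropped from the package in the same change if that has not already been done. The removal is worthwhile in itself. The keyvalue branch built `$encProg -d $dummy -sf $stashfile -e $encType` as one string and ran it in backticks, which put each decrypted key on a command line readable by other local users and passed unquoted values through the shell. It also fell back to `$ekey = $dummy` when the helper printed nothing, so a helper failure wrote the unencrypted key into the output dump without any error.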
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/krb524d.init new/vendor-files/krb524d.init
--- old/vendor-files/krb524d.init 2007-10-18 14:42:01.000000000 +0200
+++ new/vendor-files/krb524d.init 1970-01-01 01:00:00.000000000 +0100
@@ -1,114 +0,0 @@
-#! /bin/sh
-# Copyright (c) 1995-2002 SuSE LINUX Products GmbH, Nuernberg, Germany.
-# All rights reserved.
-#
-# Author: Michael Calmer
-#
-# /etc/init.d/krb524d
-#
-### BEGIN INIT INFO
-# Provides: krb524d
-# Required-Start: $syslog $remote_fs
-# Should-Start: $time
-# Required-Stop: $syslog $remote_fs
-# Should-Stop: $time
-# Default-Start: 3 5
-# Default-Stop: 0 1 2 6
-# Short-Description: Start and stop the krb524 service.
-# Description: Kerberos 5 is a trusted third-party authentication system.
-# This script starts and stops krb524d, which converts
-# Kerberos 5 credentials to Kerberos IV credentials.
-### END INIT INFO
-#
-# krb524 Start and stop the krb524 service.
-#
-# chkconfig: 35 35 65
-# description: Kerberos 5 is a trusted third-party authentication system. \
-# This script starts and stops krb524d, which converts \
-# Kerberos 5 credentials to Kerberos IV credentials.
-# processname: krb524d
-#
-
-RETVAL=0
-prog="Kerberos 5-to-4 Server"
-krb524d=/usr/lib/mit/sbin/krb524d
-krbdir=/var/lib/kerberos/krb5kdc
-
-. /etc/rc.status
-
-# Reset status of this service
-rc_reset
-
-
-# Shell functions to cut down on useless shell instances.
-start() {
- if [ ! -f $krbdir/principal ] ; then
- # Make an educated guess -- if they're using kldap somewhere,
- # then we don't know for sure that this is an error.
- if ! grep -q 'db_library.*=.*kldap' /etc/krb5.conf ; then
- echo "Error. Default principal database does not exist."
- exit 0
- fi
- fi
- echo -n "Starting $prog"
- startproc ${krb524d} -m
-
- # Remember status and be verbose
- rc_status -v
-
-}
-stop() {
- echo -n "Shutting down $prog"
- killproc -TERM ${krb524d}
-
- # Remember status and be verbose
- rc_status -v
-
-}
-reload() {
- echo -n "Reload service $prog"
- killproc ${krb524d} -HUP
-
- rc_status -v
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- try-restart)
- $0 status
- if test $? = 0; then
- $0 restart
- else
- rc_reset # Not running is not a failure.
- fi
- # Remember status and be quiet
- rc_status
- ;;
-
- restart)
- $0 stop
- $0 start
-
- # Remember status and be quiet
- rc_status
- ;;
- reload|force-reload)
- reload
- ;;
- status)
- echo -n "Checking for service $prog"
- checkproc ${krb524d}
- rc_status -v
- ;;
- *)
- echo "Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart}"
- exit 1
- ;;
-esac
-rc_exit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/simple_convert_krb5conf.pl new/vendor-files/simple_convert_krb5conf.pl
--- old/vendor-files/simple_convert_krb5conf.pl 2006-02-03 18:13:29.000000000 +0100
+++ new/vendor-files/simple_convert_krb5conf.pl 1970-01-01 01:00:00.000000000 +0100
@@ -1,53 +0,0 @@
-#! /usr/bin/perl -w
-
-use strict;
-
-if( ! -e "/etc/krb5.conf.heimdal") {
- # nothing to do
- exit 0;
-}
-
-open(KRB5_H, "< /etc/krb5.conf.heimdal")
- or die "Can not open /etc/krb5.conf.heimdal: $!";
-
-my @krb5_h = ;
-
-close KRB5_H;
-
-open(KRB5, "> /etc/krb5.conf")
- or die "Can not open /etc/krb5.conf: $!";
-
-print KRB5 "# WARNING: this configuration file was automatically converted from Heimdal to MIT kerberos.\n";
-print KRB5 "# It is possible that this configuration file does not work\n";
-print KRB5 "# Please check the values.\n";
-
-my $loggingSect = 0;
-
-# replace kpasswd_server with admin_server
-foreach my $line (@krb5_h) {
-
- $line =~ s/kpasswd_server/admin_server/;
- $line =~ s/^\s+#/#/;
-
- if($line =~ /^\s*\[logging\]/) {
- $loggingSect = 1;
- print KRB5 $line;
- next;
- }
- if($loggingSect == 1 && $line =~ /^\s*\[/) {
- $loggingSect = 0;
- }
- if($loggingSect == 1 && $line =~ /^\s*kdc\s*=\s*/) {
- $line = " kdc = FILE:/var/log/krb5/krb5kdc.log\n";
- }
- if($loggingSect == 1 && $line =~ /^\s*kadmind\s*=\s*/) {
- $line = " admin_server = FILE:/var/log/krb5/kadmind.log\n";
- }
- if($loggingSect == 1 && $line =~ /^\s*default\s*=\s*/) {
- $line = " default = SYSLOG:NOTICE:DAEMON\n";
- }
-
- print KRB5 $line;
-}
-
-close KRB5;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...