svn merge -r21791:21820 svn+ssh://wfiveash@svn.mit.edu/krb5/trunk

All conflicts resolved, everything builds.  Did a quick test, seems to
work ok.


git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21822 dc483132-0cff-0310-8789-dd5450dbe970

README

@@ -1,26 +1,26 @@
-		   Kerberos Version 5, Release 1.6
+                   Kerberos Version 5, Release 1.7
 
-			    Release Notes
-			The MIT Kerberos Team
+                            Release Notes
+                        The MIT Kerberos Team
 
 Unpacking the Source Distribution
 ---------------------------------
 
 The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.6.tar.gz.  Instructions on how to extract the entire
+krb5-1.7.tar.gz.  Instructions on how to extract the entire
 distribution follow.
 
 If you have the GNU tar program and gzip installed, you can simply do:
 
-	gtar zxpf krb5-1.6.tar.gz
+        gtar zxpf krb5-1.7.tar.gz
 
 If you don't have GNU tar, you will need to get the FSF gzip
 distribution and use gzcat:
 
-	gzcat krb5-1.6.tar.gz | tar xpf -
+        gzcat krb5-1.7.tar.gz | tar xpf -
 
-Both of these methods will extract the sources into krb5-1.6/src and
-the documentation into krb5-1.6/doc.
+Both of these methods will extract the sources into krb5-1.7/src and
+the documentation into krb5-1.7/doc.
 
 Building and Installing Kerberos 5
 ----------------------------------
@@ -59,108 +59,38 @@ http://krbdev.mit.edu/rt/
 
 and logging in as "guest" with password "guest".
 
-Major changes in 1.6
-----------------------
-
-* Partial client implementation to handle server name referrals.
-
-* Pre-authentication plug-in framework, donated by Red Hat.
-
-* LDAP KDB plug-in, donated by Novell.
-
-krb5-1.6 changes by ticket ID
------------------------------
-
-Listed below are the RT tickets of bugs fixed in krb5-1.6.  Please see
-
-http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.html
-
-for a current listing with links to the complete tickets.
-
-1204 	Unable to get a TGT cross-realm referral
-2087 	undocumented options for kpropd
-2240 	krb5-config --cflags gssapi when used by OpenSSH-snap-20040212
-2579 	kdc: add_to_transited may reference off end of array...
-2652 	Add support for referrals
-2876 	Tree does not compile with GCC 4.0
-2935 	KDB/LDAP backend
-3089 	krb5_verify_init_creds() is not thread safe
-3091 	add krb5_cc_new_unique()
-3276 	local array of structures not declared static
-3288 	NetIdMgr cannot obtain Kerberos 5 tickets containing addresses
-3322 	get_cred_via_tkt() checks too strict on server principal
-3522 	Error code definitions are outside macros to prevent multiple
-	inclusion in public headers
-3735 	Add TCP change/set password support
-3947 	allow multiple calls to krb5_get_error_message to retrieve message
-3955 	check calling conventions specified for Windows
-3961 	fix stdcc.c to build without USE_CCAPI_V3
-4021 	use GSS_C_NO_CHANNEL_BINDINGS not NULL in lib/rpc/auth_gss.c
-4023 	Turn off KLL automatic prompting support in kadmin
-4024 	gss_acquire_cred auto prompt support shouldn't break
-	gss_krb5_ccache_name()
-4025 	need to look harder for tclConfig.sh
-4055 	remove unused Metrowerks support from yarrow
-4056 	g_canon_name.c if-statement warning cleanup
-4057 	GSSAPI opaque types should be pointers to opaque structs, not void*
-4256 	Make process error
-4292 	LDAP error prevents KfM 6.0 from building on Tiger
-4294 	Bad loop logic in krb5_mcc_generate_new
-4304 	audit referals merge (R18598)
-4389 	cursor for iterating over ccaches
-4412 	Don't segfault if a preauth plugin module fails to load
-4455 	IRIX build fails w/ GCC 4.0 (really GNU ld)
-4482 	enabling LDAP mix-in support for kdb5_util load
-4488 	osf1 -oldstyle_liblookup typo
-4495 	Avoid segfault in krb5_do_preauth_tryagain
-4496 	fix invalid access found by valgrind
-4501 	fix krb5_ldap_iterate to handle NULL match_expr and
-	open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN
-4534 	don't confuse profile iterator in 425 princ conversion
-4561 	UC Berkeley BSD license change
-4562 	latest Novell ldap patches and kdb5_util dump support for ldap
-4587 	Change preauth plugin context scope and lifetimes
-4624 	remove t_prf and t_prf.o on make clean
-4625 	Make clean in lib/kdb leaves error table files
-4657 	krb5.h not C++-safe due to "struct krb5_cccol_cursor"
-4683 	Remove obsolete/conflicting prototype for krb524_convert_princs
-4688 	Add public function to get keylenth associated with an enctype
-4689 	Update minor version numbers for 1.6
-4690 	Add "get_data" function to the client preauth plugin interface
-4692 	Document changing the krbtgt key
-4693 	Delay kadmind random number initialization until after fork
-4735 	more Novell ldap patches from Nov 6 and Fix for wrong password
-	policy reference count
-4737 	correct client preauth plugin request_context
-4738 	allow server preauth plugin verify_padata function to return e-data
-4739 	cccursor backend for CCAPI
-4755 	update copyrights and acknowledgments
-4770 	Add macros for __attribute__((deprecated)) for krb4 and des APIs
-4771 	LDAP patch from Novell, 2006-10-13
-4772 	fix some warnings in ldap code
-4774 	avoid double frees in ccache manipulation around gen_new
-4775 	include realm in "can't resolve KDC" error message
-4784 	krb5_stdccv3_generate_new returns NULL ccache
-4788 	ccache double free in krb5_fcc_read_addrs().
-4799 	krb5_c_keylength -> krb5_c_keylengths; add krb5_c_random_to_key
-4805 	replace existing calls of cc_gen_new()
-4841 	free error message when freeing context
-4846 	clean up preauth2 salt debug code
-4860 	fix LDAP plugin Makefile.in lib frag substitutions
-4928 	krb5int_copy_data_contents shouldn't free memory it didn't allocate
-4941 	referrals changes to telnet have unconditional debugging printfs
-4942 	skip all modules in plugin if init function fails
-4955 	Referrals code breaks krb5_set_password_using_ccache to Active
-	Directory
-4967 	referrals support assumes all rewrites produce TGS principals
-4972 	return edata from non-PA_REQUIRED preauth types
-4973 	send a new request with the new padata returned by
-	krb5_do_preauth_tryagain()
+Major changes in 1.7
+--------------------
+
+* Remove support for version 4 of the Kerberos protocol (krb4).
+
+* Client library now follows client principal referrals.
+
+* KDC can issue realm referrals for service principals based on domain
+  names.
+
+* Encryption algorithm negotiation (RFC 4537).
+
+* In the replay cache, use a hash over the complete ciphertext to
+  avoid false-positive replay indications.
+
+* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+  similar to the equivalent SSPI functionality.
+
+* DCE RPC, including three-leg GSS context setup and unencapsulated
+  GSS tokens.
+
+* Microsoft set/change password (RFC 3244) protocol in kadmind.
+
+* Master key rollover support.
+
+Changes by ticket ID
+--------------------
 
 Copyright and Other Legal Notices
 ---------------------------------
 
-Copyright (C) 1985-2007 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2009 by the Massachusetts Institute of Technology.
 
 All rights reserved.
 
@@ -201,7 +131,7 @@ manner.  It does NOT prevent a commercial firm from referring to the
 MIT trademarks in order to convey information (although in doing so,
 recognition of their trademark status should be given).
 
-			 --------------------
+                         --------------------
 
 Portions of src/lib/crypto have the following copyright:
 
@@ -230,7 +160,7 @@ Portions of src/lib/crypto have the following copyright:
   WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 
 
-			 --------------------
+                         --------------------
 
 The following copyright and permission notice applies to the
 OpenVision Kerberos Administration system located in kadmin/create,
@@ -270,14 +200,14 @@ of lib/rpc:
   and our gratitude for the valuable work which has been 
   performed by MIT and the Kerberos community.
 
-			 --------------------
+                         --------------------
 
   Portions contributed by Matt Crawford <crawdad@fnal.gov> were
   work performed at Fermi National Accelerator Laboratory, which is
   operated by Universities Research Association, Inc., under
   contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
 
-			 --------------------
+                         --------------------
 
 The implementation of the Yarrow pseudo-random number generator in
 src/lib/crypto/yarrow has the following copyright:
@@ -303,7 +233,7 @@ src/lib/crypto/yarrow has the following copyright:
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
   OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-			 --------------------
+                         --------------------
 
 The implementation of the AES encryption algorithm in
 src/lib/crypto/aes has the following copyright:
@@ -332,7 +262,7 @@ src/lib/crypto/aes has the following copyright:
   in respect of any properties, including, but not limited to, correctness 
   and fitness for purpose.
 
-			 --------------------
+                         --------------------
 
 Portions contributed by Red Hat, including the pre-authentication
 plug-ins framework, contain the following copyright:
@@ -369,7 +299,7 @@ plug-ins framework, contain the following copyright:
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-			 --------------------
+                         --------------------
 
 The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
 src/lib/gssapi, including the following files:
@@ -452,7 +382,7 @@ are subject to the following license:
   TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
   SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-			 --------------------
+                         --------------------
 
 MIT Kerberos includes documentation and software developed at the
 University of California at Berkeley, which includes this copyright
@@ -489,7 +419,7 @@ notice:
   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.
 
-			 --------------------
+                         --------------------
 
 Portions contributed by Novell, Inc., including the LDAP database
 backend, are subject to the following license:
@@ -501,12 +431,12 @@ backend, are subject to the following license:
   modification, are permitted provided that the following conditions are met:
 
     * Redistributions of source code must retain the above copyright notice,
-	this list of conditions and the following disclaimer.
+        this list of conditions and the following disclaimer.
     * Redistributions in binary form must reproduce the above copyright
-	notice, this list of conditions and the following disclaimer in the
-	documentation and/or other materials provided with the distribution.
+        notice, this list of conditions and the following disclaimer in the
+        documentation and/or other materials provided with the distribution.
     * The copyright holder's name is not used to endorse or promote products
-	derived from this software without specific prior written permission.
+        derived from this software without specific prior written permission.
 
   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -692,5 +622,5 @@ Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
 Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
 Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
 Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
-Vale, Tom Yu.
+Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
+Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.

src/appl/gssftp/ftpd/ftpd.M

@@ -122,12 +122,6 @@ file to use.  The default value is normally
 \fB\-u\fP \fIumask\fP
 Sets the umask for the ftpd process.  The default value is normally 027.
 .TP
-\fB\-r\fP \fIrealm-file\fP
-Sets the name of the
-.I krb.conf
-file to use.  The default value is normally set by
-.IR /etc/krb5.conf .
-.TP
 \fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}
 Controls the form of the remote hostname passed to login(1).
 Specifying \fBip\fP results in the numeric IP address always being

src/appl/gssftp/ftpd/ftpd.c

@@ -276,7 +276,7 @@ main(argc, argv, envp)
 	int addrlen, c, on = 1, tos, port = -1;
 	extern char *optarg;
 	extern int optopt;
-	char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
+	char *option_string = "AaCcdElp:T:t:U:u:vw:";
 	ftpusers = _PATH_FTPUSERS_DEFAULT;
 
 	debug = 0;
@@ -334,10 +334,6 @@ main(argc, argv, envp)
 			port = atoi(optarg);
 			break;
 
-		case 'r':
-			setenv("KRB_CONF", optarg, 1);
-			break;
-
 		case 't':
 			timeout = atoi(optarg);
 			if (maxtimeout < timeout)

src/config-files/krb5.conf

@@ -1,7 +1,5 @@
 [libdefaults]
 	default_realm = ATHENA.MIT.EDU
-	krb4_config = /usr/kerberos/lib/krb.conf
-	krb4_realms = /usr/kerberos/lib/krb.realms
 
 [realms]
 	ATHENA.MIT.EDU = {

src/config-files/krb5.conf.M

@@ -176,18 +176,6 @@ do not support the default cache as created by this version of
 Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
 DCE 1.1 systems.
 
-.IP krb4_srvtab 
-Specifies the location of the Kerberos V4 srvtab file.  Default is
-"/etc/srvtab".
-
-.IP krb4_config
-Specifies the location of the Kerberos V4 configuration file.  Default
-is "/etc/krb.conf".
-
-.IP krb4_realms
-Specifies the location of the Kerberos V4 domain/realm translation
-file.  Default is "/etc/krb.realms".
-
 .IP dns_lookup_kdc
 Indicate whether DNS SRV records shoud be used to locate the KDCs and 
 other servers for a realm, if they are not listed in the information 

src/include/adm.h

@@ -1,7 +1,7 @@
 /*
  * include/krb5/adm.h
  *
- * Copyright 1995,2001 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -200,6 +200,8 @@ typedef struct __krb5_realm_params {
     char *		realm_kdc_ports;
     char *		realm_kdc_tcp_ports;
     char *		realm_acl_file;
+    char *              realm_host_based_services;
+    char *              realm_no_host_referral;
     krb5_int32		realm_kadmind_port;
     krb5_enctype	realm_enctype;
     krb5_deltat		realm_max_life;

src/include/adm_proto.h

@@ -1,7 +1,7 @@
 /*
  * include/krb5/adm_proto.h
  *
- * Copyright 1995, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2007,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -83,6 +83,8 @@ krb5_error_code krb5_aprof_get_deltat
 	 krb5_deltat *);
 krb5_error_code krb5_aprof_get_string
 	(krb5_pointer, const char **, krb5_boolean, char **);
+krb5_error_code krb5_aprof_get_string_all
+        (krb5_pointer, const char **,  char **);
 krb5_error_code krb5_aprof_get_int32
 	(krb5_pointer,
 	 const char **,

src/include/k5-int.h

@@ -527,6 +527,9 @@ krb5_error_code os_get_default_config_files
 krb5_error_code krb5_os_hostaddr
 	(krb5_context, const char *, krb5_address ***);
 
+krb5_error_code krb5int_get_domain_realm_mapping
+        (krb5_context , const char *, char ***);
+
 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
    going to use this structure.  */
 struct addrlist {