krb5.spec
4041 lines (3118 loc) · 160 KB
%bcond_without check
%if %{without check}
%global skipcheck 1
%endif
# COPR doesn't work right with the tests. I suspect keyring issues,
# but can't actually debug, so...
%if 0%{?copr_username:1}
%global skipcheck 1
%endif
# There are 0 test machines for this architecture, very few builders, and
# they're not very well provisioned / maintained. I can't support it.
# Patches welcome, but there's nothing I can do - it fails more than half the
# time for "infrastructure issues" that I can't hope to debug.
%ifarch s390x
%global skipcheck 1
%endif
# RHEL runs upstream's test suite in a separate pass after build.
%if 0%{?rhel}
%global skipcheck 1
%endif
# Set this so that find-lang.sh will recognize the .po files.
%global gettext_domain mit-krb5
# Guess where the -libs subpackage's docs are going to go.
%define libsdocdir %{?_pkgdocdir:%(echo %{_pkgdocdir} | sed -e s,krb5,krb5-libs,g)}%{!?_pkgdocdir:%{_docdir}/%{name}-libs-%{version}}
# Figure out where the default ccache lives and how we set it.
%global configure_default_ccache_name 1
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
# for prereleases, % global prerelease beta1
%if %{defined prerelease}
%global dashpre -%{prerelease}
%global zdpd 0.%{prerelease}.
%endif
# Should be in form 5.0, 6.1, etc.
%global kdbversion 8.0
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
Release: %{?zdpd}4%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz.asc
# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service
Source4: kadmin.service
Source5: krb5kdc.service
Source6: krb5.conf
Source10: kdc.conf
Source11: kadm5.acl
Source19: krb5kdc.sysconfig
Source20: kadmin.sysconfig
Source21: kprop.sysconfig
Source29: ksu.pamd
Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
Source39: krb5-krb5kdc.conf
Patch0: downstream-ksu-pam-integration.patch
Patch1: downstream-SELinux-integration.patch
Patch3: downstream-netlib-and-dns.patch
Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
Patch5: downstream-Remove-3des-support.patch
Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch8: Add-APIs-for-marshalling-credentials.patch
Patch9: Add-hostname-canonicalization-helper-to-k5test.py.patch
Patch10: Support-host-based-GSS-initiator-names.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
BuildRequires: gcc, gcc-c++
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
BuildRequires: gzip, ncurses-devel
BuildRequires: python3, python3-sphinx
BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
BuildRequires: libselinux-devel
BuildRequires: pam-devel
BuildRequires: systemd-units
BuildRequires: tcl-devel
BuildRequires: libverto-devel
BuildRequires: openldap-devel
BuildRequires: lmdb-devel
BuildRequires: perl-interpreter
# For autosetup
BuildRequires: git
%if 0%{?skipcheck}
%else
BuildRequires: dejagnu
BuildRequires: net-tools, rpcbind
BuildRequires: hostname
BuildRequires: iproute
BuildRequires: python3-pyrad
%endif
# Need KDFs. This is the backported version
BuildRequires: openssl-devel >= 1:1.1.1d-4
BuildRequires: openssl-devel < 1:3.0.0
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.
%package devel
Summary: Development files needed to compile Kerberos 5 programs
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: libkadm5%{?_isa} = %{version}-%{release}
Requires: libcom_err-devel
Requires: keyutils-libs-devel, libselinux-devel
Requires: libverto-devel
Provides: krb5-kdb-devel-version = %{kdbversion}
# IPA wants ^ to be a separate symbol because they don't trust package
# managers to match -server and -devel in version. Just go with it.
%description devel
Kerberos is a network authentication system. The krb5-devel package
contains the header files and libraries needed for compiling Kerberos
5 programs. If you want to develop Kerberos-aware programs, you need
to install this package.
%package libs
Summary: The non-admin shared libraries used by Kerberos 5
Requires: openssl-libs >= 1:1.1.1d-4
Requires: coreutils, gawk, grep, sed
Requires: keyutils-libs >= 1.5.8
Requires: /etc/crypto-policies/back-ends/krb5.config
%description libs
Kerberos is a network authentication system. The krb5-libs package
contains the shared libraries needed by Kerberos 5. If you are using
Kerberos, you need to install this package.
%package server
Summary: The KDC and related programs for Kerberos 5
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-pkinit%{?_isa} = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
# we drop files in its directory, but we don't want to own that directory
Requires: logrotate
# we specify /usr/share/dict/words as the default dict_file in kdc.conf
Requires: /usr/share/dict/words
# for run-time, and for parts of the test suite
BuildRequires: libverto-module-base
Requires: libverto-module-base
Requires: libkadm5%{?_isa} = %{version}-%{release}
Provides: krb5-kdb-version = %{kdbversion}
%description server
Kerberos is a network authentication system. The krb5-server package
contains the programs that must be installed on a Kerberos 5 key
distribution center (KDC). If you are installing a Kerberos 5 KDC,
you need to install this package (in other words, most people should
NOT install this package).
%package server-ldap
Summary: The LDAP storage plugin for the Kerberos 5 KDC
Requires: %{name}-server%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: libkadm5%{?_isa} = %{version}-%{release}
%description server-ldap
Kerberos is a network authentication system. The krb5-server package
contains the programs that must be installed on a Kerberos 5 key
distribution center (KDC). If you are installing a Kerberos 5 KDC,
and you wish to use a directory server to store the data for your
realm, you need to install this package.
%package workstation
Summary: Kerberos 5 programs for use on workstations
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-pkinit%{?_isa} = %{version}-%{release}
Requires: libkadm5%{?_isa} = %{version}-%{release}
%description workstation
Kerberos is a network authentication system. The krb5-workstation
package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd). If your network uses Kerberos, this package should be
installed on every workstation.
%package pkinit
Summary: The PKINIT module for Kerberos 5
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Obsoletes: krb5-pkinit-openssl < %{version}-%{release}
Provides: krb5-pkinit-openssl = %{version}-%{release}
%description pkinit
Kerberos is a network authentication system. The krb5-pkinit
package contains the PKINIT plugin, which allows clients
to obtain initial credentials from a KDC using a private key and a
certificate.
%package -n libkadm5
Summary: Kerberos 5 Administrative libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n libkadm5
Kerberos is a network authentication system. The libkadm5 package
contains only the libkadm5clnt and libkadm5serv shared objects. This
interface is not considered stable.
%prep
%autosetup -S git_am -n %{name}-%{version}%{?dashpre}
ln NOTICE LICENSE
# Generate an FDS-compatible LDIF file.
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
cat > '60kerberos.ldif' << EOF
# This is a variation on kerberos.ldif which 389 Directory Server will like.
dn: cn=schema
EOF
grep -Eiv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif
touch -r $inldif 60kerberos.ldif
# Rebuild the configure scripts.
pushd src
autoreconf -fiv
popd
# Mess with some of the default ports that we use for testing, so that multiple
# builds going on the same host don't step on each other.
cfg="src/kadmin/testing/proto/kdc.conf.proto \
src/kadmin/testing/proto/krb5.conf.proto \
src/lib/kadm5/unit-test/api.current/init-v2.exp \
src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
sed -i -e s,61000,`expr "$PORT" + 0`,g $cfg
PORT=`expr 1750 + $LONG_BIT - 48`
sed -i -e s,1750,`expr "$PORT" + 0`,g $cfg
sed -i -e s,1751,`expr "$PORT" + 1`,g $cfg
sed -i -e s,1752,`expr "$PORT" + 2`,g $cfg
PORT=`expr 8888 + $LONG_BIT - 48`
sed -i -e s,8888,`expr "$PORT" - 0`,g $cfg
sed -i -e s,8887,`expr "$PORT" - 1`,g $cfg
sed -i -e s,8886,`expr "$PORT" - 2`,g $cfg
PORT=`expr 7777 + $LONG_BIT - 48`
sed -i -e s,7777,`expr "$PORT" + 0`,g $cfg
sed -i -e s,7778,`expr "$PORT" + 1`,g $cfg
%build
# Go ahead and supply tcl info, because configure doesn't know how to find it.
source %{_libdir}/tclConfig.sh
pushd src
# This should be safe to remove once we have autoconf >= 2.70
export runstatedir=/run
# Work out the CFLAGS and CPPFLAGS which we intend to use.
INCLUDES=-I%{_includedir}/et
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
CPPFLAGS="`echo $DEFINES $INCLUDES`"
%configure \
CC="%{__cc}" \
CFLAGS="$CFLAGS" \
CPPFLAGS="$CPPFLAGS" \
SS_LIB="-lss" \
--enable-shared \
--runstatedir=/run \
--localstatedir=%{_var}/kerberos \
--disable-rpath \
--without-krb5-config \
--with-system-et \
--with-system-ss \
--with-netlib=-lresolv \
--with-tcl \
--enable-dns-for-realm \
--with-ldap \
--with-dirsrv-account-locking \
--enable-pkinit \
--with-crypto-impl=openssl \
--with-tls-impl=openssl \
--with-system-verto \
--with-pam \
--with-selinux \
--with-prng-alg=os \
--with-lmdb \
|| (cat config.log; exit 1)
# Sanity check the KDC_RUN_DIR.
pushd include
make osconf.h
popd
configured_dir=`grep KDC_RUN_DIR include/osconf.h | awk '{print $NF}'`
configured_dir=`eval echo $configured_dir`
if test "$configured_dir" != /run/krb5kdc ; then
echo Failed to configure KDC_RUN_DIR.
exit 1
fi
# Build fast, but get better errors if we fail
make %{?_smp_mflags} || make -j1
popd
# Build the docs.
make -C src/doc paths.py version.py
cp src/doc/paths.py doc/
mkdir -p build-man build-html
sphinx-build -a -b man -t pathsubs doc build-man
sphinx-build -a -b html -t pathsubs doc build-html
rm -fr build-html/_sources
%if 0%{?skipcheck}
%else
%check
pushd src
# The build system may give us a revoked session keyring, so run affected
# tests with a new one.
keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
popd
%endif
%install
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
# Sample KDC config files (bundled kdc.conf and kadm5.acl).
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
install -pm 600 %{SOURCE10} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
install -pm 600 %{SOURCE11} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5/user
# Default configuration file for everything.
mkdir -p $RPM_BUILD_ROOT/etc
install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
# Default include on this directory
mkdir -p $RPM_BUILD_ROOT/etc/krb5.conf.d
ln -sv /etc/crypto-policies/back-ends/krb5.config $RPM_BUILD_ROOT/etc/krb5.conf.d/crypto-policies
# Parent of configuration file for list of loadable GSS mechs ("mechs"). This
# location is not relative to sysconfdir, but is hard-coded in g_initialize.c.
mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss
# Parent of groups of configuration files for a list of loadable GSS mechs
# ("mechs"). This location is not relative to sysconfdir, and is also
# hard-coded in g_initialize.c.
mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss/mech.d
# If the default configuration needs to start specifying a default cache
# location, add it now, then fixup the timestamp so that it looks the same.
%if 0%{?configure_default_ccache_name}
export DEFCCNAME="%{configured_default_ccache_name}"
awk '{print}
/^# default_realm/{print " default_ccache_name =", ENVIRON["DEFCCNAME"]}' \
%{SOURCE6} > $RPM_BUILD_ROOT/etc/krb5.conf
touch -r %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
grep default_ccache_name $RPM_BUILD_ROOT/etc/krb5.conf
%endif
# Server init scripts (krb5kdc,kadmind,kpropd) and their sysconfig files.
mkdir -p $RPM_BUILD_ROOT%{_unitdir}
for unit in \
%{SOURCE5}\
%{SOURCE4} \
%{SOURCE2} ; do
# In the past, the init script was supposed to be named after the service
# that the started daemon provided. Changing their names is an
# upgrade-time problem I'm in no hurry to deal with.
install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir}
done
mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
for sysconfig in %{SOURCE19} %{SOURCE20} %{SOURCE21} ; do
install -pm 644 ${sysconfig} \
$RPM_BUILD_ROOT/etc/sysconfig/`basename ${sysconfig} .sysconfig`
done
# logrotate configuration files
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d/
for logrotate in \
%{SOURCE33} \
%{SOURCE34} ; do
install -pm 644 ${logrotate} \
$RPM_BUILD_ROOT/etc/logrotate.d/`basename ${logrotate} .logrotate`
done
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
for pam in %{SOURCE29} ; do
install -pm 644 ${pam} \
$RPM_BUILD_ROOT/etc/pam.d/`basename ${pam} .pamd`
done
# Plug-in directories.
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# The rest of the binaries, headers, libraries, and docs.
%make_install -C src EXAMPLEDIR=%{libsdocdir}/examples
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Temporary workaround for krb5-config reading too much from LDFLAGS.
# Upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8159
sed -r -i -e "s/-specs=\/.+?\/redhat-hardened-ld//g" $RPM_BUILD_ROOT%{_bindir}/krb5-config
if [[ "$(< $RPM_BUILD_ROOT%{_bindir}/krb5-config )" == *redhat-hardened-ld* ]] ; then
printf '# redhat-hardened-ld for krb5-config failed' 1>&2
exit 1
fi
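The krb5-config munging above strips a build-host-only linker spec from a script that every downstream consumer of `krb5-config --libs` will execute, and then refuses to package the result if any residue is left. The following is an added example, not code from the krb5 spec or the krb5 project, that does the same two steps as functions on an arbitrary file and keeps the spec's post-condition check. The sample krb5-config content is constructed for the example; the real script is generated by configure.

```shell
#!/bin/sh
# Added example, not part of the krb5 spec or the krb5 project: the krb5-config
# cleanup from the spec's %install, with the post-condition check it relies on,
# as functions that run on any file. The sample krb5-config below is
# constructed for this example; the real one is generated by configure.
set -eu

write_sample_krb5_config() {
    cat > "$1" <<'EOF'
#!/bin/sh
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib64
LDFLAGS='-Wl,-z,relro -Wl,--as-needed -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1'
EOF
}

# Rewrite libdir to the multilib-neutral path and drop the build host's
# -specs=.../redhat-hardened-ld from every line, so consumers of
# "krb5-config --libs" do not inherit a path that only exists on the builder.
# The spec's ERE ".+?" is not a lazy match (POSIX ERE has none; GNU reads it
# as "(.+)?"), so it spans to the last redhat-hardened-ld on the line.
# "[^ ]*" stops at the next space and removes each occurrence separately.
sanitize_krb5_config() {
    f=$1
    tmp="$f.tmp.$$"
    sed -e 's|^libdir=/usr/lib64$|libdir=/usr/lib|' \
        -e 's| *-specs=/[^ ]*/redhat-hardened-ld||g' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# The spec's post-condition: no redhat-hardened-ld residue anywhere. Returns
# 0 when clean, 1 otherwise (the spec aborts the build in that case).
check_krb5_config() {
    ! grep -q 'redhat-hardened-ld' "$1"
}

# The LDFLAGS line as consumers will see it.
ldflags_line() {
    grep '^LDFLAGS=' "$1"
}

demo() {
    dir=$(mktemp -d)
    f="$dir/krb5-config"
    write_sample_krb5_config "$f"
    sanitize_krb5_config "$f"
    if check_krb5_config "$f"; then
        ldflags_line "$f"
    else
        echo 'redhat-hardened-ld residue in krb5-config' >&2
    fi
    rm -rf "$dir"
}

demo
```

Run it against a real build root with `sanitize_krb5_config "$RPM_BUILD_ROOT/usr/bin/krb5-config" && check_krb5_config "$RPM_BUILD_ROOT/usr/bin/krb5-config" || exit 1` to reproduce the spec's behaviour; the check deliberately greps the whole file rather than only the LDFLAGS line, so a spec file path leaking into CFLAGS or CPPFLAGS is caught too.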
# Install processed man pages.
for section in 1 5 8 ; do
install -m 644 build-man/*.${section} \
$RPM_BUILD_ROOT/%{_mandir}/man${section}/
done
# I'm tired of warnings about these not having man pages
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/sim_server"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/gss-server"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/uuserver"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/sim_client"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/gss-client"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/uuclient"
# These files are already packaged elsewhere
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
# This is only needed for tests
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
%find_lang %{gettext_domain}
%ldconfig_scriptlets libs
%triggerun libs -- krb5-libs < 1.15.1-5
if ! grep -q 'includedir /etc/krb5.conf.d' /etc/krb5.conf ; then
sed -i '1i # To opt out of the system crypto-policies configuration of krb5, remove the\n# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.\nincludedir /etc/krb5.conf.d/\n' /etc/krb5.conf
fi
exit 0
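Two of the spec's edits to /etc/krb5.conf carry the security-relevant defaults of this package: the %install step inserts `default_ccache_name = KEYRING:persistent:%{uid}` after the `# default_realm` anchor, and the %triggerun above prepends `includedir /etc/krb5.conf.d/` on upgrade so that the crypto-policies symlink takes effect (removing that symlink is the documented opt-out). The following is an added example, not code from the krb5 spec or the krb5 project, that performs both edits as idempotent functions on any path, which is what a scriptlet that may run on every upgrade needs. The sample krb5.conf is constructed for the example; `%{uid}` is krb5's own runtime token and is written literally.

```shell
#!/bin/sh
# Added example, not part of the krb5 spec or the krb5 project: the two
# krb5.conf edits from the spec (%install inserts default_ccache_name after the
# "# default_realm" anchor; %triggerun prepends the includedir) as idempotent
# functions that work on any path. The sample krb5.conf below is constructed
# for this example.
set -eu

write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 rdns = false
# default_realm = EXAMPLE.COM

[realms]
EOF
}

# Insert "default_ccache_name = <name>" right after the "# default_realm"
# anchor, using the same awk program as the spec. The literal %{uid} is
# expanded by libkrb5 at runtime, not here. A second call is a no-op, so the
# function is safe to run from a scriptlet on every upgrade.
add_default_ccache_name() {
    conf=$1
    ccname='KEYRING:persistent:%{uid}'
    if [ $# -ge 2 ]; then
        ccname=$2
    fi
    if grep -q '^[[:space:]]*default_ccache_name' "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    DEFCCNAME=$ccname awk '{print}
        /^# default_realm/{print " default_ccache_name =", ENVIRON["DEFCCNAME"]}' \
        "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Prepend the includedir header the spec's %triggerun adds, unless the file
# already includes /etc/krb5.conf.d. The spec uses GNU "sed -i '1i ...'"; this
# rewrites through a temp file so it also runs on non-GNU sed.
ensure_includedir() {
    conf=$1
    if grep -q 'includedir /etc/krb5.conf.d' "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    {
        printf '%s\n' \
            '# To opt out of the system crypto-policies configuration of krb5, remove the' \
            '# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.' \
            'includedir /etc/krb5.conf.d/' \
            ''
        cat "$conf"
    } > "$tmp"
    mv "$tmp" "$conf"
}

# Number of lines matching a basic regex; "|| true" keeps grep's exit status 1
# on zero matches from tripping set -e.
count_matches() {
    grep -c "$1" "$2" || true
}

# The line following the first "# default_realm" anchor, where the ccache
# setting must land.
line_after_anchor() {
    awk '/^# default_realm/{getline; print; exit}' "$1"
}

demo() {
    dir=$(mktemp -d)
    conf="$dir/krb5.conf"
    write_sample_krb5_conf "$conf"
    add_default_ccache_name "$conf"
    add_default_ccache_name "$conf"   # no-op on second run
    ensure_includedir "$conf"
    ensure_includedir "$conf"         # no-op on second run
    cat "$conf"
    rm -rf "$dir"
}

demo
```

Both functions test for the setting before writing it, which the spec's %triggerun also does for the includedir; the %install awk does not need that guard because it only ever runs against the pristine packaged krb5.conf.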
%ldconfig_scriptlets server-ldap
%post server
%systemd_post krb5kdc.service kadmin.service kprop.service
# assert sanity. A cleaner solution probably exists but it is opaque
/bin/systemctl daemon-reload
exit 0
%preun server
%systemd_preun krb5kdc.service kadmin.service kprop.service
exit 0
%postun server
%systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service
exit 0
%ldconfig_scriptlets -n libkadm5
%files workstation
%doc src/config-files/services.append
%doc src/config-files/krb5.conf
%doc build-html/*
%attr(0755,root,root) %doc src/config-files/convert-config-files
# Clients of the KDC, including tools you're likely to need if you're running
# app servers other than those built from this source package.
%{_bindir}/kdestroy
%{_mandir}/man1/kdestroy.1*
%{_bindir}/kinit
%{_mandir}/man1/kinit.1*
%{_bindir}/klist
%{_mandir}/man1/klist.1*
%{_bindir}/kpasswd
%{_mandir}/man1/kpasswd.1*
%{_bindir}/kswitch
%{_mandir}/man1/kswitch.1*
%{_bindir}/kvno
%{_mandir}/man1/kvno.1*
%{_bindir}/kadmin
%{_mandir}/man1/kadmin.1*
%{_bindir}/k5srvutil
%{_mandir}/man1/k5srvutil.1*
%{_bindir}/ktutil
%{_mandir}/man1/ktutil.1*
# Doesn't really fit anywhere else.
%attr(4755,root,root) %{_bindir}/ksu
%{_mandir}/man1/ksu.1*
%config(noreplace) /etc/pam.d/ksu
%files server
%docdir %{_mandir}
%doc src/config-files/kdc.conf
%{_unitdir}/krb5kdc.service
%{_unitdir}/kadmin.service
%{_unitdir}/kprop.service
%{_tmpfilesdir}/krb5-krb5kdc.conf
%dir %{_localstatedir}/run/krb5kdc
%config(noreplace) /etc/sysconfig/krb5kdc
%config(noreplace) /etc/sysconfig/kadmin
%config(noreplace) /etc/sysconfig/kprop
%config(noreplace) /etc/logrotate.d/krb5kdc
%config(noreplace) /etc/logrotate.d/kadmind
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5kdc
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/authdata
%{_libdir}/krb5/plugins/preauth/otp.so
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/kdb/klmdb.so
# KDC binaries and configuration.
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man5/kdc.conf.5*
%{_sbindir}/kadmin.local
%{_mandir}/man8/kadmin.local.8*
%{_sbindir}/kadmind
%{_mandir}/man8/kadmind.8*
%{_sbindir}/kdb5_util
%{_mandir}/man8/kdb5_util.8*
%{_sbindir}/kprop
%{_mandir}/man8/kprop.8*
%{_sbindir}/kpropd
%{_mandir}/man8/kpropd.8*
%{_sbindir}/kproplog
%{_mandir}/man8/kproplog.8*
%{_sbindir}/krb5kdc
%{_mandir}/man8/krb5kdc.8*
# This is here for people who want to test their server. It was formerly also
# included in -devel.
%{_bindir}/sclient
%{_mandir}/man1/sclient.1*
%{_sbindir}/sserver
%{_mandir}/man8/sserver.8*
%files server-ldap
%docdir %{_mandir}
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%doc 60kerberos.ldif
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%{_libdir}/krb5/plugins/kdb/kldap.so
%{_libdir}/libkdb_ldap.so
%{_libdir}/libkdb_ldap.so.*
%{_mandir}/man8/kdb5_ldap_util.8.gz
%{_sbindir}/kdb5_ldap_util
%files libs -f %{gettext_domain}.lang
%doc README NOTICE
%{!?_licensedir:%global license %%doc}
%license LICENSE
%docdir %{_mandir}
# These are hard-coded, not-dependent-on-the-configure-script paths.
%dir /etc/gss
%dir /etc/gss/mech.d
%dir /etc/krb5.conf.d
%config(noreplace) /etc/krb5.conf
%config(noreplace,missingok) /etc/krb5.conf.d/crypto-policies
/%{_mandir}/man5/.k5identity.5*
/%{_mandir}/man5/.k5login.5*
/%{_mandir}/man5/k5identity.5*
/%{_mandir}/man5/k5login.5*
/%{_mandir}/man5/krb5.conf.5*
/%{_mandir}/man7/kerberos.7*
%{_libdir}/libgssapi_krb5.so.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/*
%{_libdir}/krb5/plugins/tls/k5tls.so
%{_libdir}/krb5/plugins/preauth/spake.so
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5
%dir %{_var}/kerberos/krb5/user
%files pkinit
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files devel
%docdir %{_mandir}
%{_includedir}/*
%{_libdir}/libgssapi_krb5.so
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrad.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/pkgconfig/*
%{_bindir}/krb5-config
%{_mandir}/man1/krb5-config.1*
%files -n libkadm5
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
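The %install and %files sections above fix the modes that matter for this package: kdc.conf and kadm5.acl are installed 0600, ksu is a setuid-root binary at 4755, and the plugin directories that libkrb5 and the KDC load code from are 0755. The following is an added example, not code from the krb5 spec or the krb5 project, that audits an installed tree against those modes so that a sloppy `chmod` after deployment is caught. It assumes the paths `_var=/var`, `_bindir=/usr/bin` and `_libdir=/usr/lib64`, and GNU coreutils `stat`; the tree it builds for the demo is constructed, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the krb5 spec or the krb5 project: audit an
# installed tree against the file modes the spec's %install and %files sections
# set. $1 is the root to audit ("/" on a live host, or an RPM build root).
# Assumptions for the paths: _var=/var, _bindir=/usr/bin, _libdir=/usr/lib64,
# and GNU coreutils stat.
set -u

# One "mode path" pair per line: kdc.conf and kadm5.acl carry KDC policy and
# are installed 0600; ksu is setuid root, so 4755 and nothing looser; plugin
# directories are 0755 (a writable plugin directory lets any local user load
# code into the KDC or into every libkrb5 client).
expected_modes() {
    cat <<'EOF'
600 var/kerberos/krb5kdc/kdc.conf
600 var/kerberos/krb5kdc/kadm5.acl
4755 usr/bin/ksu
755 usr/lib64/krb5/plugins/preauth
755 usr/lib64/krb5/plugins/kdb
755 usr/lib64/krb5/plugins/authdata
EOF
}

# Octal mode of a path (GNU stat; setuid shows as a leading 4).
mode_of() {
    stat -c '%a' "$1"
}

# Print one line per mismatch ("MISSING path" or "BAD path have=.. want=..")
# and return 1 if there was any; return 0 and print nothing when all match.
# A missing kadm5.acl is a mismatch, not a skip: kadmind without its ACL is a
# misconfiguration a deployment check should fail on.
audit_modes() {
    root=${1%/}
    if expected_modes | while read -r want rel; do
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            continue
        fi
        have=$(mode_of "$path")
        [ "$have" = "$want" ] || echo "BAD $path have=$have want=$want"
    done | grep .; then
        return 1
    fi
    return 0
}

# Constructed tree that mirrors the spec's install steps, for running the
# audit offline.
make_sample_tree() {
    base=$1
    kdc="$base/var/kerberos/krb5kdc"
    plugins="$base/usr/lib64/krb5/plugins"
    mkdir -p "$kdc" "$base/usr/bin" "$plugins/preauth" "$plugins/kdb" "$plugins/authdata"
    : > "$kdc/kdc.conf"
    : > "$kdc/kadm5.acl"
    : > "$base/usr/bin/ksu"
    chmod 600 "$kdc/kdc.conf" "$kdc/kadm5.acl"
    chmod 4755 "$base/usr/bin/ksu"
    chmod 755 "$plugins/preauth" "$plugins/kdb" "$plugins/authdata"
}

demo() {
    dir=$(mktemp -d)
    make_sample_tree "$dir"
    if audit_modes "$dir"; then
        echo "OK: all modes match"
    fi
    chmod 644 "$dir/var/kerberos/krb5kdc/kadm5.acl"   # simulate a sloppy edit
    audit_modes "$dir" || echo "FAIL: see above"
    rm -rf "$dir"
}

demo
```

On a packaged system `rpm -V krb5-server krb5-workstation` reports the same mode drift for files the package owns; the function above is for build roots, container images and hosts where the files were laid down without RPM.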
%changelog
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.1-3.1
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Mar 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-3
- Further test dependency fixes; no code changes
* Mon Mar 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-2
- Make test dependencies contingent on skipcheck; no code changes
* Thu Feb 18 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-1
- New upstream version (1.19.1)
* Wed Feb 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-3
- Restore krb5_set_default_tgs_ktypes()
* Fri Feb 05 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-2
- No code change; just coping with reverted autoconf
* Tue Feb 02 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-1
- New upstream version (1.19)
* Thu Jan 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta2.5
- Support host-based GSS initiator names
* Thu Jan 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta2.4
- Require krb5-pkinit from krb5-{server,workstation}
* Thu Jan 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta2.3
- Fix up weird mass rebuild versioning
* Thu Jan 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta2.2.2
- Add APIs for marshalling credentials
* Wed Jan 27 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta2.1.2
- Cope with new autotools behavior wrt runstatedir
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.19-0.beta2.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 12 2021 Robbie Harwood <rharwood@redhat.com> - 1.19-1
- New upstream version (1.19-beta2)
* Wed Dec 16 2020 Robbie Harwood <rharwood@redhat.com> - 1.19-0.beta1.2
- New upstream version (1.19-beta1)
* Wed Dec 16 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-5
- Fix runstatedir configuration
- Why couldn't systemd just leave it alone?
* Tue Nov 24 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-4
- Document -k option in kvno(1) synopsis
* Fri Nov 20 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-3
- Upstream executable shared libraries patch
* Wed Nov 18 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-2
- Fix build failure in -1
* Wed Nov 18 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.3-1
- New upstream version (1.18.3)
* Tue Nov 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-30
- Migrate /var/run to /run, an exercise in pointlessness
- Resolves: #1898410
* Thu Nov 05 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-29
- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)
* Fri Oct 23 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-28
- Fix minor static analysis defects
* Wed Oct 21 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-27
- Fix build of previous
* Wed Oct 21 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-26
- Cross-realm s4u fixes for samba (#1836630)
* Thu Oct 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-25
- Unify kvno option documentation
* Fri Oct 02 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-24
- Add md5 override to krad
* Thu Sep 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-23
- Use `systemctl reload` to HUP the KDC during logrotate
- Resolves: #1877692
* Wed Sep 09 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-22
- Fix input length checking in SPNEGO DER decoding
* Fri Aug 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-21
- Mark crypto-policies snippet as missingok
- Resolves: #1868379
* Thu Aug 13 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-20
- Temporarily dns_canonicalize_hostname=fallback changes
- Hopefully unbreak IPA while we debug further
* Fri Aug 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-19
- Expand dns_canonicalize_hostname=fallback support
* Tue Aug 04 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-18
- Fix leak in KERB_AP_OPTIONS_CBT server support
* Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-17
- Revert qualify_shortname removal
* Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-16
- Disable tests on s390x
- Resolves: #1863952
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-15
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 31 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-14
- Revert qualify_shortname changes
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-12
- Ignore bad enctypes in krb5_string_to_keysalts()
- Allow gss_unwrap_iov() of unpadded RC4 tokens
* Wed Jul 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-11
- Ignore bad enctypes in krb5_string_to_keysalts()
* Wed Jul 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-10
- Set qualify_shortname empty in default configuration
- Resolves: #1852041
* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-9
- Use two queues for concurrent t_otp.py daemons
* Mon Jun 15 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-8
- Match Heimdal behavior for channel bindings
* Mon Jun 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-7
- Fix test suite by removing wrapper workarounds
* Mon Jun 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-6
- Omit PA_FOR_USER if we can't compute its checksum
* Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5
- Replace gssrpc tests with a Python script
* Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-4
- Default dns_canonicalize_hostname to "fallback"
* Tue May 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-3
- dns_canonicalize_hostname = fallback
* Tue May 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-2
- Pass channel bindings through SPNEGO
* Fri May 22 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-1
- New upstream release (1.18.2)
* Fri May 22 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-6
- Fix SPNEGO acceptor mech filtering
* Mon May 18 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-5
- Fix typo ("in in") in the ksu man page
* Fri May 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-4
- Omit KDC indicator check for S4U2Self requests
* Tue Apr 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-3
- Pass gss_localname() through SPNEGO
* Tue Apr 14 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-1.1
- Drop yasm requirement since we don't use builtin crypto
* Tue Apr 14 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.1-1
- New upstream version (1.18.1)
* Tue Apr 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-12
- Make ksu honor KRB5CCNAME again
* Thu Apr 02 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-11
- Do expiration warnings for all init_creds APIs
* Wed Apr 01 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-10
- Correctly import "service@" GSS host-based name
* Thu Mar 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-9
- Eliminate redundant PKINIT responder invocation
* Thu Mar 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-8
- Add finalization safety check to com_err
* Fri Mar 20 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-7
- Add maximum openssl version in preparation for openssl 3
* Tue Mar 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-6
- Document client keytab usage
* Tue Mar 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-5
- Refresh manually acquired creds from client keytab
* Fri Feb 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-4
- Allow deletion of require_auth with LDAP KDB
* Thu Feb 27 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-3
- Allow certauth modules to set hw-authent flag
* Fri Feb 21 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-2
- Fix AS-REQ checking of KDB-modified indicators
* Wed Feb 12 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-1
- New upstream version (1.18)
* Fri Feb 07 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.3
- Don't assume OpenSSL failures are memory errors
* Thu Feb 06 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.2
- Put KDB authdata first
* Fri Jan 31 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta2.1
- New upstream beta release - 1.18-beta2
- Adjust naming convention for downstream patches
* Fri Jan 10 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-0.beta1.1
- New upstream beta release - 1.18-beta1
* Wed Jan 08 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-5
- Fix LDAP policy enforcement of pw_expiration
- Fix handling of invalid CAMMAC service verifier
* Mon Jan 06 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-4
- Fix xdr_bytes() strict-aliasing violations
* Fri Jan 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.17.1-3
- Don't warn in kadmin when no policy is specified
- Do not always canonicalize enterprise principals
* Fri Dec 13 2019 Robbie Harwood <rharwood@redhat.com> - 1.17.1-2
- Enable the LMDB backend for the KDB
* Thu Dec 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17.1-1
- New upstream version - 1.17.1
- Stop building and packaging PDFs
* Fri Dec 06 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-54
- Qualify short hostnames when not using DNS
* Wed Nov 27 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-53
- Various gssalloc fixes
* Thu Nov 21 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-52
- Turns out openssl has an epoch
* Wed Nov 20 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-51
- Fix runtime openssl version to actually propagate
* Wed Nov 20 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-50
- Add runtime openssl version requirement too
* Wed Nov 20 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-49
- Fix kadmin addprinc -randkey -kvno
* Tue Nov 19 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-48
- Use OpenSSL's backported KDFs
- Restore MD4 in FIPS mode (for samba)
* Fri Nov 08 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-47
- Add default_principal_flags to example kdc.conf
* Wed Oct 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-46
- Log unknown enctypes as unsupported in KDC
* Wed Sep 25 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-45
- Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844)
* Thu Sep 12 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-44
- Static analyzer appeasement
* Tue Aug 27 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-43
- Simplify krb5_dbe_def_search_enctype()
* Thu Aug 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-42
- Update FIPS patches to remove SPAKE
* Thu Aug 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-41
- Fix KCM client time offset propagation
* Fri Aug 09 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-40
- Initialize life/rlife in kdcpolicy interface
* Tue Aug 06 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-39
- Fix memory leaks in soft-pkcs11 code
* Tue Jul 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-38
- Add soft-pkcs11 and use it for testing
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.17-37
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jul 18 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-36
- Filter enctypes in gss_set_allowable_enctypes()
* Mon Jul 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-35
- Don't error on invalid enctypes in keytab
- Resolves: #1724380
* Tue Jul 02 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-34
- Remove now-unused checksum functions
* Wed Jun 26 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-33
- Fix typo in 3des commit
* Wed Jun 26 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-32
- Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)
* Mon Jun 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-31
- Remove strerror() calls from k5_get_error()
* Fri Jun 07 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-30
- Remove 3des from kdc.conf example
* Mon Jun 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-29
- Remove 3DES support
* Mon Jun 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-28
- Remove 3des support
* Thu May 30 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-27
- Remove krb5int_c_combine_keys() and no-flags SAM-2 preauth
* Tue May 28 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-26
- Remove support for single-DES and CRC
* Wed May 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-25
- Add missing newlines to deprecation warnings
- Switch to upstream's ksu path patch
* Tue May 21 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-24
- Update default krb5kdc mkey manual-entry enctype
- Also update account lockout patch to upstream version
* Mon May 20 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-23
- Test & docs fixes in preparation for DES removal
* Wed May 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-22
- Drop krb5_realm_compare() etc. NULL check patches
* Wed May 15 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-21
- Re-provide krb5-kdb-version in -devel as well (IPA wants it)
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-20
- (Patch consolidation; hopefully no changes)
* Tue May 14 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-19
- Remove checksum type profile variables
* Fri May 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-18
- Pull in 2019-05-02 static analysis updates
* Fri May 03 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-17
- Move krb5-kdb-version provide into krb5-server for freeipa