OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 05-Oct-2007 12:33:59 Branch: HEAD Handle: 2007100511335801 Added files: openpkg-src/heimdal heimdal.patch Modified files: openpkg-src/heimdal heimdal-setup.sh heimdal.spec kdc.conf krb5.conf Log: align, bugfix and extend the Heimdal Kerberos packaging with the MIT Kerberos packaging Summary: Revision Changes Path 1.2 +11 -12 openpkg-src/heimdal/heimdal-setup.sh 1.4 +74 -0 openpkg-src/heimdal/heimdal.patch 1.9 +70 -18 openpkg-src/heimdal/heimdal.spec 1.2 +13 -8 openpkg-src/heimdal/kdc.conf 1.2 +14 -13 openpkg-src/heimdal/krb5.conf ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/heimdal/heimdal-setup.sh ============================================================================ $ cvs diff -u -r1.1 -r1.2 heimdal-setup.sh --- openpkg-src/heimdal/heimdal-setup.sh 13 Jan 2007 21:18:16 -0000 1.1 +++ openpkg-src/heimdal/heimdal-setup.sh 5 Oct 2007 10:33:58 -0000 1.2 @@ -1,6 +1,6 @@ [EMAIL PROTECTED]@ ## -## heimdal-setup -- Kerberos database setup procedure +## heimdal-setup -- Kerberos setup procedure ## if [ $# -ne 2 ]; then @@ -29,8 +29,8 @@ cp -p @l_prefix@/etc/heimdal/krb5.conf.new @l_prefix@/etc/heimdal/krb5.conf rm -f @l_prefix@/etc/heimdal/krb5.conf.new -echo "++ initialize Kerberos database" [EMAIL PROTECTED]@/sbin/kstash --random-key [EMAIL PROTECTED]@/var/heimdal/heimdal.mkey +echo "++ creating Kerberos database" [EMAIL PROTECTED]@/sbin/kstash --random-key [EMAIL PROTECTED]@/var/heimdal/db/$realm.mkey ( echo -n "init" echo -n " --realm-max-ticket-life=unlimited" echo -n " --realm-max-renewable-life=unlimited" 
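Review bot: The new stash path ending in `/var/heimdal/db/$realm.mkey` in the `@@ -29,8 +29,8 @@` hunk uses `$realm` unquoted and unvalidated, and the following hunk does the same for `$realm.acl` in the redirect, the `chmod` and the `chown`. The only visible input check is the argument count (`if [ $# -ne 2 ]`), so a realm value containing `/` or whitespace (presumably taken from the first argument) would put the master key and ACL outside the database directory or split the command. I would validate it once before first use, for example `case "$realm" in ""|*[!A-Za-z0-9.-]*) echo "invalid realm: $realm" >&2; exit 1;; esac`, and quote the expansions. The stash file also gets no explicit `chmod`/`chown` in the visible lines, unlike the ACL file, so its protection presumably rests on the mode kstash creates it with; a comment saying so, or an explicit `chmod 600`, would make that intent checkable.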
@@ -38,31 +38,30 @@ echo "" ) | @l_prefix@/sbin/kadmin -l -p admin/admin -echo "++ adding administrator \"[EMAIL PROTECTED]" to the ACL" -echo "*/[EMAIL PROTECTED] all" >@l_prefix@/etc/heimdal/heimdal.acl -chmod 600 @l_prefix@/etc/heimdal/heimdal.acl - -echo "++ adding administrator \"[EMAIL PROTECTED]" to the Kerberos database" +echo "++ adding administrator \"[EMAIL PROTECTED]" to Kerberos database" +echo "*/[EMAIL PROTECTED] all" >@l_prefix@/var/heimdal/db/$realm.acl +chmod 600 @l_prefix@/var/heimdal/db/$realm.acl +chown @l_susr@:@l_mgrp@ @l_prefix@/var/heimdal/db/$realm.acl ( echo -n "add" echo -n " --password=admin" echo -n " --max-ticket-life=1day --max-renewable-life=1week" echo -n " --expiration-time=never --pw-expiration-time=never" - echo -n " --attributes=" + echo -n " --attributes=\"\"" echo -n " admin/[EMAIL PROTECTED]" echo "" ) | @l_prefix@/sbin/kadmin -l -p admin/admin -echo "++ adding local host \"host/$host\" to the Kerberos database" +echo "++ adding host \"host/$host\" to Kerberos database" ( echo -n "add" echo -n " --random-key" echo -n " --max-ticket-life=1day --max-renewable-life=1week" echo -n " --expiration-time=never --pw-expiration-time=never" - echo -n " --attributes=" + echo -n " --attributes=\"\"" echo -n " host/$host" echo "" ) | @l_prefix@/sbin/kadmin -l -p admin/admin -echo "++ creating keytab file for local host \"host/$host\"" +echo "++ exporting keytab file for \"host/$host\" from Kerberos database" ( echo "ext_keytab host/$host" ) | @l_prefix@/sbin/kadmin -l -p admin/admin @@ . patch -p0 <<'@@ .' Index: openpkg-src/heimdal/heimdal.patch ============================================================================ $ cvs diff -u -r0 -r1.4 heimdal.patch --- /dev/null 2007-10-05 12:33:00 +0200 +++ heimdal.patch 2007-10-05 12:33:59 +0200 
@@ -0,0 +1,74 @@ +Bugfixes from upstream SVN between 1.0.1 and 1.0.2. +Can be removed once Heimdal 1.0.2 is released. + +Index: lib/krb5/rd_req.c +--- lib/krb5/rd_req.c (revision 21873) ++++ lib/krb5/rd_req.c (working copy) +@@ -826,14 +826,15 @@ + goto out; + } + +- ret = krb5_verify_ap_req(context, +- auth_context, +- &ap_req, +- server, +- o->keyblock, +- 0, +- &o->ap_req_options, +- &o->ticket); ++ ret = krb5_verify_ap_req2(context, ++ auth_context, ++ &ap_req, ++ server, ++ o->keyblock, ++ 0, ++ &o->ap_req_options, ++ &o->ticket, ++ KRB5_KU_AP_REQ_AUTH); + + if (ret) + goto out; +Index: lib/krb5/init_creds_pw.c +--- lib/krb5/init_creds_pw.c (revision 21873) ++++ lib/krb5/init_creds_pw.c (working copy) +@@ -1547,9 +1547,15 @@ + char buf[BUFSIZ]; + krb5_error_code ret; + +- if (in_options == NULL) ++ if (in_options == NULL) { ++ const char *realm = krb5_principal_get_realm(context, client); + ret = krb5_get_init_creds_opt_alloc(context, &options); +- else ++ if (ret == 0) ++ krb5_get_init_creds_opt_set_default_flags(context, ++ NULL, ++ realm, ++ options); ++ } else + ret = _krb5_get_init_creds_opt_copy(context, in_options, &options); + if (ret) + return ret; +Index: lib/krb5/crypto.c +--- lib/krb5/crypto.c (revision 21873) ++++ lib/krb5/crypto.c (working copy) +@@ -2751,6 +2751,7 @@ + if(e == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); ++ *string = NULL; + return KRB5_PROG_ETYPE_NOSUPP; + } + *string = strdup(e->name); +Index: lib/krb5/context.c +--- lib/krb5/context.c (revision 21873) ++++ lib/krb5/context.c (working copy) +@@ -251,6 +251,8 @@ + { + if (context->default_cc_name) + free(context->default_cc_name); ++ if (context->default_cc_name_env) ++ free(context->default_cc_name_env); + free(context->etypes); + free(context->etypes_des); + krb5_free_host_realm (context, context->default_realms); @@ . patch -p0 <<'@@ .' 
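Review bot: The header of the added heimdal.patch says only "Bugfixes from upstream SVN between 1.0.1 and 1.0.2" and does not name the upstream revisions the four fixes come from; the embedded hunks record only the base, `(revision 21873)`. Two of them sit on authentication and error paths (the switch to `krb5_verify_ap_req2(..., KRB5_KU_AP_REQ_AUTH)` in rd_req.c and the `*string = NULL` before the `KRB5_PROG_ETYPE_NOSUPP` return in crypto.c), so a reviewer needs to be able to match each one against upstream. I would add one line per file to the header, e.g. `lib/krb5/rd_req.c: upstream SVN r<REVISION> -- <one-line reason>`, so the backport can be audited now and dropped cleanly once 1.0.2 is packaged.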
Index: openpkg-src/heimdal/heimdal.spec ============================================================================ $ cvs diff -u -r1.8 -r1.9 heimdal.spec --- openpkg-src/heimdal/heimdal.spec 9 Aug 2007 15:03:53 -0000 1.8 +++ openpkg-src/heimdal/heimdal.spec 5 Oct 2007 10:33:59 -0000 1.9 @@ -33,10 +33,11 @@ Group: Cryptography License: BSD Version: 1.0.1 -Release: 20070809 +Release: 20071005 # package options -%option with_fsl yes +%option with_fsl yes +%option with_ldap no # list of sources Source0: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-%{version}.tar.gz @@ -45,6 +46,7 @@ Source3: krb5.conf Source4: kdc.conf Source5: heimdal-setup.sh +Patch0: heimdal.patch # build information Prefix: %{l_prefix} @@ -57,6 +59,10 @@ %endif BuildPreReq: readline, openssl, db PreReq: readline, openssl, db +%if "%{with_ldap}" == "yes" +BuildPreReq: openldap +PreReq: openldap +%endif AutoReq: no AutoReqProv: no Conflicts: kerberos @@ -77,17 +83,18 @@ %prep %setup -q + %patch -p0 + +%build + # configure toolkit %{l_shtool} subst \ - -e 's;^\(DIST_SUBDIRS = \) appl \(.*\)$;\1\2;' \ + -e 's;^\(DIST_SUBDIRS.*\) appl \(.*\)$;\1\2;' \ Makefile.in %{l_shtool} subst \ - -e 's;^\(SUBDIRS = \) appl \(.*\)$;\1\2;' \ + -e 's;^\(SUBDIRS.*\) appl \(.*\)$;\1\2;' \ Makefile.in - -%build - # configure toolkit %{l_shtool} subst \ - -e 's;/krb5.conf:/etc/krb5.conf;%{l_prefix}/etc/heimdal/krb5.conf;g' \ + -e 's;/krb5.conf:/etc/krb5.conf;/krb5.conf;g' \ lib/krb5/constants.c %{l_shtool} subst \ -e 's;/var/heimdal;%{l_prefix}/var/heimdal/db;g' \ @@ -107,6 +114,9 @@ ./configure \ --cache-file=./config.cache \ --prefix=%{l_prefix} \ + --mandir=%{l_prefix}/man \ + --infodir=%{l_prefix}/info \ + --sysconfdir=%{l_prefix}/etc/heimdal \ --includedir=%{l_prefix}/include/heimdal \ --libdir=%{l_prefix}/lib/heimdal \ --libexecdir=%{l_prefix}/sbin \ 
@@ -120,6 +130,11 @@ --with-openssl-include=%{l_prefix}/include \ --enable-berkeley-db \ --disable-ndbm-db \ +%if "%{with_ldap}" == "yes" + --with-openldap=%{l_prefix} \ + --with-openldap-lib=%{l_prefix}/lib \ + --with-openldap-include=%{l_prefix}/include \ +%endif --enable-kcm \ --without-krb4 \ --enable-pthread-support \ @@ -152,6 +167,34 @@ strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true strip $RPM_BUILD_ROOT%{l_prefix}/sbin/* >/dev/null 2>&1 || true + # provide executable wrappers + %{l_shtool} mkdir -p -m 755 \ + $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal + for bin in \ + gss hxtool kdestroy kgetcred kinit klist \ + kpasswd mk_cmds string2key verify_krb5_conf; do + mv $RPM_BUILD_ROOT%{l_prefix}/bin/$bin \ + $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal/$bin + ( echo "#!/bin/sh" + echo "LD_LIBRARY_PATH=\"%{l_prefix}/lib/heimdal:/lib:/usr/lib\"" + echo "export LD_LIBRARY_PATH" + echo "exec %{l_prefix}/libexec/heimdal/$bin \${1+\"[EMAIL PROTECTED]"}" + ) >$RPM_BUILD_ROOT%{l_prefix}/bin/$bin + chmod 755 $RPM_BUILD_ROOT%{l_prefix}/bin/$bin + done + for bin in \ + hprop hpropd iprop-log ipropd-master ipropd-slave kadmin kadmind \ + kcm kdc kdigest kimpersonate kpasswdd kstash ktutil; do + mv $RPM_BUILD_ROOT%{l_prefix}/sbin/$bin \ + $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal/$bin + ( echo "#!/bin/sh" + echo "LD_LIBRARY_PATH=\"%{l_prefix}/lib/heimdal:/lib:/usr/lib\"" + echo "export LD_LIBRARY_PATH" + echo "exec %{l_prefix}/libexec/heimdal/$bin \${1+\"[EMAIL PROTECTED]"}" + ) >$RPM_BUILD_ROOT%{l_prefix}/sbin/$bin + chmod 755 $RPM_BUILD_ROOT%{l_prefix}/sbin/$bin + done + # install setup script %{l_shtool} install -c -m 755 %{l_value -s -a} \ -e 's;@l_bash@;%{l_bash};g' \ 
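Review bot: The wrappers generated under `# provide executable wrappers` export `LD_LIBRARY_PATH`, so every process started by a wrapped tool or daemon inherits a search path that puts `%{l_prefix}/lib/heimdal` ahead of the system directories. Overwriting the caller's value rather than extending it is the safer choice for the tool itself, but the export means unrelated child programs may resolve same-named libraries from the Heimdal directory. If the build permits it, recording the library directory at link time would avoid changing the environment at all; failing that, a comment above the loops should state why the variable is set this way and that it is inherited. The two `for bin in` loops differ only in `bin` versus `sbin` and could be one loop over both directories.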
@@ -201,25 +244,34 @@ echo " \$ $RPM_INSTALL_PREFIX/sbin/heimdal-setup <realm> <domain>" echo "where <domain> is the primary DNS zone of this setup and" echo "<realm> by convention is the upper-case version of <domain>." + echo "" echo "After this you should start the Kerberos server with:" echo " \$ $RPM_INSTALL_PREFIX/bin/openpkg rc heimdal start" echo "" + echo "Then you should change the password of the admin/admin user" + echo "from the default \"admin\" to something secure:" + echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -l -p admin/admin \\ " + echo " passwd -p <new-password> admin/admin" + echo "" echo "Then you should add and attach all remote hosts to Heimdal" - echo "by running the following command on each remote host:" - echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin" - echo " kadmin> add host/<hostname>.<domain>" - echo " kadmin> ext_keytab host/<hostname>.<domain>" - echo " kadmin> exit" + echo "by running the following command on each *remote* host:" + echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ " + echo " add --random-key --attributes=\"\" \\ " + echo " --max-ticket-life=1day --max-renewable-life=1week \\ " + echo " --expiration-time=never --pw-expiration-time=never \\ " + echo " host/<hostname>.<domain>" + echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ " + echo " ext_keytab host/<hostname>.<domain>" echo "" echo "Then you should add all your users to Heimdal via:" - echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin" - echo " kadmin> add <user>/<user>@<realm>" - echo " kadmin> exit" + echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ " + echo " add --password=<password> --use-defaults \\ " + echo " <user>/<user>@<realm>" echo "" - echo "After this, your users can authenticate against" - echo "Heimdal on all attached hosts via:" + echo "After this, your users can use Kerberos all attached hosts:" echo " \$ $RPM_INSTALL_PREFIX/bin/kinit <user>/<user>" echo " \$ $RPM_INSTALL_PREFIX/bin/klist" + echo 
" \$ $RPM_INSTALL_PREFIX/bin/kdestroy" ) | %{l_rpmtool} msg -b -t notice fi # after upgrade, restore status @@ . patch -p0 <<'@@ .' Index: openpkg-src/heimdal/kdc.conf ============================================================================ $ cvs diff -u -r1.1 -r1.2 kdc.conf --- openpkg-src/heimdal/kdc.conf 13 Jan 2007 21:18:16 -0000 1.1 +++ openpkg-src/heimdal/kdc.conf 5 Oct 2007 10:33:59 -0000 1.2 @@ -1,12 +1,17 @@ [kdc] - addresses = 127.0.0.1 - ports = 750 88 - database = { - realm = EXAMPLE.COM - acl_file = @l_prefix@/etc/heimdal/heimdal.acl - dbname = @l_prefix@/var/heimdal/db/heimdal - mkey_file = @l_prefix@/var/heimdal/db/heimdal.mkey - log_file = @l_prefix@/var/heimdal/db/heimdal.log + addresses = 127.0.0.1 + ports = 750 88 + database = { + realm = EXAMPLE.COM + dbname = @l_prefix@/var/heimdal/db/EXAMPLE.COM.db + acl_file = @l_prefix@/var/heimdal/db/EXAMPLE.COM.acl + mkey_file = @l_prefix@/var/heimdal/db/EXAMPLE.COM.mkey + log_file = @l_prefix@/var/heimdal/db/EXAMPLE.COM.log } +[logging] + kdc = FILE:@l_prefix@/var/heimdal/log/kdc.log + kadmin = FILE:@l_prefix@/var/heimdal/log/kadmin.log + default = FILE:@l_prefix@/var/heimdal/log/heimdal.log + @@ . patch -p0 <<'@@ .' Index: openpkg-src/heimdal/krb5.conf ============================================================================ $ cvs diff -u -r1.1 -r1.2 krb5.conf --- openpkg-src/heimdal/krb5.conf 13 Jan 2007 21:18:16 -0000 1.1 +++ openpkg-src/heimdal/krb5.conf 5 Oct 2007 10:33:59 -0000 1.2 
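Review bot: The new post-install text in the `@@ -201,25 +244,34 @@` hunk tells the administrator to pass secrets as command-line arguments (`passwd -p <new-password> admin/admin` and `add --password=<password> --use-defaults`), which leaves them in shell history and visible in process listings. It also places the admin/admin password change after the `openpkg rc heimdal start` step, so the KDC runs for a time with the documented default password "admin" on a principal that the setup script apparently grants `all` rights in the ACL. Because the suggested command already uses `kadmin -l`, the step can be moved ahead of the start instruction, and I would drop the password options so that kadmin asks for the password interactively, e.g. `echo "      passwd admin/admin"`. The sentence "your users can use Kerberos all attached hosts" is also missing the word "on".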
@@ -1,21 +1,22 @@ -[logging] - kdc = FILE:@l_prefix@/var/heimdal/log/kdc.log - kadmin = FILE:@l_prefix@/var/heimdal/log/kadmin.log - default = FILE:@l_prefix@/var/heimdal/log/heimdal.log - [libdefaults] - default_realm = EXAMPLE.COM + default_realm = EXAMPLE.COM + default_keytab_name = FILE:@l_prefix@/etc/heimdal/krb5.keytab + default_etypes = des3-cbc-sha1 aes256-cts-hmac-sha1-96 [realms] - EXAMPLE.COM = { - kdc = kerberos1.example.com - kdc = kerberos2.example.com - admin_server = kerberos1.example.com - default_domain = example.com + EXAMPLE.COM = { + kdc = 127.0.0.1 + kdc = kerberos1.example.com + kdc = kerberos2.example.com + admin_server = kerberos1.example.com + default_domain = example.com } [domain_realm] - .example.com = EXAMPLE.COM - example.com = EXAMPLE.COM + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM + +[logging] + default = STDERR @@ . ______________________________________________________________________ OpenPKG http://openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
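Review bot: The added `default_etypes = des3-cbc-sha1 aes256-cts-hmac-sha1-96` lists the triple-DES type ahead of AES-256; if the list is treated as a preference order, hosts configured from this template will prefer the weaker type. I would put the AES type first, `default_etypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1`, with a comment that des3 is kept only for peers without AES support. The new `kdc = 127.0.0.1` entry at the head of the `EXAMPLE.COM` block presumably ends up on every host that installs this file, so a comment that it is meant for the KDC host itself would prevent clients from first trying a KDC on loopback.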