OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   05-Oct-2007 12:33:59
  Branch: HEAD                             Handle: 2007100511335801

  Added files:
    openpkg-src/heimdal     heimdal.patch
  Modified files:
    openpkg-src/heimdal     heimdal-setup.sh heimdal.spec kdc.conf krb5.conf

  Log:
    align, bugfix and extend the Heimdal Kerberos packaging with the MIT
    Kerberos packaging

  Summary:
    Revision    Changes     Path
    1.2         +11 -12     openpkg-src/heimdal/heimdal-setup.sh
    1.4         +74 -0      openpkg-src/heimdal/heimdal.patch
    1.9         +70 -18     openpkg-src/heimdal/heimdal.spec
    1.2         +13 -8      openpkg-src/heimdal/kdc.conf
    1.2         +14 -13     openpkg-src/heimdal/krb5.conf
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/heimdal/heimdal-setup.sh
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 heimdal-setup.sh
  --- openpkg-src/heimdal/heimdal-setup.sh      13 Jan 2007 21:18:16 -0000      
1.1
  +++ openpkg-src/heimdal/heimdal-setup.sh      5 Oct 2007 10:33:58 -0000       
1.2
  @@ -1,6 +1,6 @@
   [EMAIL PROTECTED]@
   ##
  -##  heimdal-setup -- Kerberos database setup procedure
  +##  heimdal-setup -- Kerberos setup procedure
   ##
   
   if [ $# -ne 2 ]; then
  @@ -29,8 +29,8 @@
   cp -p @l_prefix@/etc/heimdal/krb5.conf.new @l_prefix@/etc/heimdal/krb5.conf
   rm -f @l_prefix@/etc/heimdal/krb5.conf.new
   
  -echo "++ initialize Kerberos database"
  [EMAIL PROTECTED]@/sbin/kstash --random-key [EMAIL 
PROTECTED]@/var/heimdal/heimdal.mkey
  +echo "++ creating Kerberos database"
  [EMAIL PROTECTED]@/sbin/kstash --random-key [EMAIL 
PROTECTED]@/var/heimdal/db/$realm.mkey
   ( echo -n "init"
     echo -n " --realm-max-ticket-life=unlimited"
     echo -n " --realm-max-renewable-life=unlimited"
  @@ -38,31 +38,30 @@
     echo ""
   ) | @l_prefix@/sbin/kadmin -l -p admin/admin
   
  -echo "++ adding administrator \"[EMAIL PROTECTED]" to the ACL"
  -echo "*/[EMAIL PROTECTED] all" >@l_prefix@/etc/heimdal/heimdal.acl
  -chmod 600 @l_prefix@/etc/heimdal/heimdal.acl
  -
  -echo "++ adding administrator \"[EMAIL PROTECTED]" to the Kerberos database"
  +echo "++ adding administrator \"[EMAIL PROTECTED]" to Kerberos database"
  +echo "*/[EMAIL PROTECTED] all" >@l_prefix@/var/heimdal/db/$realm.acl
  +chmod 600 @l_prefix@/var/heimdal/db/$realm.acl
  +chown @l_susr@:@l_mgrp@ @l_prefix@/var/heimdal/db/$realm.acl
   ( echo -n "add"
     echo -n " --password=admin"
     echo -n " --max-ticket-life=1day --max-renewable-life=1week"
     echo -n " --expiration-time=never --pw-expiration-time=never"
  -  echo -n " --attributes="
  +  echo -n " --attributes=\"\""
     echo -n " admin/[EMAIL PROTECTED]"
     echo ""
   ) | @l_prefix@/sbin/kadmin -l -p admin/admin
   
  -echo "++ adding local host \"host/$host\" to the Kerberos database"
  +echo "++ adding host \"host/$host\" to Kerberos database"
   ( echo -n "add"
     echo -n " --random-key"
     echo -n " --max-ticket-life=1day --max-renewable-life=1week"
     echo -n " --expiration-time=never --pw-expiration-time=never"
  -  echo -n " --attributes="
  +  echo -n " --attributes=\"\""
     echo -n " host/$host"
     echo ""
   ) | @l_prefix@/sbin/kadmin -l -p admin/admin
   
  -echo "++ creating keytab file for local host \"host/$host\""
  +echo "++ exporting keytab file for \"host/$host\" from Kerberos database"
   ( echo "ext_keytab host/$host"
   ) | @l_prefix@/sbin/kadmin -l -p admin/admin
   
  @@ .
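Review bot: The new ACL lines create `@l_prefix@/var/heimdal/db/$realm.acl` with a plain redirect and only afterwards run `chmod 600` and `chown`, so the file briefly exists with whatever mode the caller's umask allows. Setting `umask 077` before the redirect closes that window. `$realm` is also expanded unquoted into this path and into the `.mkey` path in the kstash hunk above; it appears to come from the script's arguments (the argument handling is outside the hunks), so quoting it and rejecting values containing `/` or whitespace would keep the files inside `var/heimdal/db`. The unchanged `--password=admin` line in this hunk means the admin/admin principal starts with a well-known password until the operator changes it.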
  patch -p0 <<'@@ .'
  Index: openpkg-src/heimdal/heimdal.patch
  ============================================================================
  $ cvs diff -u -r0 -r1.4 heimdal.patch
  --- /dev/null 2007-10-05 12:33:00 +0200
  +++ heimdal.patch     2007-10-05 12:33:59 +0200
  @@ -0,0 +1,74 @@
  +Bugfixes from upstream SVN between 1.0.1 and 1.0.2.
  +Can be removed once Heimdal 1.0.2 is released.
  +
  +Index: lib/krb5/rd_req.c
  +--- lib/krb5/rd_req.c        (revision 21873)
  ++++ lib/krb5/rd_req.c        (working copy)
  +@@ -826,14 +826,15 @@
  +         goto out;
  +     }
  + 
  +-    ret = krb5_verify_ap_req(context,
  +-                         auth_context,
  +-                         &ap_req,
  +-                         server,
  +-                         o->keyblock,
  +-                         0,
  +-                         &o->ap_req_options,
  +-                         &o->ticket);
  ++    ret = krb5_verify_ap_req2(context,
  ++                          auth_context,
  ++                          &ap_req,
  ++                          server,
  ++                          o->keyblock,
  ++                          0,
  ++                          &o->ap_req_options,
  ++                          &o->ticket,
  ++                          KRB5_KU_AP_REQ_AUTH);
  + 
  +     if (ret)
  +     goto out;
  +Index: lib/krb5/init_creds_pw.c
  +--- lib/krb5/init_creds_pw.c (revision 21873)
  ++++ lib/krb5/init_creds_pw.c (working copy)
  +@@ -1547,9 +1547,15 @@
  +     char buf[BUFSIZ];
  +     krb5_error_code ret;
  + 
  +-    if (in_options == NULL)
  ++    if (in_options == NULL) {
  ++    const char *realm = krb5_principal_get_realm(context, client);
  +     ret = krb5_get_init_creds_opt_alloc(context, &options);
  +-    else
  ++    if (ret == 0)
  ++        krb5_get_init_creds_opt_set_default_flags(context, 
  ++                                                  NULL, 
  ++                                                  realm, 
  ++                                                  options);
  ++    } else
  +     ret = _krb5_get_init_creds_opt_copy(context, in_options, &options);
  +     if (ret)
  +     return ret;
  +Index: lib/krb5/crypto.c
  +--- lib/krb5/crypto.c        (revision 21873)
  ++++ lib/krb5/crypto.c        (working copy)
  +@@ -2751,6 +2751,7 @@
  +     if(e == NULL) {
  +     krb5_set_error_string (context, "encryption type %d not supported",
  +                            etype);
  ++    *string = NULL;
  +     return KRB5_PROG_ETYPE_NOSUPP;
  +     }
  +     *string = strdup(e->name);
  +Index: lib/krb5/context.c
  +--- lib/krb5/context.c       (revision 21873)
  ++++ lib/krb5/context.c       (working copy)
  +@@ -251,6 +251,8 @@
  + {
  +     if (context->default_cc_name)
  +     free(context->default_cc_name);
  ++    if (context->default_cc_name_env)
  ++    free(context->default_cc_name_env);
  +     free(context->etypes);
  +     free(context->etypes_des);
  +     krb5_free_host_realm (context, context->default_realms);
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/heimdal/heimdal.spec
  ============================================================================
  $ cvs diff -u -r1.8 -r1.9 heimdal.spec
  --- openpkg-src/heimdal/heimdal.spec  9 Aug 2007 15:03:53 -0000       1.8
  +++ openpkg-src/heimdal/heimdal.spec  5 Oct 2007 10:33:59 -0000       1.9
  @@ -33,10 +33,11 @@
   Group:        Cryptography
   License:      BSD
   Version:      1.0.1
  -Release:      20070809
  +Release:      20071005
   
   #   package options
  -%option       with_fsl  yes
  +%option       with_fsl   yes
  +%option       with_ldap  no
   
   #   list of sources
   Source0:      ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-%{version}.tar.gz
  @@ -45,6 +46,7 @@
   Source3:      krb5.conf
   Source4:      kdc.conf
   Source5:      heimdal-setup.sh
  +Patch0:       heimdal.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -57,6 +59,10 @@
   %endif
   BuildPreReq:  readline, openssl, db
   PreReq:       readline, openssl, db
  +%if "%{with_ldap}" == "yes"
  +BuildPreReq:  openldap
  +PreReq:       openldap
  +%endif
   AutoReq:      no
   AutoReqProv:  no
   Conflicts:    kerberos
  @@ -77,17 +83,18 @@
   
   %prep
       %setup -q
  +    %patch -p0
  +
  +%build
  +    #   configure toolkit
       %{l_shtool} subst \
  -        -e 's;^\(DIST_SUBDIRS = \) appl \(.*\)$;\1\2;' \
  +        -e 's;^\(DIST_SUBDIRS.*\) appl \(.*\)$;\1\2;' \
           Makefile.in
       %{l_shtool} subst \
  -        -e 's;^\(SUBDIRS = \) appl \(.*\)$;\1\2;' \
  +        -e 's;^\(SUBDIRS.*\) appl \(.*\)$;\1\2;' \
           Makefile.in
  -
  -%build
  -    #   configure toolkit
       %{l_shtool} subst \
  -        -e 's;/krb5.conf:/etc/krb5.conf;%{l_prefix}/etc/heimdal/krb5.conf;g' 
\
  +        -e 's;/krb5.conf:/etc/krb5.conf;/krb5.conf;g' \
           lib/krb5/constants.c
       %{l_shtool} subst \
           -e 's;/var/heimdal;%{l_prefix}/var/heimdal/db;g' \
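Review bot: The rewritten substitution on lib/krb5/constants.c now replaces `/krb5.conf:/etc/krb5.conf` with a bare `/krb5.conf`, which only resolves to the package's own file if the prefix comes from the `--sysconfdir=%{l_prefix}/etc/heimdal` flag added in the configure hunk further down. That coupling is invisible at this line; a comment such as `#   drop the /etc/krb5.conf fallback; the path prefix comes from --sysconfdir` would keep a later edit to the configure flags from silently pointing the library at a different configuration file. How constants.c composes the path is not visible here, so this should be confirmed against the source.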
  @@ -107,6 +114,9 @@
       ./configure \
           --cache-file=./config.cache \
           --prefix=%{l_prefix} \
  +        --mandir=%{l_prefix}/man \
  +        --infodir=%{l_prefix}/info \
  +        --sysconfdir=%{l_prefix}/etc/heimdal \
           --includedir=%{l_prefix}/include/heimdal \
           --libdir=%{l_prefix}/lib/heimdal \
           --libexecdir=%{l_prefix}/sbin \
  @@ -120,6 +130,11 @@
           --with-openssl-include=%{l_prefix}/include \
           --enable-berkeley-db \
           --disable-ndbm-db \
  +%if "%{with_ldap}" == "yes"
  +        --with-openldap=%{l_prefix} \
  +        --with-openldap-lib=%{l_prefix}/lib \
  +        --with-openldap-include=%{l_prefix}/include \
  +%endif
           --enable-kcm \
           --without-krb4 \
           --enable-pthread-support \
  @@ -152,6 +167,34 @@
       strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true
       strip $RPM_BUILD_ROOT%{l_prefix}/sbin/* >/dev/null 2>&1 || true
   
  +    #   provide executable wrappers
  +    %{l_shtool} mkdir -p -m 755 \
  +        $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal
  +    for bin in \
  +        gss hxtool kdestroy kgetcred kinit klist \
  +        kpasswd mk_cmds string2key verify_krb5_conf; do
  +        mv  $RPM_BUILD_ROOT%{l_prefix}/bin/$bin \
  +            $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal/$bin
  +        ( echo "#!/bin/sh"
  +          echo "LD_LIBRARY_PATH=\"%{l_prefix}/lib/heimdal:/lib:/usr/lib\""
  +          echo "export LD_LIBRARY_PATH"
  +          echo "exec %{l_prefix}/libexec/heimdal/$bin \${1+\"[EMAIL 
PROTECTED]"}"
  +        ) >$RPM_BUILD_ROOT%{l_prefix}/bin/$bin
  +        chmod 755 $RPM_BUILD_ROOT%{l_prefix}/bin/$bin
  +    done
  +    for bin in \
  +        hprop hpropd iprop-log ipropd-master ipropd-slave kadmin kadmind \
  +        kcm kdc kdigest kimpersonate kpasswdd kstash ktutil; do
  +        mv  $RPM_BUILD_ROOT%{l_prefix}/sbin/$bin \
  +            $RPM_BUILD_ROOT%{l_prefix}/libexec/heimdal/$bin
  +        ( echo "#!/bin/sh"
  +          echo "LD_LIBRARY_PATH=\"%{l_prefix}/lib/heimdal:/lib:/usr/lib\""
  +          echo "export LD_LIBRARY_PATH"
  +          echo "exec %{l_prefix}/libexec/heimdal/$bin \${1+\"[EMAIL 
PROTECTED]"}"
  +        ) >$RPM_BUILD_ROOT%{l_prefix}/sbin/$bin
  +        chmod 755 $RPM_BUILD_ROOT%{l_prefix}/sbin/$bin
  +    done
  +
       #   install setup script
       %{l_shtool} install -c -m 755 %{l_value -s -a} \
           -e 's;@l_bash@;%{l_bash};g' \
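Review bot: The two wrapper loops do not check that `mv` succeeded, so a program missing from the build (for example because a configure option disabled it) would leave a wrapper in bin/ or sbin/ that execs a non-existent file under libexec/heimdal. Whether the install shell aborts on errors is not visible here. A guard such as `[ -f $RPM_BUILD_ROOT%{l_prefix}/bin/$bin ] || exit 1` before each `mv` makes the failure explicit. The loops are identical apart from the directory and program list and could share one helper. Replacing a binary with a shell wrapper also drops any set-id mode bits it was installed with, so it is worth confirming none of the listed programs depends on them.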
  @@ -201,25 +244,34 @@
             echo "  \$ $RPM_INSTALL_PREFIX/sbin/heimdal-setup <realm> <domain>"
             echo "where <domain> is the primary DNS zone of this setup and"
             echo "<realm> by convention is the upper-case version of <domain>."
  +          echo ""
             echo "After this you should start the Kerberos server with:"
             echo "  \$ $RPM_INSTALL_PREFIX/bin/openpkg rc heimdal start"
             echo ""
  +          echo "Then you should change the password of the admin/admin user"
  +          echo "from the default \"admin\" to something secure:"
  +          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -l -p admin/admin \\ "
  +          echo "    passwd -p <new-password> admin/admin"
  +          echo ""
             echo "Then you should add and attach all remote hosts to Heimdal"
  -          echo "by running the following command on each remote host:"
  -          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin"
  -          echo "  kadmin> add host/<hostname>.<domain>"
  -          echo "  kadmin> ext_keytab host/<hostname>.<domain>"
  -          echo "  kadmin> exit"
  +          echo "by running the following command on each *remote* host:"
  +          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ "
  +          echo "     add --random-key --attributes=\"\" \\ "
  +          echo "     --max-ticket-life=1day --max-renewable-life=1week \\ "
  +          echo "     --expiration-time=never --pw-expiration-time=never \\ "
  +          echo "     host/<hostname>.<domain>"
  +          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ "
  +          echo "     ext_keytab host/<hostname>.<domain>"
             echo ""
             echo "Then you should add all your users to Heimdal via:"
  -          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin"
  -          echo "  kadmin> add <user>/<user>@<realm>"
  -          echo "  kadmin> exit"
  +          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin \\ "
  +          echo "  add --password=<password> --use-defaults \\ "
  +          echo "  <user>/<user>@<realm>"
             echo ""
  -          echo "After this, your users can authenticate against"
  -          echo "Heimdal on all attached hosts via:"
  +          echo "After this, your users can use Kerberos all attached hosts:"
             echo "  \$ $RPM_INSTALL_PREFIX/bin/kinit <user>/<user>"
             echo "  \$ $RPM_INSTALL_PREFIX/bin/klist"
  +          echo "  \$ $RPM_INSTALL_PREFIX/bin/kdestroy"
           ) | %{l_rpmtool} msg -b -t notice
       fi
       #   after upgrade, restore status
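Review bot: The added instructions tell the operator to type passwords as command-line arguments (`passwd -p <new-password> admin/admin` and `add --password=<password> --use-defaults`), which leaves them in shell history and visible in the process list to other local users while kadmin runs. Dropping the password option so that kadmin prompts for it avoids that, e.g. `echo "    passwd admin/admin"` for the admin step. The sentence `your users can use Kerberos all attached hosts` is also missing an `on`. The enclosing post-install script starts and ends outside the hunk.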
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/heimdal/kdc.conf
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 kdc.conf
  --- openpkg-src/heimdal/kdc.conf      13 Jan 2007 21:18:16 -0000      1.1
  +++ openpkg-src/heimdal/kdc.conf      5 Oct 2007 10:33:59 -0000       1.2
  @@ -1,12 +1,17 @@
   
   [kdc]
  -    addresses = 127.0.0.1
  -    ports     = 750 88
  -    database  = {
  -        realm     = EXAMPLE.COM
  -        acl_file  = @l_prefix@/etc/heimdal/heimdal.acl
  -        dbname    = @l_prefix@/var/heimdal/db/heimdal
  -        mkey_file = @l_prefix@/var/heimdal/db/heimdal.mkey
  -        log_file  = @l_prefix@/var/heimdal/db/heimdal.log
  +    addresses                   = 127.0.0.1
  +    ports                       = 750 88
  +    database                    = {
  +        realm                   = EXAMPLE.COM
  +        dbname                  = @l_prefix@/var/heimdal/db/EXAMPLE.COM.db
  +        acl_file                = @l_prefix@/var/heimdal/db/EXAMPLE.COM.acl
  +        mkey_file               = @l_prefix@/var/heimdal/db/EXAMPLE.COM.mkey
  +        log_file                = @l_prefix@/var/heimdal/db/EXAMPLE.COM.log
       }
   
  +[logging]
  +    kdc                         = FILE:@l_prefix@/var/heimdal/log/kdc.log
  +    kadmin                      = FILE:@l_prefix@/var/heimdal/log/kadmin.log
  +    default                     = FILE:@l_prefix@/var/heimdal/log/heimdal.log
  +
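Review bot: The four database paths now embed the literal realm name (`EXAMPLE.COM.db`, `.acl`, `.mkey`, `.log`), while heimdal-setup.sh in this same commit writes `$realm.acl` and `$realm.mkey`. Unless the setup script rewrites every `EXAMPLE.COM` occurrence in kdc.conf (that part of the script is not shown in the diff), the KDC would look for a master key and ACL file under names that differ from the ones just created. A short comment above `database` stating that heimdal-setup substitutes the realm into these paths would make the dependency explicit.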
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/heimdal/krb5.conf
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 krb5.conf
  --- openpkg-src/heimdal/krb5.conf     13 Jan 2007 21:18:16 -0000      1.1
  +++ openpkg-src/heimdal/krb5.conf     5 Oct 2007 10:33:59 -0000       1.2
  @@ -1,21 +1,22 @@
   
  -[logging]
  -    kdc                = FILE:@l_prefix@/var/heimdal/log/kdc.log
  -    kadmin             = FILE:@l_prefix@/var/heimdal/log/kadmin.log
  -    default            = FILE:@l_prefix@/var/heimdal/log/heimdal.log
  -
   [libdefaults]
  -    default_realm      = EXAMPLE.COM
  +    default_realm        = EXAMPLE.COM
  +    default_keytab_name  = FILE:@l_prefix@/etc/heimdal/krb5.keytab
  +    default_etypes       = des3-cbc-sha1 aes256-cts-hmac-sha1-96
   
   [realms]
  -    EXAMPLE.COM        = {
  -        kdc            = kerberos1.example.com
  -        kdc            = kerberos2.example.com
  -        admin_server   = kerberos1.example.com
  -        default_domain = example.com
  +    EXAMPLE.COM          = {
  +        kdc              = 127.0.0.1
  +        kdc              = kerberos1.example.com
  +        kdc              = kerberos2.example.com
  +        admin_server     = kerberos1.example.com
  +        default_domain   = example.com
       }
   
   [domain_realm]
  -    .example.com       = EXAMPLE.COM
  -    example.com        = EXAMPLE.COM
  +    .example.com         = EXAMPLE.COM
  +    example.com          = EXAMPLE.COM
  +
  +[logging]
  +    default              = STDERR
   
  @@ .
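Review bot: The new `default_etypes` line lists `des3-cbc-sha1` ahead of `aes256-cts-hmac-sha1-96`; if the list is treated as a preference order, clients will ask for triple-DES first even where AES is available. Putting the stronger type first, `default_etypes       = aes256-cts-hmac-sha1-96 des3-cbc-sha1`, keeps compatibility while preferring AES. The added `kdc = 127.0.0.1` entry is also first in the realm's KDC list, which only makes sense on the KDC host itself, so it is worth confirming this file is not copied unchanged to remote hosts.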
______________________________________________________________________
OpenPKG                                             http://openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
