|
@@ -20,15 +20,14 @@ BuildRequires: socket_wrapper
|
|
|
Summary: The Kerberos network authentication system
|
|
|
Summary(ja): Kerberos ネットワーク認証システム
|
|
|
Name: krb5
|
|
|
-Version: 1.16.1
|
|
|
+Version: 1.18
|
|
|
Release: 1%{_dist_release}
|
|
|
|
|
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
|
|
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.1-signed.tar
|
|
|
-Source0: krb5-%{version}.tar.gz
|
|
|
+%global shortver %(echo "%{version}" | perl -p -e 's/^([0-9]+\.[0-9]+).*$/\\1/')
|
|
|
+Source0: https://web.mit.edu/kerberos/dist/krb5/%{shortver}/krb5-%{version}.tar.gz
|
|
|
# Source1: krb5-%{version}.tar.gz.asc
|
|
|
-Source3: krb5-%{version}-pdfs.tar
|
|
|
-Source1000: krb5-%{version}-man.tar
|
|
|
|
|
|
Source2: kpropd.init
|
|
|
Source4: kadmind.init
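Review bot: The new `Source0` URL is not paired with any integrity check: `# Source1: krb5-%{version}.tar.gz.asc` stays commented out, and the `%prep` hunk further down goes straight to `%autosetup`. Whatever tarball ends up in the source directory is therefore built without being compared against the upstream detached signature. I would enable `Source1: https://web.mit.edu/kerberos/dist/krb5/%{shortver}/krb5-%{version}.tar.gz.asc`, ship the release signing key as a further `Source`, and run a gpg verification step before `%autosetup`. If this distribution's macro set has a verify helper, use it; otherwise a plain `gpgv` call against the packaged keyring does the same job.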
|
|
@@ -45,75 +44,34 @@ Source31: kerberos-adm.portreserve
|
|
|
Source32: krb5_prop.portreserve
|
|
|
Source33: krb5kdc.logrotate
|
|
|
Source34: kadmind.logrotate
|
|
|
-Source39: krb5-krb5kdc.conf
|
|
|
|
|
|
# Carry this locally until it's available in a packaged form.
|
|
|
Source100: noport.c
|
|
|
|
|
|
-Patch26: krb5-1.12.1-pam.patch
|
|
|
-Patch27: krb5-1.15.1-selinux-label.patch
|
|
|
-Patch28: krb5-1.12-ksu-path.patch
|
|
|
-Patch29: krb5-1.12-ktany.patch
|
|
|
-Patch30: krb5-1.15-beta1-buildconf.patch
|
|
|
-Patch31: krb5-1.3.1-dns.patch
|
|
|
-Patch32: krb5-1.12-api.patch
|
|
|
-Patch33: krb5-1.13-dirsrv-accountlock.patch
|
|
|
-Patch34: krb5-1.9-debuginfo.patch
|
|
|
-Patch35: krb5-1.11-run_user_0.patch
|
|
|
-Patch36: krb5-1.11-kpasswdtest.patch
|
|
|
-Patch40: Fix-hex-conversion-of-PKINIT-certid-strings.patch
|
|
|
-Patch41: Exit-with-status-0-from-kadmind.patch
|
|
|
-Patch42: Include-etype-info-in-for-hardware-preauth-hints.patch
|
|
|
-Patch43: Fix-securid_sam2-preauth-for-non-default-salt.patch
|
|
|
-Patch44: Refactor-KDC-krb5_pa_data-utility-functions.patch
|
|
|
-Patch45: Simplify-kdc_preauth.c-systems-table.patch
|
|
|
-Patch46: Add-PKINIT-client-support-for-freshness-token.patch
|
|
|
-Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch
|
|
|
-Patch49: Fix-read-overflow-in-KDC-sort_pa_data.patch
|
|
|
-Patch50: Include-preauth-name-in-trace-output-if-possible.patch
|
|
|
-Patch51: Report-extended-errors-in-kinit-k-t-KDB.patch
|
|
|
-Patch52: Add-libkrb5support-hex-functions-and-tests.patch
|
|
|
-Patch53: Use-libkrb5support-hex-functions-where-appropriate.patch
|
|
|
-Patch54: Add-ASN.1-encoders-and-decoders-for-SPAKE-types.patch
|
|
|
-Patch55: Add-k5_buf_add_vfmt-to-k5buf-interface.patch
|
|
|
-Patch56: Add-vector-support-to-k5_sha256.patch
|
|
|
-Patch57: Move-zap-definition-to-k5-platform.h.patch
|
|
|
-Patch58: Implement-k5_buf_init_dynamic_zap.patch
|
|
|
-Patch59: Use-k5_buf_init_dynamic_zap-where-appropriate.patch
|
|
|
-Patch60: Add-SPAKE-preauth-support.patch
|
|
|
-Patch61: Add-doc-index-entries-for-SPAKE-constants.patch
|
|
|
-Patch62: Fix-SPAKE-memory-leak.patch
|
|
|
-Patch64: Zap-data-when-freeing-krb5_spake_factor.patch
|
|
|
-Patch65: Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
|
|
|
-Patch68: Restrict-pre-authentication-fallback-cases.patch
|
|
|
-Patch69: Remove-nodes-option-from-make-certs-scripts.patch
|
|
|
-Patch70: Fix-segfault-in-finish_dispatch.patch
|
|
|
-Patch71: Log-when-non-root-ksu-authorization-fails.patch
|
|
|
-Patch72: Add-k5_dir_filenames-to-libkrb5support.patch
|
|
|
-Patch73: Process-profile-includedir-in-sorted-order.patch
|
|
|
-Patch74: Make-docs-build-python3-compatible.patch
|
|
|
-Patch75: Add-flag-to-disable-encrypted-timestamp-on-client.patch
|
|
|
-Patch76: Explicitly-look-for-python2-in-configure.in.patch
|
|
|
-Patch77: Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
|
|
|
-Patch78: Add-k5test-mark-function.patch
|
|
|
-Patch79: Convert-Python-tests-to-Python-3.patch
|
|
|
-Patch80: Zap-copy-of-secret-in-RC4-string-to-key.patch
|
|
|
-Patch81: Fix-some-broken-tests-for-Python-3.patch
|
|
|
-Patch82: Eliminate-preprocessor-disabled-dead-code.patch
|
|
|
-Patch83: Make-krb5kdc-p-affect-TCP-ports.patch
|
|
|
-Patch84: Remove-outdated-note-in-krb5kdc-man-page.patch
|
|
|
-Patch85: Fix-k5test-prompts-for-Python-3.patch
|
|
|
-Patch86: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
|
|
|
-Patch87: Prefer-TCP-to-UDP-for-password-changes.patch
|
|
|
-Patch88: Correct-kpasswd_server-description-in-krb5.conf-5.patch
|
|
|
-Patch89: Prevent-SIGPIPE-from-socket-writes-on-UNIX-likes.patch
|
|
|
-Patch90: Use-port-sockets.h-macros-in-cc_kcm-sendto_kdc.patch
|
|
|
-Patch91: Bring-back-general-kerberos-man-page.patch
|
|
|
-Patch92: Modernize-kerberos-7.patch
|
|
|
-Patch93: Update-man-pages-to-reference-kerberos-7.patch
|
|
|
+Source200: kprop.service
|
|
|
+Source201: kadmin.service
|
|
|
+Source202: krb5kdc.service
|
|
|
+Source203: krb5-krb5kdc.conf
|
|
|
+
|
|
|
+Patch0: downstream-ksu-pam-integration.patch
|
|
|
+Patch1: downstream-SELinux-integration.patch
|
|
|
+Patch2: downstream-Adjust-build-configuration.patch
|
|
|
+Patch3: downstream-netlib-and-dns.patch
|
|
|
+Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
|
|
|
+Patch5: downstream-Remove-3des-support.patch
|
|
|
+#Patch6: downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
|
|
|
+Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
|
|
+Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
|
|
|
+Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
|
|
|
+Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
|
|
|
+Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
|
|
|
+Patch12: Document-client-keytab-usage.patch
|
|
|
+Patch13: Add-finalization-safety-check-to-com_err.patch
|
|
|
+Patch14: Eliminate-redundant-PKINIT-responder-invocation.patch
|
|
|
+Patch15: Correctly-import-service-GSS-host-based-name.patch
|
|
|
+Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
|
|
|
|
|
|
# Vine patch(es)
|
|
|
-Patch1000: krb5-1.16.1-fix-openssl-libs.patch
|
|
|
|
|
|
License: MIT
|
|
|
URL: http://web.mit.edu/kerberos/www/
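Review bot: `Patch5: downstream-Remove-3des-support.patch` is applied automatically by `%autosetup`, but the changelog hunk only records "imported patches from rawhide". Judging by its name, the patch takes 3DES enctypes out of the build, so a realm or keytab that still holds only des3 keys would presumably stop authenticating after this update. That deserves its own changelog line and a short comment above the `Patch5` entry. `#Patch6` is also left commented out with no reason given, while `Patch7` (FIPS) from the same downstream series is kept. If Patch7 was written on top of Patch6 it may not apply or behave as intended, so either drop the line or annotate it, e.g. `# Patch6 not applied: <reason>`.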
|
|
@@ -125,7 +83,7 @@ BuildRequires: autoconf, bison, flex, gawk
|
|
|
BuildRequires: e2fsprogs-devel
|
|
|
# BuildRequires: gzip, ncurses-devel, rsh, texinfo, texinfo-tex, tar
|
|
|
BuildRequires: gzip, ncurses-devel, texinfo, tar, git
|
|
|
-# BuildRequires: python-sphinx
|
|
|
+BuildRequires: python-sphinx
|
|
|
# BuildRequires: texlive
|
|
|
# BuildRequires: texlive-latexrecommended
|
|
|
# BuildRequires: texlive-fontsrecommended
|
|
@@ -134,6 +92,9 @@ BuildRequires: keyutils-libs-devel
|
|
|
# BuildRequires: libselinux-devel
|
|
|
BuildRequires: pam-devel
|
|
|
BuildRequires: tcl-devel
|
|
|
+%if 0%{?with_systemd}
|
|
|
+BuildRequires: systemd-units
|
|
|
+%endif
|
|
|
|
|
|
%if %{WITH_LDAP}
|
|
|
BuildRequires: openldap-devel
|
|
@@ -183,18 +144,26 @@ Kerberos, you need to install this package.
|
|
|
Group: System Environment/Daemons
|
|
|
Summary: The KDC and related programs for Kerberos 5
|
|
|
Requires: %{name}-libs = %{version}-%{release}
|
|
|
-Requires(post): /sbin/install-info, chkconfig
|
|
|
-# we need 'status -l' to work, and that option was added in 8.91.3-1vl6
|
|
|
-Requires: initscripts >= 8.91.3-1
|
|
|
-Requires(preun): /sbin/install-info, chkconfig, initscripts
|
|
|
-Requires(postun): initscripts
|
|
|
-# portreserve is used by init scripts for kadmind, kpropd, and krb5kdc
|
|
|
-Requires: portreserve
|
|
|
%if %{WITH_SYSVERTO}
|
|
|
# for run-time, and for parts of the test suite
|
|
|
BuildRequires: libverto-module-base
|
|
|
Requires: libverto-module-base
|
|
|
%endif
|
|
|
+Requires(preun): /sbin/install-info
|
|
|
+Requires(post): /sbin/install-info
|
|
|
+%if 0%{?with_systemd}
|
|
|
+Requires(post): systemd
|
|
|
+Requires(preun): systemd
|
|
|
+Requires(postun): systemd
|
|
|
+%else
|
|
|
+# we need 'status -l' to work, and that option was added in 8.91.3-1vl6
|
|
|
+# portreserve is used by init scripts for kadmind, kpropd, and krb5kdc
|
|
|
+Requires: portreserve
|
|
|
+Requires: initscripts >= 8.91.3-1
|
|
|
+Requires(post): chkconfig
|
|
|
+Requires(preun): chkconfig, initscripts
|
|
|
+Requires(postun): initscripts
|
|
|
+%endif
|
|
|
|
|
|
%description server
|
|
|
Kerberos is a network authentication system. The krb5-server package
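Review bot: In the `%else` branch the comment `# we need 'status -l' to work, ...` is no longer next to the line it explains. The portreserve comment and `Requires: portreserve` now sit between it and `Requires: initscripts >= 8.91.3-1`, so it reads as if it described portreserve. Move it directly above the `initscripts` requirement. Separately, this hunk and the BuildRequires hunk test `0%{?with_systemd}`, while the `%install`, scriptlet and `%files` hunks use `%{with systemd}`. No `%bcond_with systemd` line is visible anywhere in the diff, so I would declare the conditional explicitly near the top of the spec and use one spelling throughout.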
|
|
@@ -288,14 +257,9 @@ certificate.
|
|
|
|
|
|
%prep
|
|
|
%autosetup -S git -n %{name}-%{version}
|
|
|
-tar xvf %{SOURCE3}
|
|
|
-tar xvf %{SOURCE1000}
|
|
|
|
|
|
ln -s NOTICE LICENSE
|
|
|
|
|
|
-# Take the execute bit off of documentation.
|
|
|
-chmod -x doc/ccapi/*.html
|
|
|
-
|
|
|
# Generate an FDS-compatible LDIF file.
|
|
|
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
|
|
|
cat > '60kerberos.ldif' << EOF
|
|
@@ -413,6 +377,10 @@ fi
|
|
|
## new krb5-%{version}-pdf
|
|
|
#tar -cf "krb5-%{version}-pdfs.tar.new" build-pdf/*.pdf
|
|
|
|
|
|
+cd src/man
|
|
|
+make -f Makefile.in top_srcdir=.. srcdir=. man
|
|
|
+
|
|
|
+
|
|
|
# We need to cut off any access to locally-running nameservers, too.
|
|
|
%{__cc} -fPIC -shared -o noport.so -Wall -Wextra $RPM_SOURCE_DIR/noport.c
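Review bot: The added `cd src/man` is never undone, so the `%{__cc} ... -o noport.so` line right below it, and everything after it in this section (outside the hunk), now runs inside `src/man` instead of the top of the source tree. `noport.so` will be written there, and any later step that expects it or other relative paths from the top-level directory will miss them. Keeping the directory change local avoids that: `make -C src/man -f Makefile.in top_srcdir=.. srcdir=. man`, or wrap the two lines in a subshell `( cd src/man && make ... )`.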
|
|
|
|
|
@@ -482,7 +450,22 @@ grep default_ccache_name $RPM_BUILD_ROOT/etc/krb5.conf
|
|
|
|
|
|
|
|
|
|
|
|
+
|
|
|
# Server init scripts (krb5kdc,kadmind,kpropd) and their sysconfig files.
|
|
|
+%if %{with systemd}
|
|
|
+mkdir -p $RPM_BUILD_ROOT%{_unitdir}
|
|
|
+for unit in \
|
|
|
+ %{SOURCE200} \
|
|
|
+ %{SOURCE201} \
|
|
|
+ %{SOURCE202} ; do
|
|
|
+ # In the past, the init script was supposed to be named after the service
|
|
|
+ # that the started daemon provided. Changing their names is an
|
|
|
+ # upgrade-time problem I'm in no hurry to deal with.
|
|
|
+ install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir}
|
|
|
+done
|
|
|
+mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
|
|
|
+install -pm 644 %{SOURCE203} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
|
|
|
+%else
|
|
|
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
|
|
|
for init in \
|
|
|
%{SOURCE5}\
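Review bot: The systemd branch installs `%{SOURCE203}` into `%{_tmpfilesdir}/`, but the `%files server` hunk lists only the three unit files under `%if %{with systemd}`. Unless the tmpfiles entry is already listed in an unchanged part of the spec, a build with systemd enabled will either stop on an installed-but-unpackaged file or ship without the tmpfiles rule, so the directory it is meant to create would be missing at daemon start. I would add `%{_tmpfilesdir}/krb5-krb5kdc.conf` to the systemd branch of `%files server`. The comment inside the new `for unit` loop ("the init script was supposed to be named after the service...") was copied from the SysV loop and does not describe unit files, so drop or reword it. The `for init in` loop at the end of this hunk continues outside it.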
|
|
@@ -495,6 +478,7 @@ for init in \
|
|
|
install -pm 755 ${init} \
|
|
|
$RPM_BUILD_ROOT/etc/rc.d/init.d/${service%d}
|
|
|
done
|
|
|
+%endif
|
|
|
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
|
|
|
for sysconfig in \
|
|
|
%{SOURCE19}\
|
|
@@ -504,6 +488,7 @@ for sysconfig in \
|
|
|
$RPM_BUILD_ROOT/etc/sysconfig/`basename ${sysconfig} .sysconfig`
|
|
|
done
|
|
|
|
|
|
+%if !%{with systemd}
|
|
|
# portreserve configuration files.
|
|
|
mkdir -p $RPM_BUILD_ROOT/etc/portreserve
|
|
|
for portreserve in \
|
|
@@ -513,6 +498,7 @@ for portreserve in \
|
|
|
install -pm 644 ${portreserve} \
|
|
|
$RPM_BUILD_ROOT/etc/portreserve/`basename ${portreserve} .portreserve`
|
|
|
done
|
|
|
+%endif
|
|
|
|
|
|
# logrotate configuration files
|
|
|
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d/
|
|
@@ -555,7 +541,7 @@ fi
|
|
|
|
|
|
# Install processed man pages.
|
|
|
for section in 1 5 8 ; do
|
|
|
- install -m 644 build-man/*.${section} \
|
|
|
+ install -m 644 src/man/rst_man/*.${section} \
|
|
|
$RPM_BUILD_ROOT/%{_mandir}/man${section}/
|
|
|
done
|
|
|
|
|
@@ -601,14 +587,23 @@ rm -f -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
|
|
|
|
|
|
%post server
|
|
|
# Remove the init script for older servers.
|
|
|
+%if %{with systemd}
|
|
|
+%systemd_post krb5kdc.service kadmin.service kprop.service
|
|
|
+# assert sanity. A cleaner solution probably exists but it is opaque
|
|
|
+/bin/systemctl daemon-reload
|
|
|
+%else
|
|
|
[ -x /etc/rc.d/init.d/krb5server ] && /sbin/chkconfig --del krb5server
|
|
|
# Install the new ones.
|
|
|
/sbin/chkconfig --add krb5kdc
|
|
|
/sbin/chkconfig --add kadmin
|
|
|
/sbin/chkconfig --add kprop
|
|
|
+%endif
|
|
|
exit 0
|
|
|
|
|
|
%preun server
|
|
|
+%if %{with systemd}
|
|
|
+%systemd_preun krb5kdc.service kadmin.service kprop.service
|
|
|
+%else
|
|
|
if [ "$1" -eq "0" ] ; then
|
|
|
/sbin/chkconfig --del krb5kdc
|
|
|
/sbin/chkconfig --del kadmin
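Review bot: `/bin/systemctl daemon-reload` in `%post server` runs unguarded, whereas the `/sbin/service` calls visible in the neighbouring hunks all end in `> /dev/null 2>&1 || :`. In a chroot or image build where systemd is not running it will print an error into the transaction output. `%systemd_post` is already invoked on the line above, so if the extra reload is really needed, write it as `/bin/systemctl daemon-reload > /dev/null 2>&1 || :` and replace "assert sanity..." with a comment naming the failure it works around. The comment `# Remove the init script for older servers.` now sits above `%if %{with systemd}`, although it describes the chkconfig line in the `%else` branch, so move it down. The `%preun server` body continues outside this hunk.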
|
|
@@ -617,23 +612,30 @@ if [ "$1" -eq "0" ] ; then
|
|
|
/sbin/service kadmin stop > /dev/null 2>&1 || :
|
|
|
/sbin/service kprop stop > /dev/null 2>&1 || :
|
|
|
fi
|
|
|
+%endif
|
|
|
exit 0
|
|
|
|
|
|
%postun server
|
|
|
+%if %{with systemd}
|
|
|
+%systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service
|
|
|
+%else
|
|
|
if [ "$1" -ge 1 ] ; then
|
|
|
/sbin/service krb5kdc condrestart > /dev/null 2>&1 || :
|
|
|
/sbin/service kadmin condrestart > /dev/null 2>&1 || :
|
|
|
/sbin/service kprop condrestart > /dev/null 2>&1 || :
|
|
|
fi
|
|
|
+%endif
|
|
|
exit 0
|
|
|
|
|
|
%triggerun server -- krb5-server < 1.6.3-100
|
|
|
+%if !%{with systemd}
|
|
|
if [ "$2" -eq "0" ] ; then
|
|
|
/sbin/install-info --delete %{_infodir}/krb425.info.gz %{_infodir}/dir
|
|
|
/sbin/service krb524 stop > /dev/null 2>&1 || :
|
|
|
/sbin/chkconfig --del krb524 > /dev/null 2>&1 || :
|
|
|
fi
|
|
|
exit 0
|
|
|
+%endif
|
|
|
|
|
|
%triggerun libs -- krb5-libs < 1.16-2
|
|
|
if grep -q '^includedir /etc/krb5.conf.d' /etc/krb5.conf ; then
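Review bot: In `%triggerun server -- krb5-server < 1.6.3-100` the new `%if !%{with systemd}` wraps the whole body, including `/sbin/install-info --delete %{_infodir}/krb425.info.gz %{_infodir}/dir` and the final `exit 0`. Removing the stale info entry has nothing to do with the init system, so a systemd build upgrading from such an old package would leave it registered, and the trigger would be left with an empty script. I would narrow the conditional to the `/sbin/service krb524 stop` and `/sbin/chkconfig --del krb524` lines and keep the `if [ "$2" -eq "0" ]` block and `exit 0` unconditional. The `%triggerun libs` body that starts at the end of this hunk continues outside it.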
|
|
@@ -651,8 +653,6 @@ exit 0
|
|
|
%defattr(-,root,root,-)
|
|
|
%doc src/config-files/services.append
|
|
|
%doc src/config-files/krb5.conf
|
|
|
-%doc build-html/*
|
|
|
-%doc build-pdf/user.pdf build-pdf/basic.pdf
|
|
|
%attr(0755,root,root) %doc src/config-files/convert-config-files
|
|
|
|
|
|
# Clients of the KDC, including tools you're likely to need if you're running
|
|
@@ -685,22 +685,27 @@ exit 0
|
|
|
%files server
|
|
|
%defattr(-,root,root,-)
|
|
|
%docdir %{_mandir}
|
|
|
-%doc build-pdf/admin.pdf build-pdf/build.pdf
|
|
|
%doc src/config-files/kdc.conf
|
|
|
|
|
|
+%if %{with systemd}
|
|
|
+%{_unitdir}/krb5kdc.service
|
|
|
+%{_unitdir}/kadmin.service
|
|
|
+%{_unitdir}/kprop.service
|
|
|
+%else
|
|
|
/etc/rc.d/init.d/krb5kdc
|
|
|
/etc/rc.d/init.d/kadmin
|
|
|
/etc/rc.d/init.d/kprop
|
|
|
+%dir /etc/portreserve
|
|
|
+%config(noreplace) /etc/portreserve/kerberos-iv
|
|
|
+%config(noreplace) /etc/portreserve/kerberos-adm
|
|
|
+%config(noreplace) /etc/portreserve/krb5_prop
|
|
|
+%endif
|
|
|
%config(noreplace) /etc/sysconfig/krb5kdc
|
|
|
%config(noreplace) /etc/sysconfig/kadmin
|
|
|
%config(noreplace) /etc/sysconfig/kprop
|
|
|
%config(noreplace) /etc/logrotate.d/krb5kdc
|
|
|
%config(noreplace) /etc/logrotate.d/kadmind
|
|
|
|
|
|
-%config(noreplace) /etc/portreserve/kerberos-iv
|
|
|
-%config(noreplace) /etc/portreserve/kerberos-adm
|
|
|
-%config(noreplace) /etc/portreserve/krb5_prop
|
|
|
-
|
|
|
%dir %{_var}/kerberos
|
|
|
%dir %{_var}/kerberos/krb5kdc
|
|
|
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
|
|
@@ -804,7 +809,6 @@ exit 0
|
|
|
%files devel
|
|
|
%defattr(-,root,root,-)
|
|
|
%docdir %{_mandir}
|
|
|
-%doc build-pdf/appdev.pdf build-pdf/plugindev.pdf
|
|
|
|
|
|
%{_includedir}/*
|
|
|
%{_libdir}/libgssapi_krb5.so
|
|
@@ -888,6 +892,12 @@ exit 0
|
|
|
%endif
|
|
|
|
|
|
%changelog
|
|
|
+* Wed Apr 08 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.18-1
|
|
|
+- updated to 1.18.
|
|
|
+- added systemd support (disabled as default).
|
|
|
+- dropped all patches.
|
|
|
+- imported patches from rawhide.
|
|
|
+
|
|
|
* Thu Nov 01 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.16.1-1
|
|
|
- updated to 1.16.1.
|
|
|
|