Initialize for krb5

.gitignore

@@ -0,0 +1,2 @@
+krb5-1.20.1.tar.gz
+vendor-files.tar.bz2

.krb5.metadata

@@ -0,0 +1,2 @@
+270df5df4c60e00b0b10d83b04b83741a9260c36509c062154a3cfcfe1fad628 krb5-1.20.1.tar.gz
+21fb5ee1f60ae28c2acfb7d5f4532d638a1edc9a195b65b47160327771c8ddc8 vendor-files.tar.bz2

0001-ksu-pam-integration.patch

@@ -0,0 +1,776 @@
+From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:29:58 -0400
+Subject: [PATCH 1/8] ksu pam integration
+
+Modify ksu so that it performs account and session management on behalf of
+the target user account, mimicking the action of regular su.  The default
+service name is "ksu", because on Fedora at least the configuration used
+is determined by whether or not a login shell is being opened, and so
+this may need to vary, too.  At run-time, ksu's behavior can be reset to
+the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
+section of /etc/krb5.conf.
+
+When enabled, ksu gains a dependency on libpam.
+
+Originally RT#5939, though it's changed since then to perform the account
+and session management before dropping privileges, and to apply on top of
+changes we're proposing for how it handles cache collections.
+
+Last-updated: krb5-1.18-beta1
+---
+ src/aclocal.m4              |  68 +++++++
+ src/clients/ksu/Makefile.in |   8 +-
+ src/clients/ksu/main.c      |  88 +++++++-
+ src/clients/ksu/pam.c       | 389 ++++++++++++++++++++++++++++++++++++
+ src/clients/ksu/pam.h       |  57 ++++++
+ src/configure.ac            |   2 +
+ 6 files changed, 609 insertions(+), 3 deletions(-)
+ create mode 100644 src/clients/ksu/pam.c
+ create mode 100644 src/clients/ksu/pam.h
+
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index 024d6370c..43eed3b87 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
+   OPENLDAP_PLUGIN=yes
+ fi
+ ])dnl
++dnl
++dnl
++dnl Use PAM instead of local crypt() compare for checking local passwords,
++dnl and perform PAM account, session management, and password-changing where
++dnl appropriate.
++dnl
++AC_DEFUN(KRB5_WITH_PAM,[
++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
++	    withpam="$withval",withpam=auto)
++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
++	    withksupamservice="$withval",withksupamservice=ksu)
++old_LIBS="$LIBS"
++if test "$withpam" != no ; then
++	AC_MSG_RESULT([checking for PAM...])
++	PAM_LIBS=
++
++	AC_CHECK_HEADERS(security/pam_appl.h)
++	if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
++		if test "$withpam" = auto ; then
++			AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
++			withpam=no
++		else
++			AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
++		fi
++	fi
++
++	LIBS=
++	unset ac_cv_func_pam_start
++	AC_CHECK_FUNCS(putenv pam_start)
++	if test "x$ac_cv_func_pam_start" = xno ; then
++		unset ac_cv_func_pam_start
++		AC_CHECK_LIB(dl,dlopen)
++		AC_CHECK_FUNCS(pam_start)
++		if test "x$ac_cv_func_pam_start" = xno ; then
++			AC_CHECK_LIB(pam,pam_start)
++			unset ac_cv_func_pam_start
++			unset ac_cv_func_pam_getenvlist
++			AC_CHECK_FUNCS(pam_start pam_getenvlist)
++			if test "x$ac_cv_func_pam_start" = xyes ; then
++				PAM_LIBS="$LIBS"
++			else
++				if test "$withpam" = auto ; then
++					AC_MSG_RESULT([Unable to locate libpam.])
++					withpam=no
++				else
++					AC_MSG_ERROR([Unable to locate libpam.])
++				fi
++			fi
++		fi
++	fi
++	if test "$withpam" != no ; then
++		AC_MSG_NOTICE([building with PAM support])
++		AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
++		AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
++				   [Define to the name of the PAM service name to be used by ksu.])
++		PAM_LIBS="$LIBS"
++		NON_PAM_MAN=".\\\" "
++		PAM_MAN=
++	else
++		PAM_MAN=".\\\" "
++		NON_PAM_MAN=
++	fi
++fi
++LIBS="$old_LIBS"
++AC_SUBST(PAM_LIBS)
++AC_SUBST(PAM_MAN)
++AC_SUBST(NON_PAM_MAN)
++])dnl
+diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
+index 8b4edce4d..9d58f29b5 100644
+--- a/src/clients/ksu/Makefile.in
++++ b/src/clients/ksu/Makefile.in
+@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
+ DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
+ 
+ KSU_LIBS=@KSU_LIBS@
++PAM_LIBS=@PAM_LIBS@
+ 
+ SRCS = \
+ 	$(srcdir)/krb_auth_su.c \
+ 	$(srcdir)/ccache.c \
+ 	$(srcdir)/authorization.c \
+ 	$(srcdir)/main.c \
++	$(srcdir)/pam.c \
+ 	$(srcdir)/heuristic.c \
+ 	$(srcdir)/xmalloc.c \
+ 	$(srcdir)/setenv.c
+@@ -17,13 +19,17 @@ OBJS = \
+ 	ccache.o \
+ 	authorization.o \
+ 	main.o \
++	pam.o \
+ 	heuristic.o \
+ 	xmalloc.o @SETENVOBJ@
+ 
+ all: ksu
+ 
+ ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
+-	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
++	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
++
++pam.o: pam.c
++	$(CC) $(ALL_CFLAGS) -c $<
+ 
+ clean:
+ 	$(RM) ksu
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index af1286172..931f05404 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -26,6 +26,7 @@
+  * KSU was written by:  Ari Medvinsky, ari@isi.edu
+  */
+ 
++#include "autoconf.h"
+ #include "ksu.h"
+ #include "adm_proto.h"
+ #include <sys/types.h>
+@@ -33,6 +34,10 @@
+ #include <signal.h>
+ #include <grp.h>
+ 
++#ifdef USE_PAM
++#include "pam.h"
++#endif
++
+ /* globals */
+ char * prog_name;
+ int auth_debug =0;
+@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
+ char k5users_path[MAXPATHLEN];
+ char * gb_err = NULL;
+ int quiet = 0;
++int force_fork = 0;
+ /***********/
+ 
+ #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
+@@ -536,6 +542,23 @@ main (argc, argv)
+                prog_name,target_user,client_name,
+                source_user,ontty());
+ 
++#ifdef USE_PAM
++        if (appl_pam_enabled(ksu_context, "ksu")) {
++            if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++                                   NULL, source_user,
++                                   ttyname(STDERR_FILENO)) != 0) {
++                fprintf(stderr, "Access denied for %s.\n", target_user);
++                exit(1);
++            }
++            if (appl_pam_requires_chauthtok()) {
++                fprintf(stderr, "Password change required for %s.\n",
++                        target_user);
++                exit(1);
++            }
++            force_fork++;
++        }
++#endif
++
+         /* Run authorization as target.*/
+         if (krb5_seteuid(target_uid)) {
+             com_err(prog_name, errno, _("while switching to target for "
+@@ -596,6 +619,24 @@ main (argc, argv)
+ 
+             exit(1);
+         }
++#ifdef USE_PAM
++    } else {
++        /* we always do PAM account management, even for root */
++        if (appl_pam_enabled(ksu_context, "ksu")) {
++            if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++                                   NULL, source_user,
++                                   ttyname(STDERR_FILENO)) != 0) {
++                fprintf(stderr, "Access denied for %s.\n", target_user);
++                exit(1);
++            }
++            if (appl_pam_requires_chauthtok()) {
++                fprintf(stderr, "Password change required for %s.\n",
++                        target_user);
++                exit(1);
++            }
++            force_fork++;
++        }
++#endif
+     }
+ 
+     if( some_rest_copy){
+@@ -653,6 +694,30 @@ main (argc, argv)
+         exit(1);
+     }
+ 
++#ifdef USE_PAM
++    if (appl_pam_enabled(ksu_context, "ksu")) {
++        if (appl_pam_session_open() != 0) {
++            fprintf(stderr, "Error opening session for %s.\n", target_user);
++            exit(1);
++        }
++#ifdef DEBUG
++        if (auth_debug){
++            printf(" Opened PAM session.\n");
++        }
++#endif
++        if (appl_pam_cred_init()) {
++            fprintf(stderr, "Error initializing credentials for %s.\n",
++                    target_user);
++            exit(1);
++        }
++#ifdef DEBUG
++        if (auth_debug){
++            printf(" Initialized PAM credentials.\n");
++        }
++#endif
++    }
++#endif
++
+     /* set permissions */
+     if (setgid(target_pwd->pw_gid) < 0) {
+         perror("ksu: setgid");
+@@ -750,7 +815,7 @@ main (argc, argv)
+         fprintf(stderr, "program to be execed %s\n",params[0]);
+     }
+ 
+-    if( keep_target_cache ) {
++    if( keep_target_cache && !force_fork ) {
+         execv(params[0], params);
+         com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
+         sweep_up(ksu_context, cc_target);
+@@ -780,16 +845,35 @@ main (argc, argv)
+             if (ret_pid == -1) {
+                 com_err(prog_name, errno, _("while calling waitpid"));
+             }
+-            sweep_up(ksu_context, cc_target);
++            if( !keep_target_cache ) {
++                sweep_up(ksu_context, cc_target);
++            }
+             exit (statusp);
+         case -1:
+             com_err(prog_name, errno, _("while trying to fork."));
+             sweep_up(ksu_context, cc_target);
+             exit (1);
+         case 0:
++#ifdef USE_PAM
++            if (appl_pam_enabled(ksu_context, "ksu")) {
++                if (appl_pam_setenv() != 0) {
++                    fprintf(stderr, "Error setting up environment for %s.\n",
++                            target_user);
++                    exit (1);
++                }
++#ifdef DEBUG
++                if (auth_debug){
++                    printf(" Set up PAM environment.\n");
++                }
++#endif
++            }
++#endif
+             execv(params[0], params);
+             com_err(prog_name, errno, _("while trying to execv %s"),
+                     params[0]);
++            if( keep_target_cache ) {
++                sweep_up(ksu_context, cc_target);
++            }
+             exit (1);
+         }
+     }
+diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
+new file mode 100644
+index 000000000..eb5d03bbf
+--- /dev/null
++++ b/src/clients/ksu/pam.c
+@@ -0,0 +1,389 @@
++/*
++ * src/clients/ksu/pam.c
++ *
++ * Copyright 2007,2009,2010 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ *  Redistributions of source code must retain the above copyright notice, this
++ *  list of conditions and the following disclaimer.
++ *
++ *  Redistributions in binary form must reproduce the above copyright notice,
++ *  this list of conditions and the following disclaimer in the documentation
++ *  and/or other materials provided with the distribution.
++ *
++ *  Neither the name of Red Hat, Inc. nor the names of its contributors may be
++ *  used to endorse or promote products derived from this software without
++ *  specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Convenience wrappers for using PAM.
++ */
++
++#include "autoconf.h"
++#ifdef USE_PAM
++#include <sys/types.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include "k5-int.h"
++#include "pam.h"
++
++#ifndef MAXPWSIZE
++#define MAXPWSIZE 128
++#endif
++
++static int appl_pam_started;
++static pid_t appl_pam_starter = -1;
++static int appl_pam_session_opened;
++static int appl_pam_creds_initialized;
++static int appl_pam_pwchange_required;
++static pam_handle_t *appl_pamh;
++static struct pam_conv appl_pam_conv;
++static char *appl_pam_user;
++struct appl_pam_non_interactive_args {
++	const char *user;
++	const char *password;
++};
++
++int
++appl_pam_enabled(krb5_context context, const char *section)
++{
++	int enabled = 1;
++	if ((context != NULL) && (context->profile != NULL)) {
++		if (profile_get_boolean(context->profile,
++					section,
++					USE_PAM_CONFIGURATION_KEYWORD,
++					NULL,
++					enabled, &enabled) != 0) {
++			enabled = 1;
++		}
++	}
++	return enabled;
++}
++
++void
++appl_pam_cleanup(void)
++{
++	if (getpid() != appl_pam_starter) {
++		return;
++	}
++#ifdef DEBUG
++	printf("Called to clean up PAM.\n");
++#endif
++	if (appl_pam_creds_initialized) {
++#ifdef DEBUG
++		printf("Deleting PAM credentials.\n");
++#endif
++		pam_setcred(appl_pamh, PAM_DELETE_CRED);
++		appl_pam_creds_initialized = 0;
++	}
++	if (appl_pam_session_opened) {
++#ifdef DEBUG
++		printf("Closing PAM session.\n");
++#endif
++		pam_close_session(appl_pamh, 0);
++		appl_pam_session_opened = 0;
++	}
++	appl_pam_pwchange_required = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Shutting down PAM.\n");
++#endif
++		pam_end(appl_pamh, 0);
++		appl_pam_started = 0;
++		appl_pam_starter = -1;
++		free(appl_pam_user);
++		appl_pam_user = NULL;
++	}
++}
++static int
++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
++			      struct pam_response **presp, void *appdata_ptr)
++{
++	const struct pam_message *message;
++	struct pam_response *resp;
++	int i, code;
++	char *pwstring, pwbuf[MAXPWSIZE];
++	unsigned int pwsize;
++	resp = malloc(sizeof(struct pam_response) * num_msg);
++	if (resp == NULL) {
++		return PAM_BUF_ERR;
++	}
++	memset(resp, 0, sizeof(struct pam_response) * num_msg);
++	code = PAM_SUCCESS;
++	for (i = 0; i < num_msg; i++) {
++		message = &(msg[0][i]); /* XXX */
++		message = msg[i]; /* XXX */
++		pwstring = NULL;
++		switch (message->msg_style) {
++		case PAM_TEXT_INFO:
++		case PAM_ERROR_MSG:
++			printf("[%s]\n", message->msg ? message->msg : "");
++			fflush(stdout);
++			resp[i].resp = NULL;
++			resp[i].resp_retcode = PAM_SUCCESS;
++			break;
++		case PAM_PROMPT_ECHO_ON:
++		case PAM_PROMPT_ECHO_OFF:
++			if (message->msg_style == PAM_PROMPT_ECHO_ON) {
++				if (fgets(pwbuf, sizeof(pwbuf),
++					  stdin) != NULL) {
++					pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
++					pwstring = pwbuf;
++				}
++			} else {
++				pwstring = getpass(message->msg ?
++						   message->msg :
++						   "");
++			}
++			if ((pwstring != NULL) && (pwstring[0] != '\0')) {
++				pwsize = strlen(pwstring);
++				resp[i].resp = malloc(pwsize + 1);
++				if (resp[i].resp == NULL) {
++					resp[i].resp_retcode = PAM_BUF_ERR;
++				} else {
++					memcpy(resp[i].resp, pwstring, pwsize);
++					resp[i].resp[pwsize] = '\0';
++					resp[i].resp_retcode = PAM_SUCCESS;
++				}
++			} else {
++				resp[i].resp_retcode = PAM_CONV_ERR;
++				code = PAM_CONV_ERR;
++			}
++			break;
++		default:
++			break;
++		}
++	}
++	*presp = resp;
++	return code;
++}
++static int
++appl_pam_non_interactive_converse(int num_msg,
++				  const struct pam_message **msg,
++				  struct pam_response **presp,
++				  void *appdata_ptr)
++{
++	const struct pam_message *message;
++	struct pam_response *resp;
++	int i, code;
++	unsigned int pwsize;
++	struct appl_pam_non_interactive_args *args;
++	const char *pwstring;
++	resp = malloc(sizeof(struct pam_response) * num_msg);
++	if (resp == NULL) {
++		return PAM_BUF_ERR;
++	}
++	args = appdata_ptr;
++	memset(resp, 0, sizeof(struct pam_response) * num_msg);
++	code = PAM_SUCCESS;
++	for (i = 0; i < num_msg; i++) {
++		message = &((*msg)[i]);
++		message = msg[i];
++		pwstring = NULL;
++		switch (message->msg_style) {
++		case PAM_TEXT_INFO:
++		case PAM_ERROR_MSG:
++			break;
++		case PAM_PROMPT_ECHO_ON:
++		case PAM_PROMPT_ECHO_OFF:
++			if (message->msg_style == PAM_PROMPT_ECHO_ON) {
++				/* assume "user" */
++				pwstring = args->user;
++			} else {
++				/* assume "password" */
++				pwstring = args->password;
++			}
++			if ((pwstring != NULL) && (pwstring[0] != '\0')) {
++				pwsize = strlen(pwstring);
++				resp[i].resp = malloc(pwsize + 1);
++				if (resp[i].resp == NULL) {
++					resp[i].resp_retcode = PAM_BUF_ERR;
++				} else {
++					memcpy(resp[i].resp, pwstring, pwsize);
++					resp[i].resp[pwsize] = '\0';
++					resp[i].resp_retcode = PAM_SUCCESS;
++				}
++			} else {
++				resp[i].resp_retcode = PAM_CONV_ERR;
++				code = PAM_CONV_ERR;
++			}
++			break;
++		default:
++			break;
++		}
++	}
++	*presp = resp;
++	return code;
++}
++static int
++appl_pam_start(const char *service, int interactive,
++	       const char *login_username,
++	       const char *non_interactive_password,
++	       const char *hostname,
++	       const char *ruser,
++	       const char *tty)
++{
++	static int exit_handler_registered;
++	static struct appl_pam_non_interactive_args args;
++	int ret = 0;
++	if (appl_pam_started &&
++	    (strcmp(login_username, appl_pam_user) != 0)) {
++		appl_pam_cleanup();
++		appl_pam_user = NULL;
++	}
++	if (!appl_pam_started) {
++#ifdef DEBUG
++		printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
++		       service, login_username);
++#endif
++		memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
++		appl_pam_conv.conv = interactive ?
++				     &appl_pam_interactive_converse :
++				     &appl_pam_non_interactive_converse;
++		memset(&args, 0, sizeof(args));
++		args.user = strdup(login_username);
++		args.password = non_interactive_password ?
++				strdup(non_interactive_password) :
++				NULL;
++		appl_pam_conv.appdata_ptr = &args;
++		ret = pam_start(service, login_username,
++				&appl_pam_conv, &appl_pamh);
++		if (ret == 0) {
++			if (hostname != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_RHOST to \"%s\".\n", hostname);
++#endif
++				pam_set_item(appl_pamh, PAM_RHOST, hostname);
++			}
++			if (ruser != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_RUSER to \"%s\".\n", ruser);
++#endif
++				pam_set_item(appl_pamh, PAM_RUSER, ruser);
++			}
++			if (tty != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_TTY to \"%s\".\n", tty);
++#endif
++				pam_set_item(appl_pamh, PAM_TTY, tty);
++			}
++			if (!exit_handler_registered &&
++			    (atexit(appl_pam_cleanup) != 0)) {
++				pam_end(appl_pamh, 0);
++				appl_pamh = NULL;
++				ret = -1;
++			} else {
++				appl_pam_started = 1;
++				appl_pam_starter = getpid();
++				appl_pam_user = strdup(login_username);
++				exit_handler_registered = 1;
++			}
++		}
++	}
++	return ret;
++}
++int
++appl_pam_acct_mgmt(const char *service, int interactive,
++		   const char *login_username,
++		   const char *non_interactive_password,
++		   const char *hostname,
++		   const char *ruser,
++		   const char *tty)
++{
++	int ret;
++	appl_pam_pwchange_required = 0;
++	ret = appl_pam_start(service, interactive, login_username,
++			     non_interactive_password, hostname, ruser, tty);
++	if (ret == 0) {
++#ifdef DEBUG
++		printf("Calling pam_acct_mgmt().\n");
++#endif
++		ret = pam_acct_mgmt(appl_pamh, 0);
++		switch (ret) {
++		case PAM_IGNORE:
++			ret = 0;
++			break;
++		case PAM_NEW_AUTHTOK_REQD:
++			appl_pam_pwchange_required = 1;
++			ret = 0;
++			break;
++		default:
++			break;
++		}
++	}
++	return ret;
++}
++int
++appl_pam_requires_chauthtok(void)
++{
++	return appl_pam_pwchange_required;
++}
++int
++appl_pam_session_open(void)
++{
++	int ret = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Opening PAM session.\n");
++#endif
++		ret = pam_open_session(appl_pamh, 0);
++		if (ret == 0) {
++			appl_pam_session_opened = 1;
++		}
++	}
++	return ret;
++}
++int
++appl_pam_setenv(void)
++{
++	int ret = 0;
++#ifdef HAVE_PAM_GETENVLIST
++#ifdef HAVE_PUTENV
++	int i;
++	char **list;
++	if (appl_pam_started) {
++		list = pam_getenvlist(appl_pamh);
++		for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
++#ifdef DEBUG
++			printf("Setting \"%s\" in environment.\n", list[i]);
++#endif
++			putenv(list[i]);
++		}
++	}
++#endif
++#endif
++	return ret;
++}
++int
++appl_pam_cred_init(void)
++{
++	int ret = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Initializing PAM credentials.\n");
++#endif
++		ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
++		if (ret == 0) {
++			appl_pam_creds_initialized = 1;
++		}
++	}
++	return ret;
++}
++#endif
+diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
+new file mode 100644
+index 000000000..d45b9fd84
+--- /dev/null
++++ b/src/clients/ksu/pam.h
+@@ -0,0 +1,57 @@
++/*
++ * src/clients/ksu/pam.h
++ *
++ * Copyright 2007,2009,2010 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ *  Redistributions of source code must retain the above copyright notice, this
++ *  list of conditions and the following disclaimer.
++ *
++ *  Redistributions in binary form must reproduce the above copyright notice,
++ *  this list of conditions and the following disclaimer in the documentation
++ *  and/or other materials provided with the distribution.
++ *
++ *  Neither the name of Red Hat, Inc. nor the names of its contributors may be
++ *  used to endorse or promote products derived from this software without
++ *  specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Convenience wrappers for using PAM.
++ */
++
++#include <krb5.h>
++#ifdef HAVE_SECURITY_PAM_APPL_H
++#include <security/pam_appl.h>
++#endif
++
++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
++
++#ifdef USE_PAM
++int appl_pam_enabled(krb5_context context, const char *section);
++int appl_pam_acct_mgmt(const char *service, int interactive,
++		       const char *local_username,
++		       const char *non_interactive_password,
++		       const char *hostname,
++		       const char *ruser,
++		       const char *tty);
++int appl_pam_requires_chauthtok(void);
++int appl_pam_session_open(void);
++int appl_pam_setenv(void);
++int appl_pam_cred_init(void);
++void appl_pam_cleanup(void);
++#endif
+diff --git a/src/configure.ac b/src/configure.ac
+index 4eb080784..693f76a81 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
+ 
+ AC_PATH_PROG(GROFF, groff)
+ 
++KRB5_WITH_PAM
++
+ # Make localedir work in autoconf 2.5x.
+ if test "${localedir+set}" != set; then
+     localedir='$(datadir)/locale'
+-- 
+2.30.0
+

0002-krb5-1.9-manpaths.patch

@@ -0,0 +1,29 @@
+From 191084a19585fbc99e11b6ef4f00ce9df7f45e2f Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:06:55 +0100
+Subject: [PATCH 2/9] Import krb5-1.9-manpaths.dif
+
+Change the absolute paths included in the man pages so that the correct
+values can be dropped in by config.status.  After applying this patch,
+these files should be renamed to their ".in" counterparts, and then the
+configure scripts should be rebuilt.  Originally RT#6525
+---
+ src/man/kpropd.man | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/man/kpropd.man b/src/man/kpropd.man
+index d80e43ad7..949407edd 100644
+--- a/src/man/kpropd.man
++++ b/src/man/kpropd.man
+@@ -66,7 +66,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
+ .sp
+ .nf
+ .ft C
+-kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
++kprop  stream  tcp  nowait  root  @SBINDIR@/kpropd  kpropd
+ .ft P
+ .fi
+ .UNINDENT
+-- 
+2.20.1
+

0003-Adjust-build-configuration.patch

@@ -0,0 +1,75 @@
+From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:45:26 -0400
+Subject: [PATCH 3/8] Adjust build configuration
+
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them.  Prune out
+the -L/usr/lib* and PIE flags where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+Last-updated: krb5-1.15-beta1
+---
+ src/build-tools/krb5-config.in | 7 +++++++
+ src/config/pre.in              | 2 +-
+ src/config/shlib.conf          | 5 +++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index f6184da3f..0edf6a1a5 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -225,6 +225,13 @@ if test -n "$do_libs"; then
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 
++    if test `dirname $libdir` = /usr ; then
++        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++    fi
++    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+     if test $library = 'kdb'; then
+ 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+ 	library=krb5
+diff --git a/src/config/pre.in b/src/config/pre.in
+index ce87e21ca..164bf8301 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+ INSTALL_SCRIPT=@INSTALL_PROGRAM@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+ prefix=@prefix@
+diff --git a/src/config/shlib.conf b/src/config/shlib.conf
+index 3e4af6c02..2b20c3fda 100644
+--- a/src/config/shlib.conf
++++ b/src/config/shlib.conf
+@@ -423,7 +423,7 @@ mips-*-netbsd*)
+ 	# Linux ld doesn't default to stuffing the SONAME field...
+ 	# Use objdump -x to examine the fields of the library
+ 	# UNDEF_CHECK is suppressed by --enable-asan
+-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
++	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)  -Wl,-z,relro -Wl,--warn-shared-textrel'
+ 	UNDEF_CHECK='-Wl,--no-undefined'
+ 	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
+ 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
+@@ -435,7 +435,8 @@ mips-*-netbsd*)
+ 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ 	PROFFLAGS=-pg
+ 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++	INSTALL_SHLIB='${INSTALL} -m755'
+ 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
+-- 
+2.25.0
+

0004-krb5-1.6.3-gssapi_improve_errormessages.patch

@@ -0,0 +1,25 @@
+From 48b7d6a58b6efab9578ef160767aaed86168d046 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:09:05 +0100
+Subject: [PATCH 4/9] Import krb5-1.6.3-gssapi_improve_errormessages.dif
+
+---
+ src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
+index bc416107e..22612f970 100644
+--- a/src/lib/gssapi/generic/disp_com_err_status.c
++++ b/src/lib/gssapi/generic/disp_com_err_status.c
+@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
+     status_string->value = NULL;
+ 
+     if (! g_make_string_buffer(((status_value == 0)?no_error:
+-                                error_message(status_value)),
++                                error_message((long)status_value)),
+                                status_string)) {
+         *minor_status = ENOMEM;
+         return(GSS_S_FAILURE);
+-- 
+2.20.1
+

0005-krb5-1.6.3-ktutil-manpage.patch

@@ -0,0 +1,35 @@
+From 08b99cc69debeb8da38854ddd09f62f854f29309 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:14:47 +0100
+Subject: [PATCH 5/9] Import krb5-1.6.3-ktutil-manpage.dif
+
+---
+ src/man/ktutil.man | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/man/ktutil.man b/src/man/ktutil.man
+index 75dee9c56..85a121f5b 100644
+--- a/src/man/ktutil.man
++++ b/src/man/ktutil.man
+@@ -166,6 +166,18 @@ ktutil:
+ .sp
+ See kerberos(7) for a description of Kerberos environment
+ variables.
++.SH REMARKS
++Changes to the keytab are appended to the keytab file (i.e., the keytab file
++is never overwritten).  To directly modify a keytab, save the changes to a
++temporary file and then overwrite the keytab file of interest.
++.TP
++.nf
++Example:
++ktutil> rkt /etc/krb5.keytab
++(modifications to keytab)
++ktutil> wkt /tmp/krb5.newtab
++ktutil> q
++# mv /tmp/krb5.newtab /etc/krb5.keytab
+ .SH SEE ALSO
+ .sp
+ kadmin(1), kdb5_util(8), kerberos(7)
+-- 
+2.20.1
+

0006-krb5-1.12-api.patch

@@ -0,0 +1,40 @@
+From a853fd08ebbb8b46b15abb11c8e11c0390f139b1 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:15:50 +0100
+Subject: [PATCH 6/9] Import krb5-1.12-api.patch
+
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures.  Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+---
+ src/lib/krb5/krb/princ_comp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+index a6936107d..0ed78833b 100644
+--- a/src/lib/krb5/krb/princ_comp.c
++++ b/src/lib/krb5/krb/princ_comp.c
+@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
+     const krb5_data *realm1 = &princ1->realm;
+     const krb5_data *realm2 = &princ2->realm;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++    if (realm1 == NULL || realm2 == NULL)
++        return FALSE;
+     if (realm1->length != realm2->length)
+         return FALSE;
+     if (realm1->length == 0)
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
+     krb5_principal upn2 = NULL;
+     krb5_boolean ret = FALSE;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++
+     if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+         /* Treat UPNs as if they were real principals */
+         if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+-- 
+2.20.1
+

0008-krb5-1.9-debuginfo.patch

@@ -0,0 +1,42 @@
+From 24f176ead80418642bc9a6898f122c03dfb223d1 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:18:16 +0100
+Subject: [PATCH 9/9] Import krb5-1.9-debuginfo.patch
+
+We want to keep these y.tab.c files around because the debuginfo points to
+them.  It would be more elegant at the end to use symbolic links, but that
+could mess up people working in the tree on other things.
+---
+ src/kadmin/cli/Makefile.in                 | 5 +++++
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index adfea6e2b..d1327e400 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
+ # CC_LINK is not meant for compilation and this use may break in the future.
+ datetest: getdate.c
+ 	$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
++
++%.c: %.y
++	$(RM) y.tab.c $@
++	$(YACC.y) $< 
++	$(CP) y.tab.c $@
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436..a22f23c02 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
+ getdate.c: $(GETDATE)
+ 	$(RM) getdate.c y.tab.c
+ 	$(YACC) $(GETDATE)
+-	$(MV) y.tab.c getdate.c
++	$(CP) y.tab.c getdate.c
+ 
+ install:
+ 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+-- 
+2.20.1
+

0009-Ensure-array-count-consistency-in-kadm5-RPC.patch

@@ -0,0 +1,67 @@
+From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+
+ticket: 9099
+version_fixed: 1.20.2
+
+(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3..287cae750 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 			     int v)
+ {
+ 	unsigned int n;
++	bool_t r;
+ 
+ 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ 		return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ 		return (FALSE);
+ 	}
++	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++		return (FALSE);
++	}
+ 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ 		return (FALSE);
+ 	}
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ 		return FALSE;
+ 	}
+ 	n = objp->n_key_data;
+-	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+-		       &n, ~0, sizeof(krb5_key_data),
+-		       xdr_krb5_key_data_nocontents)) {
++	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++	objp->n_key_data = n;
++	if (!r) {
+ 		return (FALSE);
+ 	}
+ 
+-- 
+2.41.0
+

baselibs.conf

@@ -0,0 +1,4 @@
+krb5
+  obsoletes "heimdal-lib-<targettype>"
+  provides  "heimdal-lib-<targettype>"
+krb5-devel

krb5-1.20.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
+ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
+UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
+jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
+6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
+0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
+YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
+SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
+jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
+Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
+CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
+twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
+=1WIq
+-----END PGP SIGNATURE-----

krb5-rpmlintrc

@@ -0,0 +1,8 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
+addFilter("non-etc-or-var-file-marked-as-conffile")

krb5.spec

@@ -0,0 +1,501 @@
+#
+# spec file for package krb5
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           krb5
+Version:        1.20.1
+Release:        150500.3.3.1
+Summary:        MIT Kerberos5 implementation
+License:        MIT
+URL:            https://kerberos.org/dist/
+Source0:        https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
+Source1:        https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source2:        krb5.keyring
+Source3:        vendor-files.tar.bz2
+Source4:        baselibs.conf
+Source5:        krb5-rpmlintrc
+Source6:        ksu-pam.d
+Source7:        krb5.tmpfiles
+Patch1:         0001-ksu-pam-integration.patch
+Patch2:         0002-krb5-1.9-manpaths.patch
+Patch3:         0003-Adjust-build-configuration.patch
+Patch4:         0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5:         0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6:         0006-krb5-1.12-api.patch
+Patch7:         0007-SELinux-integration.patch
+Patch8:         0008-krb5-1.9-debuginfo.patch
+Patch9:         0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+BuildRequires:  autoconf
+BuildRequires:  bison
+BuildRequires:  cyrus-sasl-devel
+BuildRequires:  keyutils
+BuildRequires:  keyutils-devel
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(com_err)
+BuildRequires:  pkgconfig(libselinux)
+BuildRequires:  pkgconfig(libssl)
+BuildRequires:  pkgconfig(libverto)
+BuildRequires:  pkgconfig(ncurses)
+BuildRequires:  pkgconfig(ss)
+BuildRequires:  pkgconfig(systemd)
+# bug437293
+%ifarch ppc64
+Obsoletes:      krb5-64bit
+%endif
+Conflicts:      krb5-mini
+Obsoletes:      krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+
+%package client
+Summary:        Client programs of the MIT Kerberos5 implementation
+Conflicts:      krb5-mini
+
+%description client
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes some required
+client programs, like kinit, kadmin, ...
+
+%package server
+Summary:        Server program of the MIT Kerberos5 implementation
+Requires:       cron
+Requires:       libverto-libev1
+Requires:       logrotate
+Requires:       perl-Date-Calc
+Requires(post): %fillup_prereq
+%{?systemd_requires}
+
+%description server
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes the kdc, kadmind
+and more.
+
+%package plugin-kdb-ldap
+Summary:        LDAP database plugin for MIT Kerberos5
+Requires:       krb5-server = %{version}
+
+%description plugin-kdb-ldap
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords. This package contains the LDAP
+database plugin.
+
+%package plugin-preauth-pkinit
+Summary:        PKINIT preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-pkinit
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a PKINIT plugin.
+
+%package plugin-preauth-otp
+Summary:        OTP preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-otp
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a OTP plugin.
+
+%package plugin-preauth-spake
+Summary:        SPAKE preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-spake
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a SPAKE plugin.
+
+%package doc
+Summary:        Documentation for the MIT Kerberos5 implementation
+
+%description doc
+Kerberos V5 is a trusted-third-party network authentication
+system,which can improve network security by eliminating the
+insecurepractice of clear text passwords. This package includes
+extended documentation for MIT Kerberos.
+
+%package devel
+Summary:        Development files for MIT Kerberos5
+Requires:       %{name} = %{version}
+Requires:       keyutils-devel
+Requires:       pkgconfig(com_err)
+Requires:       pkgconfig(libverto)
+Requires:       pkgconfig(ss)
+# bug437293
+%ifarch ppc64
+Obsoletes:      krb5-devel-64bit
+%endif
+Conflicts:      krb5-mini-devel
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir  %{_defaultdocdir}/krb5
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+%configure \
+        CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+        CPPFLAGS="-I%{_includedir}/et " \
+        SS_LIB="-lss" \
+	--prefix=/usr/lib/mit \
+	--sysconfdir=%{_sysconfdir} \
+	--mandir=%{_mandir} \
+	--infodir=%{_infodir} \
+	--libexecdir=/usr/lib/mit/sbin \
+	--bindir=%{_prefix}/lib/mit/bin \
+	--sbindir=%{_prefix}/lib/mit/sbin \
+	--datadir=%{_prefix}/lib/mit/share \
+	--libdir=%{_libdir} \
+	--includedir=%{_includedir} \
+	--localstatedir=%{_localstatedir}/lib/kerberos \
+	--localedir=%{_datadir}/locale \
+	--enable-shared \
+	--disable-static \
+	--enable-dns-for-realm \
+	--disable-rpath \
+	--with-ldap \
+	--with-pam \
+	--enable-pkinit \
+	--with-crypto-impl=openssl \
+	--with-selinux \
+	--with-system-et \
+	--with-system-ss \
+	--with-system-verto
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
+# And again. krb5-config does not distinguish between libdir, includedir,
+# just exec_prefix. Libraries and headers not installed under /usr/lib/mit
+# prefix (bsc#1174079).
+sed -r -i -e 's|^prefix=%{_prefix}/lib/mit$|prefix=/usr|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+sed -r -i -e 's|^exec_prefix=\$\{prefix\}$|exec_prefix=%{_prefix}/lib/mit|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_sysconfdir}/profile.d/
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.csh
+install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.sh
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+  chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu
+# install systemd files
+%if 0%{?suse_version} >= 1210
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%else
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init  %{buildroot}%{_sysconfdir}/init.d/kpropd
+%endif
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} +
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# create links for kinit and klist, because of the java ones
+ln -sf ../../usr/lib/mit/bin/kinit   %{buildroot}%{_bindir}/kinit
+ln -sf ../../usr/lib/mit/bin/klist   %{buildroot}%{_bindir}/klist
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
+# link pam-config for su to ksu
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d/
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu
+
+# cleanup
+rm -f  %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f  %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle
+rm -rf %{buildroot}%{_prefix}/lib/mit/share/examples
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%preun server
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun server
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post server
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre server
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+%post plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap -p /sbin/ldconfig
+
+%files devel
+%dir %{_prefix}/lib/mit
+%dir %{_prefix}/lib/mit/bin
+%dir %{_prefix}/lib/mit/sbin
+# XXX %dir %{_prefix}/lib/mit/share
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_prefix}/lib/mit/bin/krb5-config
+%{_prefix}/lib/mit/sbin/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add plugin directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+# add log directory
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%attr(0644,root,root) %config /etc/profile.d/krb5*
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/tls/*.so
+
+%files server
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_tmpfilesdir}/krb5.conf
+%dir %{krb5docdir}
+%dir %{_prefix}/lib/mit
+%dir %{_prefix}/lib/mit/sbin
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_fillupdir}/sysconfig.*
+%{_sbindir}/rc*
+%{_prefix}/lib/mit/sbin/kadmin.local
+%{_prefix}/lib/mit/sbin/kadmind
+%{_prefix}/lib/mit/sbin/kpropd
+%{_prefix}/lib/mit/sbin/kproplog
+%{_prefix}/lib/mit/sbin/kprop
+%{_prefix}/lib/mit/sbin/kdb5_util
+%{_prefix}/lib/mit/sbin/krb5kdc
+%{_prefix}/lib/mit/sbin/gss-server
+%{_prefix}/lib/mit/sbin/sim_server
+%{_prefix}/lib/mit/sbin/sserver
+%{_prefix}/lib/mit/sbin/uuserver
+%{_libdir}/krb5/plugins/kdb/db2.so
+%{_mandir}/man5/kdc.conf.5%{?ext_man}
+%{_mandir}/man5/kadm5.acl.5%{?ext_man}
+%{_mandir}/man8/kadmind.8%{?ext_man}
+%{_mandir}/man8/kadmin.local.8%{?ext_man}
+%{_mandir}/man8/kpropd.8%{?ext_man}
+%{_mandir}/man8/kprop.8%{?ext_man}
+%{_mandir}/man8/kproplog.8%{?ext_man}
+%{_mandir}/man8/kdb5_util.8%{?ext_man}
+%{_mandir}/man8/krb5kdc.8%{?ext_man}
+%{_mandir}/man8/sserver.8%{?ext_man}
+
+%files client
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu
+%{_prefix}/lib/mit/bin/kvno
+%{_prefix}/lib/mit/bin/kinit
+%{_prefix}/lib/mit/bin/kdestroy
+%{_prefix}/lib/mit/bin/kpasswd
+%{_prefix}/lib/mit/bin/klist
+%{_prefix}/lib/mit/bin/kadmin
+%{_prefix}/lib/mit/bin/ktutil
+%{_prefix}/lib/mit/bin/k5srvutil
+%{_prefix}/lib/mit/bin/gss-client
+%{_prefix}/lib/mit/bin/ksu
+%{_prefix}/lib/mit/bin/sclient
+%{_prefix}/lib/mit/bin/sim_client
+%{_prefix}/lib/mit/bin/uuclient
+%{_prefix}/lib/mit/bin/kswitch
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/krb5.conf.5%{?ext_man}
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man5/k5identity.5%{?ext_man}
+%{_mandir}/man5/k5login.5%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+
+%files plugin-kdb-ldap
+%dir %{_prefix}/lib/mit/sbin/
+%{_prefix}/lib/mit/sbin/kdb5_ldap_util
+%dir %{_datadir}/kerberos
+%dir %{_datadir}/kerberos/ldap
+%config %{_datadir}/kerberos/ldap/kerberos.schema
+%config %{_datadir}/kerberos/ldap/kerberos.ldif
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%{_libdir}/krb5/plugins/kdb/kldap.so
+%{_libdir}/libkdb_ldap*
+%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man}
+
+%files plugin-preauth-pkinit
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+
+%files plugin-preauth-otp
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
+%files plugin-preauth-spake
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/spake.so
+
+%changelog

krb5.tmpfiles

@@ -0,0 +1,7 @@
+d /var/lib/kerberos 		0755	root	root	-
+d /var/lib/kerberos/krb5	0755	root	root	-
+d /var/lib/kerberos/krb5/user	0755	root	root	-
+d /var/lib/kerberos/krb5kdc	0755	root	root	-
+C /var/lib/kerberos/krb5kdc/kdc.conf	0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl	0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict	0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict

ksu-pam.d

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth     sufficient     pam_rootok.so
+auth     include        common-auth
+account  sufficient     pam_rootok.so
+account  include        common-account
+password include        common-password
+session  optional       pam_keyinit.so force revoke
+session  include        common-session
+session  optional       pam_xauth.so