diff --git a/krb5-1.6.3-post.dif b/krb5-1.6.3-post.dif
new file mode 100644
index 0000000..d136ad3
--- /dev/null
+++ b/krb5-1.6.3-post.dif
@@ -0,0 +1,2869 @@ +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c +@@ -303,6 +303,11 @@ int main(argc, argv) + krb5_boolean realm_name_required = TRUE; + krb5_boolean print_help_message = FALSE; + ++ /* ++ * Ensure that "progname" is set before calling com_err. ++ */ ++ progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); ++ + retval = krb5_init_context(&util_context); + set_com_err_hook(extended_com_err_fn); + if (retval) { +@@ -311,8 +316,6 @@ int main(argc, argv) + goto cleanup; + } + +- progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); +- + cmd_argv = (char **) malloc(sizeof(char *)*argc); + if (cmd_argv == NULL) { + com_err(progname, ENOMEM, "while creating sub-command arguments"); +@@ -344,7 +347,7 @@ int main(argc, argv) + } + } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) +- com_err(argv[0], 0, "%s is an invalid enctype", koptarg); ++ com_err(progname, 0, "%s is an invalid enctype", koptarg); + else + global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { +@@ -466,7 +469,7 @@ int main(argc, argv) + retval = kadm5_get_config_params(util_context, 1, + &global_params, &global_params); + if (retval) { +- com_err(argv[0], retval, "while retreiving configuration parameters"); ++ com_err(progname, retval, "while retreiving configuration parameters"); + exit_status++; + goto cleanup; + } +@@ -474,7 +477,7 @@ int main(argc, argv) + } + + if ((retval = krb5_ldap_lib_init()) != 0) { +- com_err(argv[0], retval, "while initializing error handling"); ++ com_err(progname, retval, "while initializing error handling"); + exit_status++; + goto cleanup; + } +@@ -482,7 +485,7 @@ int main(argc, argv) + /* Initialize the ldap context */ + 
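Review bot: In the nested `@@ -303,6 +303,11 @@` hunk, `progname` is computed from `argv[0]` before any other work in main, with no check that `argc > 0` or that `argv[0]` is non-NULL. A caller that starts the tool with an empty argument vector would hand a NULL pointer to `strrchr`. A guard such as `if (argc < 1 || argv[0] == NULL) progname = "kdb5_ldap_util"; else ...` ahead of the basename step keeps start-up well defined. The expression also calls `strrchr` twice on the same string; keeping the result in a local would read more clearly. main continues outside the hunk.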
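Review bot: In the `-k` branch of the nested `@@ -344,7 +347,7 @@` hunk, an enctype that `krb5_string_to_enctype` rejects is only reported through `com_err`. No `exit_status++` or jump to cleanup follows in the visible lines, so the run appears to continue with whatever enctype was already set. The `@@ -566,7 +569,7 @@` hunk has the same shape: a value failing `krb5_c_valid_enctype` is reported and execution falls out of the `if`. For a tool that sets up realm master keys, failing closed is the safer behaviour: brace the branch and add `exit_status++; goto cleanup;` after each `com_err` call. Both branches sit inside main, which extends beyond these hunks, so confirm that no later check already rejects the value.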
ldap_context = calloc(sizeof(krb5_ldap_context), 1); + if (ldap_context == NULL) { +- com_err(argv[0], ENOMEM, "while initializing ldap handle"); ++ com_err(progname, ENOMEM, "while initializing ldap handle"); + exit_status++; + goto cleanup; + } +@@ -495,7 +498,7 @@ int main(argc, argv) + if (passwd == NULL) { + passwd = (char *)malloc(MAX_PASSWD_LEN); + if (passwd == NULL) { +- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); ++ com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } +@@ -503,7 +506,7 @@ int main(argc, argv) + if (prompt == NULL) { + free(passwd); + passwd = NULL; +- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); ++ com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } +@@ -514,7 +517,7 @@ int main(argc, argv) + db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len); + + if ((db_retval) || (passwd_len == 0)) { +- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); ++ com_err(progname, ENOMEM, "while retrieving ldap configuration"); + free(passwd); + passwd = NULL; + exit_status++; +@@ -530,14 +533,14 @@ int main(argc, argv) + + ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ; + if (ldap_context->server_info_list == NULL) { +- com_err(argv[0], ENOMEM, "while initializing server list"); ++ com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } + + ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); + if (ldap_context->server_info_list[0] == NULL) { +- com_err(argv[0], ENOMEM, "while initializing server list"); ++ com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } +@@ -546,7 +549,7 @@ int main(argc, argv) + + ldap_context->server_info_list[0]->server_name = strdup(ldap_server); + if 
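Review bot: The failure branch after `krb5_read_password` in the nested `@@ -514,7 +517,7 @@` hunk still reports `ENOMEM`, although the condition tested is a read error or an empty password. The operator therefore sees an out-of-memory message for what is an input problem. Passing the real status, e.g. `com_err(progname, db_retval ? db_retval : EINVAL, "while retrieving ldap configuration");`, would make the diagnostic match the cause. The same branch calls `free(passwd)` without clearing the buffer first; since it may already hold typed characters, wiping it before release is the better habit. main continues outside the hunk.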
(ldap_context->server_info_list[0]->server_name == NULL) { +- com_err(argv[0], ENOMEM, "while initializing server list"); ++ com_err(progname, ENOMEM, "while initializing server list"); + exit_status++; + goto cleanup; + } +@@ -554,7 +557,7 @@ int main(argc, argv) + if (bind_dn) { + ldap_context->bind_dn = strdup(bind_dn); + if (ldap_context->bind_dn == NULL) { +- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); ++ com_err(progname, ENOMEM, "while retrieving ldap configuration"); + exit_status++; + goto cleanup; + } +@@ -566,7 +569,7 @@ int main(argc, argv) + if (realm_name_required) { + if ((global_params.enctype != ENCTYPE_UNKNOWN) && + (!krb5_c_valid_enctype(global_params.enctype))) { +- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, ++ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", global_params.enctype); + } + } +@@ -583,7 +586,7 @@ int main(argc, argv) + + db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); + if (db_retval) { +- com_err(argv[0], db_retval, "while reading ldap configuration"); ++ com_err(progname, db_retval, "while reading ldap configuration"); + exit_status++; + goto cleanup; + } +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c +@@ -67,7 +67,7 @@ static krb5_error_code init_ldap_realm ( + retval = krb5_ldap_read_krbcontainer_params (util_context, + &(ldap_context->krbcontainer)); + if (retval != 0) { +- com_err(argv[0], retval, "while reading kerberos container information"); ++ com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; + } + } +@@ -95,7 +95,7 @@ kdb5_ldap_create_policy(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_ldap_policy_params 
*policyparams = NULL; + krb5_boolean print_usage = FALSE; +@@ -322,7 +322,7 @@ kdb5_ldap_destroy_policy(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_ldap_policy_params *policyparams = NULL; + krb5_boolean print_usage = FALSE; +@@ -426,7 +426,7 @@ kdb5_ldap_modify_policy(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_ldap_policy_params *policyparams = NULL; + krb5_boolean print_usage = FALSE; +@@ -683,7 +683,7 @@ kdb5_ldap_view_policy(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_ldap_policy_params *policyparams = NULL; + krb5_error_code retval = 0; + krb5_boolean print_usage = FALSE; +@@ -804,7 +804,7 @@ void kdb5_ldap_list_policies(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_boolean print_usage = FALSE; + char *basedn = NULL; +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +@@ -152,7 +152,7 @@ static int get_ticket_policy(rparams,i,a + krb5_boolean no_msg = FALSE; + + krb5_boolean print_usage = FALSE; +- char *me = argv[0]; ++ char *me = progname; + + time(&now); + if (!strcmp(argv[*i], "-maxtktlife")) { +@@ -364,7 +364,7 @@ void kdb5_ldap_create(argc, argv) + rparams->subtree = list; + } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ +- com_err(argv[0], EINVAL, ++ com_err(progname, EINVAL, + "for subtree while creating realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -376,7 +376,7 @@ void kdb5_ldap_create(argc, argv) + goto err_usage; + if(strncmp(argv[i], "", strlen(argv[i]))==0) { + /* 
dont allow containerref value to be set at the root(NULL, "") of the tree */ +- com_err(argv[0], EINVAL, ++ com_err(progname, EINVAL, + "for container reference while creating realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -401,7 +401,7 @@ void kdb5_ldap_create(argc, argv) + rparams->search_scope = atoi(argv[i]); + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { +- com_err(argv[0], EINVAL, ++ com_err(progname, EINVAL, + "invalid search scope while creating realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -498,7 +498,7 @@ void kdb5_ldap_create(argc, argv) + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, + pw_str, &pw_size); + if (retval) { +- com_err(argv[0], retval, "while reading master key from keyboard"); ++ com_err(progname, retval, "while reading master key from keyboard"); + goto err_nomsg; + } + mkey_password = pw_str; +@@ -516,7 +516,7 @@ void kdb5_ldap_create(argc, argv) + rparams->realm_name = strdup(global_params.realm); + if (rparams->realm_name == NULL) { + retval = ENOMEM; +- com_err(argv[0], ENOMEM, "while creating realm '%s'", ++ com_err(progname, ENOMEM, "while creating realm '%s'", + global_params.realm); + goto err_nomsg; + } +@@ -588,11 +588,11 @@ void kdb5_ldap_create(argc, argv) + retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)); + if (retval) { +- com_err(argv[0], retval, "while reading kerberos container information"); ++ com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; + } + } else if (retval) { +- com_err(argv[0], retval, "while reading kerberos container information"); ++ com_err(progname, retval, "while reading kerberos container information"); + goto cleanup; + } + +@@ -608,7 +608,7 @@ void kdb5_ldap_create(argc, argv) + global_params.realm, + &(ldap_context->lrparams), + &mask))) { +- com_err(argv[0], retval, "while reading information of realm '%s'", ++ com_err(progname, retval, 
"while reading information of realm '%s'", + global_params.realm); + goto err_nomsg; + } +@@ -623,7 +623,7 @@ void kdb5_ldap_create(argc, argv) + global_params.mkey_name, + global_params.realm, + 0, &master_princ))) { +- com_err(argv[0], retval, "while setting up master key name"); ++ com_err(progname, retval, "while setting up master key name"); + goto err_nomsg; + } + +@@ -635,7 +635,7 @@ void kdb5_ldap_create(argc, argv) + pwd.length = strlen(mkey_password); + retval = krb5_principal2salt(util_context, master_princ, &master_salt); + if (retval) { +- com_err(argv[0], retval, "while calculating master key salt"); ++ com_err(progname, retval, "while calculating master key salt"); + goto err_nomsg; + } + +@@ -646,7 +646,7 @@ void kdb5_ldap_create(argc, argv) + free(master_salt.data); + + if (retval) { +- com_err(argv[0], retval, "while transforming master key from password"); ++ com_err(progname, retval, "while transforming master key from password"); + goto err_nomsg; + } + +@@ -689,28 +689,28 @@ void kdb5_ldap_create(argc, argv) + /* Create 'K/M' ... */ + rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; + if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'krbtgt' ... */ + rblock.flags = 0; /* reset the flags */ + if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + + /* Create 'kadmin/admin' ... 
*/ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = ADMIN_LIFETIME; + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); +@@ -718,7 +718,7 @@ void kdb5_ldap_create(argc, argv) + /* Create 'kadmin/changepw' ... */ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = CHANGEPW_LIFETIME; +@@ -726,7 +726,7 @@ void kdb5_ldap_create(argc, argv) + KRB5_KDB_PWCHANGE_SERVICE; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); +@@ -734,26 +734,26 @@ void kdb5_ldap_create(argc, argv) + /* Create 'kadmin/history' ... 
*/ + snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); + if ((retval = krb5_parse_name(util_context, princ_name, &p))) { +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + rblock.max_life = global_params.max_life; + rblock.flags = 0; + if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, p); + + /* Create 'kadmin/' ... */ + if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { +- com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database"); ++ com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); + goto err_nomsg; + } + + if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { +- com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database"); ++ com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); + goto err_nomsg; + } + +@@ -762,7 +762,7 @@ void kdb5_ldap_create(argc, argv) + temp_p->realm.length = strlen(util_context->default_realm); + temp_p->realm.data = strdup(util_context->default_realm); + if (temp_p->realm.data == NULL) { +- com_err(argv[0], ENOMEM, "while adding entries to the database"); ++ com_err(progname, ENOMEM, "while adding entries to the database"); + goto err_nomsg; + } + +@@ -770,7 +770,7 @@ void kdb5_ldap_create(argc, argv) + rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; + if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { + krb5_free_principal(util_context, p); +- com_err(argv[0], retval, "while adding entries to the database"); ++ 
com_err(progname, retval, "while adding entries to the database"); + goto err_nomsg; + } + krb5_free_principal(util_context, temp_p); +@@ -798,7 +798,7 @@ void kdb5_ldap_create(argc, argv) + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -814,7 +814,7 @@ void kdb5_ldap_create(argc, argv) + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -830,7 +830,7 @@ void kdb5_ldap_create(argc, argv) + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -850,7 +850,7 @@ void kdb5_ldap_create(argc, argv) + master_princ, + &master_keyblock, NULL); + if (retval) { +- com_err(argv[0], errno, "while storing key"); ++ com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); + } + } +@@ -879,7 +879,7 @@ cleanup: + + if (retval) { + if (!no_msg) { +- com_err(argv[0], retval, "while creating realm '%s'", ++ com_err(progname, retval, "while creating realm '%s'", + global_params.realm); + } + exit_status++; +@@ -932,7 +932,7 @@ void kdb5_ldap_modify(argc, argv) + + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer)))) { +- com_err(argv[0], retval, "while reading Kerberos container information"); ++ com_err(progname, retval, "while reading Kerberos 
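Review bot: In the nested `@@ -770,7 +770,7 @@` hunk, the error branch of `kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock)` releases `p`, while the success path releases `temp_p`. As far as these lines show, `temp_p` is leaked on failure and the two paths free different objects. If that is not intentional, the error branch should also call `krb5_free_principal(util_context, temp_p);`. kdb5_ldap_create continues outside the hunk, so `p` may be released elsewhere; check that before changing the calls.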
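Review bot: The stash-failure path in the nested `@@ -850,7 +850,7 @@` hunk passes `errno` to `com_err`, although the status the branch tests is `retval`. `errno` may be stale or zero at that point, which produces a misleading message next to the "couldn't stash master key" warning. `com_err(progname, retval, "while storing key");` reports the code that was actually checked. The enclosing kdb5_ldap_create body extends beyond the hunk.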
container information"); + goto err_nomsg; + } + +@@ -986,7 +986,7 @@ void kdb5_ldap_modify(argc, argv) + rparams->subtree = slist; + } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow subtree value to be set at the root(NULL, "") of the tree */ +- com_err(argv[0], EINVAL, ++ com_err(progname, EINVAL, + "for subtree while modifying realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -998,7 +998,7 @@ void kdb5_ldap_modify(argc, argv) + goto err_usage; + if(strncmp(argv[i], "", strlen(argv[i]))==0) { + /* dont allow containerref value to be set at the root(NULL, "") of the tree */ +- com_err(argv[0], EINVAL, ++ com_err(progname, EINVAL, + "for container reference while modifying realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -1024,7 +1024,7 @@ void kdb5_ldap_modify(argc, argv) + if ((rparams->search_scope != 1) && + (rparams->search_scope != 2)) { + retval = EINVAL; +- com_err(argv[0], retval, ++ com_err(progname, retval, + "specified for search scope while modifying information of realm '%s'", + global_params.realm); + goto err_nomsg; +@@ -1529,7 +1529,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_KDC_SERVICE, oldkdcdns[i], + rparams->realm_name, oldsubtrees, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights '%s'", ++ com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1546,7 +1546,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name, + rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1608,7 +1608,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_ADMIN_SERVICE, oldadmindns[i], + rparams->realm_name, oldsubtrees, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights 
'%s'", ++ com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1626,7 +1626,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_ADMIN_SERVICE, newadmindns[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1688,7 +1688,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_PASSWD_SERVICE, oldpwddns[i], + rparams->realm_name, oldsubtrees, rightsmask))) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights '%s'", ++ com_err(progname, retval, "while assigning rights '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1705,7 +1705,7 @@ void kdb5_ldap_modify(argc, argv) + LDAP_PASSWD_SERVICE, newpwddns[i], + rparams->realm_name, rparams->subtree, rightsmask))) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + goto err_nomsg; + } +@@ -1777,7 +1777,7 @@ cleanup: + + if (retval) { + if (!no_msg) +- com_err(argv[0], retval, "while modifying information of realm '%s'", ++ com_err(progname, retval, "while modifying information of realm '%s'", + global_params.realm); + exit_status++; + } +@@ -1804,7 +1804,7 @@ void kdb5_ldap_view(argc, argv) + ldap_context = (krb5_ldap_context *) dal_handle->db_context; + if (!(ldap_context)) { + retval = EINVAL; +- com_err(argv[0], retval, "while initializing database"); ++ com_err(progname, retval, "while initializing database"); + exit_status++; + return; + } +@@ -1812,14 +1812,14 @@ void kdb5_ldap_view(argc, argv) + /* Read the kerberos container information */ + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer))) != 0) { +- com_err(argv[0], retval, "while reading kerberos container information"); 
++ com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; + } + + if ((retval = krb5_ldap_read_realm_params(util_context, + global_params.realm, &rparams, &mask)) || (!rparams)) { +- com_err(argv[0], retval, "while reading information of realm '%s'", ++ com_err(progname, retval, "while reading information of realm '%s'", + global_params.realm); + exit_status++; + return; +@@ -2009,7 +2009,7 @@ void kdb5_ldap_list(argc, argv) + /* Read the kerberos container information */ + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer))) != 0) { +- com_err(argv[0], retval, "while reading kerberos container information"); ++ com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; + } +@@ -2018,7 +2018,7 @@ void kdb5_ldap_list(argc, argv) + if (retval != 0) { + krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); + ldap_context->krbcontainer = NULL; +- com_err (argv[0], retval, "while listing realms"); ++ com_err (progname, retval, "while listing realms"); + exit_status++; + return; + } +@@ -2434,7 +2434,7 @@ kdb5_ldap_destroy(argc, argv) + dal_handle = (kdb5_dal_handle *)util_context->db_context; + ldap_context = (krb5_ldap_context *) dal_handle->db_context; + if (!(ldap_context)) { +- com_err(argv[0], EINVAL, "while initializing database"); ++ com_err(progname, EINVAL, "while initializing database"); + exit_status++; + return; + } +@@ -2442,7 +2442,7 @@ kdb5_ldap_destroy(argc, argv) + /* Read the kerberos container from the LDAP Server */ + if ((retval = krb5_ldap_read_krbcontainer_params(util_context, + &(ldap_context->krbcontainer))) != 0) { +- com_err(argv[0], retval, "while reading kerberos container information"); ++ com_err(progname, retval, "while reading kerberos container information"); + exit_status++; + return; + } +@@ -2450,7 +2450,7 @@ kdb5_ldap_destroy(argc, argv) + /* Read the Realm information from the LDAP Server 
*/ + if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, + &(ldap_context->lrparams), &mask)) != 0) { +- com_err(argv[0], retval, "while reading realm information"); ++ com_err(progname, retval, "while reading realm information"); + exit_status++; + return; + } +@@ -2472,7 +2472,7 @@ kdb5_ldap_destroy(argc, argv) + LDAP_KDC_SERVICE, rparams->kdcservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } +@@ -2487,7 +2487,7 @@ kdb5_ldap_destroy(argc, argv) + LDAP_ADMIN_SERVICE, rparams->adminservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } +@@ -2502,7 +2502,7 @@ kdb5_ldap_destroy(argc, argv) + LDAP_PASSWD_SERVICE, rparams->passwdservers[i], + rparams->realm_name, rparams->subtree, rightsmask)) != 0) { + printf("failed\n"); +- com_err(argv[0], retval, "while assigning rights to '%s'", ++ com_err(progname, retval, "while assigning rights to '%s'", + rparams->realm_name); + return; + } +@@ -2514,7 +2514,7 @@ kdb5_ldap_destroy(argc, argv) + /* Delete the realm container and all the associated principals */ + retval = krb5_ldap_delete_realm(util_context, global_params.realm); + if (retval) { +- com_err(argv[0], retval, "deleting database of '%s'", global_params.realm); ++ com_err(progname, retval, "deleting database of '%s'", global_params.realm); + exit_status++; + return; + } +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h +@@ -58,6 +58,8 @@ + #define 
DESTROY_POLICY 14 + #define LIST_POLICY 15 + ++extern char *progname; ++ + extern int exit_status; + extern krb5_context util_context; + +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -198,7 +198,7 @@ void kdb5_ldap_create_service(argc, argv + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_ldap_service_params *srvparams = NULL; + krb5_boolean print_usage = FALSE; +@@ -496,7 +496,7 @@ void kdb5_ldap_modify_service(argc, argv + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + krb5_ldap_service_params *srvparams = NULL; + krb5_boolean print_usage = FALSE; +@@ -569,7 +569,7 @@ void kdb5_ldap_modify_service(argc, argv + + retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask); + if (retval) { +- com_err(argv[0], retval, "while reading information of service '%s'", ++ com_err(me, retval, "while reading information of service '%s'", + servicedn); + goto err_nomsg; + } +@@ -1061,7 +1061,7 @@ rem_service_entry_from_file(argc, argv, + char *service_object; + { + int st = EINVAL; +- char *me = argv[0]; ++ char *me = progname; + char *tmp_file = NULL; + int tmpfd = -1; + FILE *pfile = NULL; +@@ -1175,7 +1175,7 @@ kdb5_ldap_destroy_service(argc, argv) + if (argv[i+1]) { + stashfilename=strdup(argv[i+1]); + if (stashfilename == NULL) { +- com_err(argv[0], ENOMEM, "while destroying service"); ++ com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } +@@ -1188,7 +1188,7 @@ kdb5_ldap_destroy_service(argc, argv) + if ((argv[i]) && (servicedn == NULL)) { + servicedn=strdup(argv[i]); + if (servicedn == NULL) { +- com_err(argv[0], ENOMEM, "while destroying service"); ++ com_err(progname, ENOMEM, 
"while destroying service"); + exit_status++; + goto cleanup; + } +@@ -1219,7 +1219,7 @@ kdb5_ldap_destroy_service(argc, argv) + + if ((retval = krb5_ldap_read_service(util_context, servicedn, + &lserparams, &mask))) { +- com_err(argv[0], retval, "while destroying service '%s'",servicedn); ++ com_err(progname, retval, "while destroying service '%s'",servicedn); + exit_status++; + goto cleanup; + } +@@ -1227,7 +1227,7 @@ kdb5_ldap_destroy_service(argc, argv) + retval = krb5_ldap_delete_service(util_context, lserparams, servicedn); + + if (retval) { +- com_err(argv[0], retval, "while destroying service '%s'", servicedn); ++ com_err(progname, retval, "while destroying service '%s'", servicedn); + exit_status++; + goto cleanup; + } +@@ -1235,7 +1235,7 @@ kdb5_ldap_destroy_service(argc, argv) + if (stashfilename == NULL) { + stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); + if (stashfilename == NULL) { +- com_err(argv[0], ENOMEM, "while destroying service"); ++ com_err(progname, ENOMEM, "while destroying service"); + exit_status++; + goto cleanup; + } +@@ -1295,13 +1295,13 @@ void kdb5_ldap_view_service(argc, argv) + + servicedn=strdup(argv[1]); + if (servicedn == NULL) { +- com_err(argv[0], ENOMEM, "while viewing service"); ++ com_err(progname, ENOMEM, "while viewing service"); + exit_status++; + goto cleanup; + } + + if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { +- com_err(argv[0], retval, "while viewing service '%s'",servicedn); ++ com_err(progname, retval, "while viewing service '%s'",servicedn); + exit_status++; + goto cleanup; + } +@@ -1338,7 +1338,7 @@ void kdb5_ldap_list_services(argc, argv) + int argc; + char *argv[]; + { +- char *me = argv[0]; ++ char *me = progname; + krb5_error_code retval = 0; + char *basedn = NULL; + char **list = NULL; +@@ -1519,7 +1519,7 @@ kdb5_ldap_set_service_password(argc, arg + krb5_ldap_context *lparams = NULL; + char *file_name = NULL; + char *tmp_file = NULL; +- char *me = argv[0]; ++ char 
*me = progname; + int filelen = 0; + int random_passwd = 0; + int set_dir_pwd = 1; +@@ -1902,7 +1902,7 @@ kdb5_ldap_stash_service_password(argc, a + { + int ret = 0; + unsigned int passwd_len = 0; +- char *me = argv[0]; ++ char *me = progname; + char *service_object = NULL; + char *file_name = NULL, *tmp_file = NULL; + char passwd[MAX_SERVICE_PASSWD_LEN]; +Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +=================================================================== +--- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M.orig ++++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +@@ -73,7 +73,7 @@ set. This means all the ticket options w + The various flags are: + .TP + {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP +-.B -allow_postdated ++.B \-allow_postdated + prohibits principals from obtaining postdated tickets. (Sets the + .SM KRB5_KDB_DISALLOW_POSTDATED + flag.) +@@ -81,7 +81,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP +-.B -allow_forwardable ++.B \-allow_forwardable + prohibits principals from obtaining forwardable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_FORWARDABLE + flag.) +@@ -89,7 +89,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP +-.B -allow_renewable ++.B \-allow_renewable + prohibits principals from obtaining renewable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_RENEWABLE + flag.) +@@ -97,7 +97,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP +-.B -allow_proxiable ++.B \-allow_proxiable + prohibits principals from obtaining proxiable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_PROXIABLE + flag.) +@@ -105,7 +105,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP +-.B -allow_dup_skey ++.B \-allow_dup_skey + Disables user-to-user authentication for principals by prohibiting + principals from obtaining a session key for another user. 
(Sets the + .SM KRB5_KDB_DISALLOW_DUP_SKEY +@@ -119,7 +119,7 @@ requires principals to preauthenticate b + kinit. (Sets the + .SM KRB5_KDB_REQUIRES_PRE_AUTH + flag.) +-.B -requires_preauth ++.B \-requires_preauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP +@@ -128,11 +128,11 @@ requires principals to preauthenticate u + before being allowed to kinit. (Sets the + .SM KRB5_KDB_REQUIRES_HW_AUTH + flag.) +-.B -requires_hwauth ++.B \-requires_hwauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_svr\fP +-.B -allow_svr ++.B \-allow_svr + prohibits the issuance of service tickets for principals. (Sets the + .SM KRB5_KDB_DISALLOW_SVR + flag.) +@@ -208,9 +208,9 @@ Specifies the list of Administration ser + of the Administration service objects separated by colon(:). + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +-create -subtrees o=org -sscope SUB +--r ATHENA.MIT.EDU\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu ++create \-subtrees o=org \-sscope SUB ++\-r ATHENA.MIT.EDU\fP + .nf + Password for "cn=admin,o=org": + Initializing database for realm 'ATHENA.MIT.EDU' +@@ -255,7 +255,7 @@ and no restriction will be set. + The various flags are: + .TP + {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP +-.B -allow_postdated ++.B \-allow_postdated + prohibits principals from obtaining postdated tickets. (Sets the + .SM KRB5_KDB_DISALLOW_POSTDATED + flag.) +@@ -263,7 +263,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP +-.B -allow_forwardable ++.B \-allow_forwardable + prohibits principals from obtaining forwardable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_FORWARDABLE + flag.) +@@ -271,7 +271,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP +-.B -allow_renewable ++.B \-allow_renewable + prohibits principals from obtaining renewable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_RENEWABLE + flag.) +@@ -279,7 +279,7 @@ flag.) 
+ clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP +-.B -allow_proxiable ++.B \-allow_proxiable + prohibits principals from obtaining proxiable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_PROXIABLE + flag.) +@@ -287,7 +287,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP +-.B -allow_dup_skey ++.B \-allow_dup_skey + Disables user-to-user authentication for principals by prohibiting + principals from obtaining a session key for another user. (Sets the + .SM KRB5_KDB_DISALLOW_DUP_SKEY +@@ -301,7 +301,7 @@ requires principals to preauthenticate b + kinit. (Sets the + .SM KRB5_KDB_REQUIRES_PRE_AUTH + flag.) +-.B -requires_preauth ++.B \-requires_preauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP +@@ -310,11 +310,11 @@ requires principals to preauthenticate u + before being allowed to kinit. (Sets the + .SM KRB5_KDB_REQUIRES_HW_AUTH + flag.) +-.B -requires_hwauth ++.B \-requires_hwauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_svr\fP +-.B -allow_svr ++.B \-allow_svr + prohibits the issuance of service tickets for principals. (Sets the + .SM KRB5_KDB_DISALLOW_SVR + flag.) +@@ -406,8 +406,8 @@ Specifies the list of Administration ser + contains the DNs of the Administration service objects separated by a colon (:). + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +-+requires_preauth -r ATHENA.MIT.EDU \fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify +++requires_preauth \-r ATHENA.MIT.EDU \fP + .nf + Password for "cn=admin,o=org": + .fi +@@ -423,8 +423,8 @@ Specifies the Kerberos realm of the data + is used. 
+ .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view +--r ATHENA.MIT.EDU\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view ++\-r ATHENA.MIT.EDU\fP + .nf + Password for "cn=admin,o=org": + Realm Name: ATHENA.MIT.EDU +@@ -450,8 +450,8 @@ Specifies the Kerberos realm of the data + is used. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy +--r ATHENA.MIT.EDU\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy ++\-r ATHENA.MIT.EDU\fP + .nf + Password for "cn=admin,o=org": + Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? +@@ -467,7 +467,7 @@ Lists the name of realms. + .nf + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list\fP + Password for "cn=admin,o=org": + ATHENA.MIT.EDU + OPENLDAP.MIT.EDU +@@ -487,7 +487,7 @@ Specifies the complete path of the servi + Specifies Distinguished name (DN) of the service object whose password is to be stored in file. + .TP + EXAMPLE: +-\fBkdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP ++\fBkdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP + .nf + Password for "cn=service-kdc,o=org": + Re-enter password for "cn=service-kdc,o=org": +@@ -517,7 +517,7 @@ set. This means all the ticket options w + The various flags are: + .TP + {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP +-.B -allow_postdated ++.B \-allow_postdated + prohibits principals from obtaining postdated tickets. (Sets the + .SM KRB5_KDB_DISALLOW_POSTDATED + flag.) +@@ -525,7 +525,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP +-.B -allow_forwardable ++.B \-allow_forwardable + prohibits principals from obtaining forwardable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_FORWARDABLE + flag.) +@@ -533,7 +533,7 @@ flag.) 
+ clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP +-.B -allow_renewable ++.B \-allow_renewable + prohibits principals from obtaining renewable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_RENEWABLE + flag.) +@@ -541,7 +541,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP +-.B -allow_proxiable ++.B \-allow_proxiable + prohibits principals from obtaining proxiable tickets. (Sets the + .SM KRB5_KDB_DISALLOW_PROXIABLE + flag.) +@@ -549,7 +549,7 @@ flag.) + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP +-.B -allow_dup_skey ++.B \-allow_dup_skey + Disables user-to-user authentication for principals by prohibiting + principals from obtaining a session key for another user. (Sets the + .SM KRB5_KDB_DISALLOW_DUP_SKEY +@@ -563,7 +563,7 @@ requires principals to preauthenticate b + kinit. (Sets the + .SM KRB5_KDB_REQUIRES_PRE_AUTH + flag.) +-.B -requires_preauth ++.B \-requires_preauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP +@@ -572,11 +572,11 @@ requires principals to preauthenticate u + before being allowed to kinit. (Sets the + .SM KRB5_KDB_REQUIRES_HW_AUTH + flag.) +-.B -requires_hwauth ++.B \-requires_hwauth + clears this flag. + .TP + {\fB\-\fP|\fB+\fP}\fBallow_svr\fP +-.B -allow_svr ++.B \-allow_svr + prohibits the issuance of service tickets for principals. (Sets the + .SM KRB5_KDB_DISALLOW_SVR + flag.) +@@ -639,7 +639,7 @@ flag on principals in the database. + Specifies the name of the ticket policy. 
+ .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy\fP + .nf + Password for "cn=admin,o=org": + .fi +@@ -657,7 +657,7 @@ returned by + is used. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy\fP + .nf + Password for "cn=admin,o=org": + .fi +@@ -671,7 +671,7 @@ Displays the attributes of a ticket poli + Specifies the name of the ticket policy. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy\fP + .nf + Password for "cn=admin,o=org": + Ticket policy: tktpolicy +@@ -700,7 +700,7 @@ to confirm the deletion. + Specifies the name of the ticket policy. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy\fP + .nf + Password for "cn=admin,o=org": + This will delete the policy object 'tktpolicy', are you sure? +@@ -720,7 +720,7 @@ returned by + is used. 
+ .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list_policy \-r ATHENA.MIT.EDU\fP + .nf + Password for "cn=admin,o=org": + tktpolicy +@@ -735,22 +735,22 @@ userpolicy + \fBsetsrvpw\fP [\fB\-randpw\fP|\fB\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP + Allows an administrator to set password for service objects such as KDC and Administration server in + eDirectory and store them in a file. The +-.I -fileonly ++.I \-fileonly + option stores the password in a file and not in the eDirectory object. Options: + .RS + .TP + \fB\-randpw \fP + Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The +-.I -fileonly ++.I \-fileonly + option can not be used if +-.I -randpw ++.I \-randpw + option is already specified. + .TP + \fB\-fileonly\fP + Stores the password only in a file and not in eDirectory. The +-.I -randpw ++.I \-randpw + option can not be used when +-.I -fileonly ++.I \-fileonly + options is specified. + .TP + \fB\-f\fP\ \fIfilename\fP +@@ -760,7 +760,7 @@ Specifies complete path of the service p + Specifies Distinguished name (DN) of the service object whose password is to be set. + .TP + EXAMPLE: +-\fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile ++\fBkdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile + cn=service-kdc,o=org\fP + .nf + Password for "cn=admin,o=org": +@@ -792,16 +792,16 @@ separated by a colon (:). + .TP + \fB\-randpw \fP + Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. The +-.I -fileonly ++.I \-fileonly + option can not be used if +-.I -randpw ++.I \-randpw + option is specified. 
+ .TP + \fB\-fileonly\fP + Stores the password only in a file and not in eDirectory. The +-.I -randpw ++.I \-randpw + option can not be used when +-.I -fileonly ++.I \-fileonly + option is specified. + .TP + \fB\-f\fP\ \fIfilename\fP +@@ -811,7 +811,7 @@ Specifies the complete path of the file + Specifies Distinguished name (DN) of the Kerberos service to be created. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP + .nf + Password for "cn=admin,o=org": + File does not exist. Creating the file /home/andrew/conf_keyfile... +@@ -855,7 +855,7 @@ realms separated by a colon (:). + Specifies Distinguished name (DN) of the Kerberos service to be modified. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU ++\fBkdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU + cn=service-kdc,o=org\fP + .nf + Password for "cn=admin,o=org": +@@ -871,7 +871,7 @@ Displays the attributes of a service. O + Specifies Distinguished name (DN) of the Kerberos service to be viewed. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org view_service cn=service-kdc,o=org\fP + .nf + Password for "cn=admin,o=org": + Service dn: cn=service-kdc,o=org +@@ -897,7 +897,7 @@ needs to be removed. + Specifies Distinguished name (DN) of the Kerberos service to be destroyed. + .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP + .nf + Password for "cn=admin,o=org": + This will delete the service object 'cn=service-kdc,o=org', are you sure? +@@ -922,7 +922,7 @@ for the base DN is + .B Root. 
+ .TP + EXAMPLE: +-\fBkdb5_ldap_util -D cn=admin,o=org list_service\fP ++\fBkdb5_ldap_util \-D cn=admin,o=org list_service\fP + .nf + Password for "cn=admin,o=org": + cn=service-kdc,o=org +Index: src/plugins/kdb/db2/libdb2/test/run.test +=================================================================== +--- src/plugins/kdb/db2/libdb2/test/run.test.orig ++++ src/plugins/kdb/db2/libdb2/test/run.test +@@ -34,7 +34,7 @@ main() + bindir=/bin/. + + if [ $# -eq 0 ]; then +- for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20; do ++ for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20 40 41; do + test$t + done + else +@@ -45,7 +45,7 @@ main() + [0-9]*) + test$1;; + btree) +- for t in 1 2 3 7 8 9 10 12 13; do ++ for t in 1 2 3 7 8 9 10 12 13 40 41; do + test$t + done;; + hash) +@@ -743,4 +743,162 @@ bsize=$bsize ffactor=$ffactor nelem=2500 + done + } + ++# Test for a weird page split condition where an insertion into index ++# 0 of a page that would cause the new item to be the only item on the ++# left page results in index 0 of the right page being erroneously ++# skipped; this only happens with one particular key+data length for ++# each page size. ++test40 () { ++ echo "Test 40: btree: page split on index 0" ++ e=: ++ for psize in 512 1024 2048 4096 8192; do ++ echo " page size $psize" ++ kdsizes=`awk 'BEGIN { ++ psize = '$psize'; hsize = int(psize/2); ++ for (kdsize = hsize-40; kdsize <= hsize; kdsize++) { ++ print kdsize; ++ } ++ }' /dev/null` ++ ++ # Use a series of keylen+datalen values in the right ++ # neighborhood to find the one that triggers the bug. ++ # We could compute the exact size that triggers the ++ # bug but this additional fuzz may be useful. ++ ++ # Insert keys in reverse order to maximize the chances ++ # for a split on index 0. 
++ ++ for kdsize in $kdsizes; do ++ awk 'BEGIN { ++ kdsize = '$kdsize'; ++ for (i = 8; i-- > 0; ) { ++ s = sprintf("a%03d:%09d", i, kdsize); ++ for (j = 0; j < kdsize-20; j++) { ++ s = s "x"; ++ } ++ printf("p\nka%03d\nd%s\n", i, s); ++ } ++ print "o"; ++ }' /dev/null > $TMP2 ++ sed -n 's/^d//p' $TMP2 | sort > $TMP1 ++ $PROG -o $TMP3 -i psize=$psize btree $TMP2 ++ if (cmp -s $TMP1 $TMP3); then : ++ else ++ echo "test40: btree: page size $psize, \ ++keylen+datalen=$kdsize failed" ++ e='exit 1' ++ fi ++ done ++ done ++ $e ++} ++ ++# Extremely tricky test attempting to replicate some unusual database ++# corruption seen in the field: pieces of the database becoming ++# inaccessible to random access, sequential access, or both. The ++# hypothesis is that at least some of these are triggered by the bug ++# in page splits on index 0 with a particular exact keylen+datalen. ++# (See Test 40.) For psize=4096, this size is exactly 2024. ++ ++# The order of operations here relies on very specific knowledge of ++# the internals of the btree access method in order to place records ++# at specific offsets in a page and to create certain keys on internal ++# pages. 
The to-be-split page immediately prior to the bug-triggering ++# split has the following properties: ++# ++# * is not the leftmost leaf page ++# * key on the parent page is compares less than the key of the item ++# on index 0 ++# * triggering record's key also compares greater than the key on the ++# parent page ++ ++# Additionally, we prime the mpool LRU chain so that the head page on ++# the chain has the following properties: ++# ++# * record at index 0 is located where it will not get overwritten by ++# items written to the right-hand page during the split ++# * key of the record at index 0 compares less than the key of the ++# bug-triggering record ++ ++# If the page-split bug exists, this test appears to create a database ++# where some records are inaccessible to a search, but still remain in ++# the file and are accessible by sequential traversal. At least one ++# record gets duplicated out of sequence. ++ ++test41 () { ++ echo "Test 41: btree: no unsearchables due to page split on index 0" ++ # list of individual retrievals in a variable for easy reuse ++ list=`(for i in a b c d; do ++ for j in 990 998 999; do ++ echo g ${i}${j} 1024 ++ done ++ done; ++ echo g y997 2014 ++ for i in y z; do ++ for j in 998 999; do ++ echo g ${i}${j} 1024 ++ done ++ done)` ++ # Exact number for trigger condition accounts for newlines ++ # retained by dbtest with -ofile but not without; we use ++ # -ofile, so count newlines. keylen=5,datalen=5+2014 for ++ # psize=4096 here. 
++ (cat - < $TMP2 ++ (echo "$list"; echo "$list") | awk '{ ++ s = $2; ++ for (i = 0; i < $3; i++) { ++ s = s "x"; ++ } ++ print s; ++ }' > $TMP1 ++ $PROG -o $TMP3 -i psize=4096 btree $TMP2 ++ if (cmp -s $TMP1 $TMP3); then : ++ else ++ echo "test41: btree: failed" ++ exit 1 ++ fi ++} ++ + main $* +Index: src/plugins/kdb/db2/libdb2/mpool/mpool.c +=================================================================== +--- src/plugins/kdb/db2/libdb2/mpool/mpool.c.orig ++++ src/plugins/kdb/db2/libdb2/mpool/mpool.c +@@ -377,7 +377,7 @@ mpool_bkt(mp) + head = &mp->hqh[HASHKEY(bp->pgno)]; + CIRCLEQ_REMOVE(head, bp, hq); + CIRCLEQ_REMOVE(&mp->lqh, bp, q); +-#ifdef DEBUG ++#if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT) + { void *spage; + spage = bp->page; + memset(bp, 0xff, sizeof(BKT) + mp->pagesize); +Index: src/plugins/kdb/db2/libdb2/btree/bt_debug.c +=================================================================== +--- src/plugins/kdb/db2/libdb2/btree/bt_debug.c.orig ++++ src/plugins/kdb/db2/libdb2/btree/bt_debug.c +@@ -257,7 +257,8 @@ __bt_dpage(dbp, h) + *(db_pgno_t *)bl->bytes, + *(u_int32_t *)(bl->bytes + sizeof(db_pgno_t))); + else if (bl->ksize) +- (void)fprintf(tracefp, "%s/", bl->bytes); ++ (void)fprintf(tracefp, "%.*s/", ++ (int)bl->ksize, bl->bytes); + if (bl->flags & P_BIGDATA) + (void)fprintf(tracefp, + "big data page %lu size %u", +Index: src/plugins/kdb/db2/libdb2/btree/bt_split.c +=================================================================== +--- src/plugins/kdb/db2/libdb2/btree/bt_split.c.orig ++++ src/plugins/kdb/db2/libdb2/btree/bt_split.c +@@ -727,7 +727,7 @@ bt_psplit(t, h, l, r, pskip, ilen) + * the right page. 
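Review bot: The new guard `#if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT)` in mpool_bkt introduces a macro that nothing in the hunk explains, so a reader cannot tell why the 0xff poisoning of a recycled buffer is switched off. With DEBUG_IDX0SPLIT defined, a DEBUG build no longer overwrites the stale page bytes, which is presumably what lets test 41 reproduce the index-0 split bug. A comment above the `#if`, such as `/* DEBUG_IDX0SPLIT: leave stale page contents in place so the index-0 split regression test can observe them */`, would record that intent. mpool_bkt starts and ends outside the hunk.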
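Review bot: The cast `(int)bl->ksize` in the new `"%.*s/"` call in __bt_dpage can yield a negative precision when ksize is large, and printf treats a negative precision as if none were given, which brings back the unbounded read past the key that this change removes. The cast suggests ksize is an unsigned field read from the page being dumped, so a damaged page could supply such a value. Clamping first, e.g. `(int)(bl->ksize > INT_MAX ? INT_MAX : bl->ksize)`, keeps the bound in place. The function continues outside the hunk, so any other branch that still prints page bytes with a bare `%s` would need the same treatment.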
+ */ + if (skip <= off) { +- skip = 0; ++ skip = (indx_t)-1; + rval = l; + } else { + rval = r; +@@ -737,7 +737,7 @@ bt_psplit(t, h, l, r, pskip, ilen) + for (off = 0; nxt < top; ++off) { + if (skip == nxt) { + ++off; +- skip = 0; ++ skip = (indx_t)-1; + } + switch (h->flags & P_TYPE) { + case P_BINTERNAL: +Index: src/plugins/preauth/pkinit/configure.in +=================================================================== +--- src/plugins/preauth/pkinit/configure.in.orig ++++ src/plugins/preauth/pkinit/configure.in +@@ -6,8 +6,6 @@ AC_CHECK_HEADERS(unistd.h) + AC_TYPE_MODE_T + AC_TYPE_OFF_T + +-AC_CHECK_FUNCS() +- + # XXX This is incorrect, but should cause -lcrypto to be included by default + AC_CHECK_LIB(crypto, PKCS7_get_signer_info) + +Index: src/appl/gssftp/ftp/ftp.M +=================================================================== +--- src/appl/gssftp/ftp/ftp.M.orig ++++ src/appl/gssftp/ftp/ftp.M +@@ -537,7 +537,7 @@ $1.$2 and the remote file name "mydata.d + "mydata", and $2 would have the value "data". The + .I outpattern + determines the resulting mapped filename. The sequences `$1', `$2', +-...., `$9' are replaced by any value resulting from the ++\&..., `$9' are replaced by any value resulting from the + .I inpattern + template. The sequence `$0' is replace by the original filename. + Additionally, the sequence `[\fIseq1\fP, \fIseq2\fP]' is replaced by +Index: src/appl/bsd/v4rcp.M +=================================================================== +--- src/appl/bsd/v4rcp.M.orig ++++ src/appl/bsd/v4rcp.M +@@ -1,5 +1,5 @@ + .\" appl/bsd/v4rcp.M +-.TH RCP 1 \*h ++.TH V4RCP 1 + .SH NAME + v4rcp \- back end for Kerberos V4 rcp + .SH SYNOPSIS +Index: src/appl/telnet/telnet/telnet.1 +=================================================================== +--- src/appl/telnet/telnet/telnet.1.orig ++++ src/appl/telnet/telnet/telnet.1 +@@ -625,7 +625,7 @@ Sends the + .TP + .B escape + Sends the current +-.b telnet ++.B telnet + escape character (initially ``^''. 
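Review bot: The sentinel `(indx_t)-1` that replaces `skip = 0` in bt_psplit is written out by hand here and again in the `if (skip == nxt)` branch of the next hunk, with no comment on why 0 was wrong. Since `skip` is compared against `nxt`, and 0 is a valid index, resetting to 0 makes the copy loop skip index 0 a second time, which is the corruption the test 40 comment describes. A named constant used in both places, e.g. `#define SKIP_NONE ((indx_t)-1) /* no slot left to skip; 0 is a valid index */`, would make that invariant visible. This assumes indx_t is unsigned and a page never holds that many entries; bt_psplit starts and ends outside both hunks.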
+ .TP + .B ga +@@ -761,7 +761,7 @@ character. + If + .B telnet + is in +-.b localchars ++.B localchars + mode (see + .B toggle localchars + below), +@@ -1296,9 +1296,9 @@ is omitted, then an interactive subshell + .TP + \fB\&?\fP \fIcommand\fP + Get help. With no arguments, +-.b telnet ++.B telnet + prints a help summary. If a command is specified, +-.b telnet ++.B telnet + will print the help information for just that command. + .SH ENVIRONMENT + .B Telnet +Index: src/clients/kpasswd/kpasswd.M +=================================================================== +--- src/clients/kpasswd/kpasswd.M.orig ++++ src/clients/kpasswd/kpasswd.M +@@ -21,8 +21,7 @@ + .\" this software for any purpose. It is provided "as is" without express + .\" or implied warranty. + .\" " +-.\.so man1/header.doc +-.TH KPASSWD 1 \*h ++.TH KPASSWD 1 + .SH NAME + kpasswd \- change a user's Kerberos password + .SH SYNOPSIS +Index: src/gen-manpages/k5login.M +=================================================================== +--- src/gen-manpages/k5login.M.orig ++++ src/gen-manpages/k5login.M +@@ -1,6 +1,6 @@ + .TH .K5LOGIN 5 + .SH NAME +-.k5login \- Kerberos V5 acl file for host access. ++\&.k5login \- Kerberos V5 acl file for host access. 
+ .SH DESCRIPTION + The + .B .k5login +Index: src/kadmin/dbutil/kdb5_destroy.c +=================================================================== +--- src/kadmin/dbutil/kdb5_destroy.c.orig ++++ src/kadmin/dbutil/kdb5_destroy.c +@@ -60,19 +60,16 @@ kdb5_destroy(argc, argv) + retval1 = kadm5_init_krb5_context(&context); + if( retval1 ) + { +- com_err(argv[0], retval1, "while initializing krb5_context"); ++ com_err(progname, retval1, "while initializing krb5_context"); + exit(1); + } + + if ((retval1 = krb5_set_default_realm(context, + util_context->default_realm))) { +- com_err(argv[0], retval1, "while setting default realm name"); ++ com_err(progname, retval1, "while setting default realm name"); + exit(1); + } + +- if (strrchr(argv[0], '/')) +- argv[0] = strrchr(argv[0], '/')+1; +- + dbname = global_params.dbname; + + optind = 1; +@@ -102,7 +99,7 @@ kdb5_destroy(argc, argv) + + retval1 = krb5_db_destroy(context, db5util_db_args); + if (retval1) { +- com_err(argv[0], retval1, "deleting database '%s'",dbname); ++ com_err(progname, retval1, "deleting database '%s'",dbname); + exit_status++; return; + } + +Index: src/kadmin/dbutil/dump.c +=================================================================== +--- src/kadmin/dbutil/dump.c.orig ++++ src/kadmin/dbutil/dump.c +@@ -1016,7 +1016,6 @@ dump_db(argc, argv) + { + FILE *f; + struct dump_args arglist; +- char *programname; + char *ofile; + krb5_error_code kret, retval; + dump_version *dump; +@@ -1027,9 +1026,6 @@ dump_db(argc, argv) + /* + * Parse the arguments. + */ +- programname = argv[0]; +- if (strrchr(programname, (int) '/')) +- programname = strrchr(argv[0], (int) '/') + 1; + ofile = (char *) NULL; + dump = &r1_3_version; + arglist.verbose = 0; +@@ -1081,7 +1077,7 @@ dump_db(argc, argv) + * to be opened if we try a dump that uses it. 
+ */ + if (!dbactive) { +- com_err(argv[0], 0, Err_no_database); ++ com_err(progname, 0, Err_no_database); + exit_status++; + return; + } +@@ -1099,7 +1095,7 @@ dump_db(argc, argv) + (char *) NULL, 0, + &master_keyblock); + if (retval) { +- com_err(argv[0], retval, ++ com_err(progname, retval, + "while reading master key"); + exit(1); + } +@@ -1107,7 +1103,7 @@ dump_db(argc, argv) + master_princ, + &master_keyblock); + if (retval) { +- com_err(argv[0], retval, ++ com_err(progname, retval, + "while verifying master key"); + exit(1); + } +@@ -1124,7 +1120,7 @@ dump_db(argc, argv) + TRUE, + new_mkey_file, 0, + &new_master_keyblock))) { +- com_err(argv[0], retval, "while reading new master key"); ++ com_err(progname, retval, "while reading new master key"); + exit(1); + } + } +@@ -1150,7 +1146,7 @@ dump_db(argc, argv) + unlink(ofile); + if (!(f = fopen(ofile, "w"))) { + fprintf(stderr, ofopen_error, +- programname, ofile, error_message(errno)); ++ progname, ofile, error_message(errno)); + exit_status++; + return; + } +@@ -1158,7 +1154,7 @@ dump_db(argc, argv) + fileno(f), + KRB5_LOCKMODE_EXCLUSIVE))) { + fprintf(stderr, oflock_error, +- programname, ofile, error_message(kret)); ++ progname, ofile, error_message(kret)); + exit_status++; + } + else +@@ -1167,7 +1163,7 @@ dump_db(argc, argv) + f = stdout; + } + if (f && !(kret)) { +- arglist.programname = programname; ++ arglist.programname = progname; + arglist.ofile = f; + arglist.kcontext = util_context; + fprintf(arglist.ofile, "%s", dump->header); +@@ -1179,13 +1175,13 @@ dump_db(argc, argv) + dump->dump_princ, + (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ + fprintf(stderr, dumprec_err, +- programname, dump->name, error_message(kret)); ++ progname, dump->name, error_message(kret)); + exit_status++; + } + if (dump->dump_policy && + (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, + &arglist))) { +- fprintf(stderr, dumprec_err, programname, dump->name, ++ 
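Review bot: The `unlink(ofile)` followed by `fopen(ofile, "w")` around the changed `fprintf` in dump_db creates the dump file non-atomically and with permissions that depend on the caller's umask. The file receives whatever `dump->dump_princ` writes, which for a KDC database presumably includes principal key material, so it should be created exclusively and owner-only: `fd = open(ofile, O_WRONLY|O_CREAT|O_EXCL, 0600); f = (fd < 0) ? NULL : fdopen(fd, "w");`. That needs `<fcntl.h>` and a local `int fd`. dump_db starts and ends outside the hunk, so the rest of the flow was not checked.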
fprintf(stderr, dumprec_err, progname, dump->name, + error_message(kret)); + exit_status++; + } +@@ -2126,7 +2122,6 @@ load_db(argc, argv) + FILE *f; + extern char *optarg; + extern int optind; +- char *programname; + char *dumpfile; + char *dbname; + char *dbname_tmp; +@@ -2140,9 +2135,6 @@ load_db(argc, argv) + /* + * Parse the arguments. + */ +- programname = argv[0]; +- if (strrchr(programname, (int) '/')) +- programname = strrchr(argv[0], (int) '/') + 1; + dumpfile = (char *) NULL; + dbname = global_params.dbname; + load = NULL; +@@ -2180,7 +2172,7 @@ load_db(argc, argv) + + if (!(dbname_tmp = (char *) malloc(strlen(dbname)+ + strlen(dump_tmptrail)+1))) { +- fprintf(stderr, no_name_mem_fmt, argv[0]); ++ fprintf(stderr, no_name_mem_fmt, progname); + exit_status++; + return; + } +@@ -2191,7 +2183,7 @@ load_db(argc, argv) + * Initialize the Kerberos context and error tables. + */ + if ((kret = kadm5_init_krb5_context(&kcontext))) { +- fprintf(stderr, ctx_err_fmt, programname); ++ fprintf(stderr, ctx_err_fmt, progname); + free(dbname_tmp); + exit_status++; + return; +@@ -2199,7 +2191,7 @@ load_db(argc, argv) + + if( (kret = krb5_set_default_realm(kcontext, util_context->default_realm)) ) + { +- fprintf(stderr, "%s: Unable to set the default realm\n", programname); ++ fprintf(stderr, "%s: Unable to set the default realm\n", progname); + free(dbname_tmp); + exit_status++; + return; +@@ -2210,14 +2202,14 @@ load_db(argc, argv) + */ + if (dumpfile) { + if ((f = fopen(dumpfile, "r")) == NULL) { +- fprintf(stderr, dfile_err_fmt, programname, dumpfile, ++ fprintf(stderr, dfile_err_fmt, progname, dumpfile, + error_message(errno)); + exit_status++; + return; + } + if ((kret = krb5_lock_file(kcontext, fileno(f), + KRB5_LOCKMODE_SHARED))) { +- fprintf(stderr, "%s: Cannot lock %s: %s\n", programname, ++ fprintf(stderr, "%s: Cannot lock %s: %s\n", progname, + dumpfile, error_message(errno)); + exit_status++; + return; +@@ -2233,7 +2225,7 @@ load_db(argc, argv) + if (load) { + 
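Review bot: The lock-failure message in load_db prints `error_message(errno)` although the failure code was stored in `kret` by `krb5_lock_file`, so the text can describe an unrelated error; the continuation line should read `dumpfile, error_message(kret));`. Both early returns in this hunk (the `fopen` failure and the lock failure) also leave without `free(dbname_tmp)`, which the earlier error paths in the same function do call, and the lock-failure path does not `fclose(f)`. load_db continues outside the hunk, so this is based on the visible paths only.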
/* only check what we know; some headers only contain a prefix */ + if (strncmp(buf, load->header, strlen(load->header)) != 0) { +- fprintf(stderr, head_bad_fmt, programname, dumpfile); ++ fprintf(stderr, head_bad_fmt, progname, dumpfile); + exit_status++; + if (dumpfile) fclose(f); + return; +@@ -2252,7 +2244,7 @@ load_db(argc, argv) + strlen(ov_version.header)) == 0) + load = &ov_version; + else { +- fprintf(stderr, head_bad_fmt, programname, dumpfile); ++ fprintf(stderr, head_bad_fmt, progname, dumpfile); + exit_status++; + if (dumpfile) fclose(f); + return; +@@ -2260,7 +2252,7 @@ load_db(argc, argv) + } + if (load->updateonly && !update) { + fprintf(stderr, "%s: dump version %s can only be loaded with the " +- "-update flag\n", programname, load->name); ++ "-update flag\n", progname, load->name); + exit_status++; + return; + } +@@ -2277,7 +2269,7 @@ load_db(argc, argv) + + if ((kret = kadm5_get_config_params(kcontext, 1, + &newparams, &newparams))) { +- com_err(argv[0], kret, ++ com_err(progname, kret, + "while retreiving new configuration parameters"); + exit_status++; + return; +@@ -2301,11 +2293,11 @@ load_db(argc, argv) + */ + + if (emsg != NULL) { +- fprintf(stderr, "%s: %s\n", programname, emsg); ++ fprintf(stderr, "%s: %s\n", progname, emsg); + krb5_free_error_message (kcontext, emsg); + } else { + fprintf(stderr, dbcreaterr_fmt, +- programname, dbname, error_message(kret)); ++ progname, dbname, error_message(kret)); + } + exit_status++; + kadm5_free_config_params(kcontext, &newparams); +@@ -2326,11 +2318,11 @@ load_db(argc, argv) + */ + + if (emsg != NULL) { +- fprintf(stderr, "%s: %s\n", programname, emsg); ++ fprintf(stderr, "%s: %s\n", progname, emsg); + krb5_free_error_message (kcontext, emsg); + } else { + fprintf(stderr, dbinit_err_fmt, +- programname, error_message(kret)); ++ progname, error_message(kret)); + } + exit_status++; + goto error; +@@ -2349,7 +2341,7 @@ load_db(argc, argv) + */ + if (kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, 
"%s: %s while permanently locking database\n", +- programname, error_message(kret)); ++ progname, error_message(kret)); + exit_status++; + goto error; + } +@@ -2357,10 +2349,10 @@ load_db(argc, argv) + else + db_locked = 1; + +- if (restore_dump(programname, kcontext, (dumpfile) ? dumpfile : stdin_name, ++ if (restore_dump(progname, kcontext, (dumpfile) ? dumpfile : stdin_name, + f, verbose, load)) { + fprintf(stderr, restfail_fmt, +- programname, load->name); ++ progname, load->name); + exit_status++; + } + +@@ -2373,14 +2365,14 @@ load_db(argc, argv) + if (db_locked && (kret = krb5_db_unlock(kcontext))) { + /* change this error? */ + fprintf(stderr, dbunlockerr_fmt, +- programname, dbname, error_message(kret)); ++ progname, dbname, error_message(kret)); + exit_status++; + } + + #if 0 + if ((kret = krb5_db_fini(kcontext))) { + fprintf(stderr, close_err_fmt, +- programname, error_message(kret)); ++ progname, error_message(kret)); + exit_status++; + } + #endif +@@ -2395,7 +2387,7 @@ load_db(argc, argv) + */ + if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, "%s: cannot make newly loaded database live (%s)\n", +- programname, error_message(kret)); ++ progname, error_message(kret)); + exit_status++; + } + } +@@ -2416,7 +2408,7 @@ error: + */ + if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, dbdelerr_fmt, +- programname, dbname, error_message(kret)); ++ progname, dbname, error_message(kret)); + exit_status++; + } + } +Index: src/kadmin/dbutil/kdb5_create.c +=================================================================== +--- src/kadmin/dbutil/kdb5_create.c.orig ++++ src/kadmin/dbutil/kdb5_create.c +@@ -162,9 +162,6 @@ void kdb5_create(argc, argv) + int do_stash = 0; + krb5_data pwd, seed; + +- if (strrchr(argv[0], '/')) +- argv[0] = strrchr(argv[0], '/')+1; +- + while ((optchar = getopt(argc, argv, "s")) != -1) { + switch(optchar) { + case 's': +@@ -193,7 +190,7 @@ void kdb5_create(argc, argv) + printf ("Loading random 
data\n"); + retval = krb5_c_random_os_entropy (util_context, 1, NULL); + if (retval) { +- com_err (argv[0], retval, "Loading random data"); ++ com_err (progname, retval, "Loading random data"); + exit_status++; return; + } + +@@ -203,7 +200,7 @@ void kdb5_create(argc, argv) + global_params.mkey_name, + global_params.realm, + &mkey_fullname, &master_princ))) { +- com_err(argv[0], retval, "while setting up master key name"); ++ com_err(progname, retval, "while setting up master key name"); + exit_status++; return; + } + +@@ -229,7 +226,7 @@ master key name '%s'\n", + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, + pw_str, &pw_size); + if (retval) { +- com_err(argv[0], retval, "while reading master key from keyboard"); ++ com_err(progname, retval, "while reading master key from keyboard"); + exit_status++; return; + } + mkey_password = pw_str; +@@ -239,14 +236,14 @@ master key name '%s'\n", + pwd.length = strlen(mkey_password); + retval = krb5_principal2salt(util_context, master_princ, &master_salt); + if (retval) { +- com_err(argv[0], retval, "while calculating master key salt"); ++ com_err(progname, retval, "while calculating master key salt"); + exit_status++; return; + } + + retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, + &pwd, &master_salt, &master_keyblock); + if (retval) { +- com_err(argv[0], retval, "while transforming master key from password"); ++ com_err(progname, retval, "while transforming master key from password"); + exit_status++; return; + } + +@@ -256,28 +253,28 @@ master key name '%s'\n", + seed.data = master_keyblock.contents; + + if ((retval = krb5_c_random_seed(util_context, &seed))) { +- com_err(argv[0], retval, "while initializing random key generator"); ++ com_err(progname, retval, "while initializing random key generator"); + exit_status++; return; + } + if ((retval = krb5_db_create(util_context, + db5util_db_args))) { +- com_err(argv[0], retval, "while creating database '%s'", ++ 
com_err(progname, retval, "while creating database '%s'", + global_params.dbname); + exit_status++; return; + } + /* if ((retval = krb5_db_fini(util_context))) { */ +-/* com_err(argv[0], retval, "while closing current database"); */ ++/* com_err(progname, retval, "while closing current database"); */ + /* exit_status++; return; */ + /* } */ + /* if ((retval = krb5_db_open(util_context, db5util_db_args, KRB5_KDB_OPEN_RW))) { */ +-/* com_err(argv[0], retval, "while initializing the database '%s'", */ ++/* com_err(progname, retval, "while initializing the database '%s'", */ + /* global_params.dbname); */ + /* exit_status++; return; */ + /* } */ + if ((retval = add_principal(util_context, master_princ, MASTER_KEY, &rblock)) || + (retval = add_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { + (void) krb5_db_fini(util_context); +- com_err(argv[0], retval, "while adding entries to the database"); ++ com_err(progname, retval, "while adding entries to the database"); + exit_status++; return; + } + /* +@@ -291,7 +288,7 @@ master key name '%s'\n", + &master_keyblock, + mkey_password); + if (retval) { +- com_err(argv[0], errno, "while storing key"); ++ com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); + } + /* clean up */ +Index: src/kadmin/dbutil/kdb5_util.c +=================================================================== +--- src/kadmin/dbutil/kdb5_util.c.orig ++++ src/kadmin/dbutil/kdb5_util.c +@@ -186,16 +186,18 @@ int main(argc, argv) + + set_com_err_hook(extended_com_err_fn); + ++ /* ++ * Ensure that "progname" is set before calling com_err. ++ */ ++ progname = (strrchr(argv[0], '/') ? ++ strrchr(argv[0], '/') + 1 : argv[0]); ++ + retval = kadm5_init_krb5_context(&util_context); + if (retval) { + com_err (progname, retval, "while initializing Kerberos code"); + exit(1); + } + +-/* initialize_adb_error_table(); */ +- +- progname = (strrchr(argv[0], '/') ? 
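Review bot: In the kdb5_create.c hunk at -291 the "while storing key" report still passes `errno` to com_err although the failure is detected through `retval`, so the message may describe a stale or unrelated errno value. Unless the store routine is known to report only through errno, the line would read better as `com_err(progname, retval, "while storing key");`. The same pattern appears in the kdb5_stash.c hunk at -164, where the `retval = krb5_db_store_master_key(...)` call is visible directly above the check. In kdb5_create.c the call itself starts above the hunk.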
strrchr(argv[0], '/')+1 : argv[0]); +- + cmd_argv = (char **) malloc(sizeof(char *)*argc); + if (cmd_argv == NULL) { + com_err(progname, ENOMEM, "while creating sub-command arguments"); +@@ -245,7 +247,7 @@ int main(argc, argv) + } + } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { + if (krb5_string_to_enctype(koptarg, &global_params.enctype)) +- com_err(argv[0], 0, "%s is an invalid enctype", koptarg); ++ com_err(progname, 0, "%s is an invalid enctype", koptarg); + else + global_params.mask |= KADM5_CONFIG_ENCTYPE; + } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { +@@ -287,7 +289,7 @@ int main(argc, argv) + retval = kadm5_get_config_params(util_context, 1, + &global_params, &global_params); + if (retval) { +- com_err(argv[0], retval, "while retreiving configuration parameters"); ++ com_err(progname, retval, "while retreiving configuration parameters"); + exit(1); + } + +@@ -300,7 +302,7 @@ int main(argc, argv) + master_keyblock.enctype = global_params.enctype; + if ((master_keyblock.enctype != ENCTYPE_UNKNOWN) && + (!krb5_c_valid_enctype(master_keyblock.enctype))) { +- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, ++ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", master_keyblock.enctype); + } + +@@ -334,13 +336,13 @@ void set_dbname(argc, argv) + + if (argc < 3) { + com_err(argv[0], 0, "Too few arguments"); +- com_err(argv[0], 0, "Usage: %s dbpathname realmname", argv[0]); ++ com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]); + exit_status++; + return; + } + if (dbactive) { + if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { +- com_err(argv[0], retval, "while closing previous database"); ++ com_err(progname, retval, "while closing previous database"); + exit_status++; + return; + } +@@ -353,7 +355,7 @@ void set_dbname(argc, argv) + dbactive = FALSE; + } + +- (void) set_dbname_help(argv[0], argv[1]); ++ (void) set_dbname_help(progname, argv[1]); + return; + } + #endif +@@ -425,6 +427,7 @@ 
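Review bot: The first call in the set_dbname hunk, `com_err(argv[0], 0, "Too few arguments");`, is left on argv[0] while the next line and the rest of the function move to progname, so the two messages printed for one error can carry different prefixes. For consistency it should be `com_err(progname, 0, "Too few arguments");`. Keeping argv[0] as the `%s` argument of the usage string is reasonable, since that is the sub-command name. The trailing `#endif` in the following hunk suggests this function is conditionally compiled, so the inconsistency may only show in some builds.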
static int open_db_and_mkey() + retval = krb5_principal2salt(util_context, master_princ, &scratch); + if (retval) { + com_err(progname, retval, "while calculated master key salt"); ++ exit_status++; + return(1); + } + +@@ -442,6 +445,7 @@ static int open_db_and_mkey() + if (retval) { + com_err(progname, retval, + "while transforming master key from password"); ++ exit_status++; + return(1); + } + free(scratch.data); +@@ -519,7 +523,7 @@ add_random_key(argc, argv) + krb5_int32 num_keysalts = 0; + + int free_keysalts; +- char *me = argv[0]; ++ char *me = progname; + char *ks_str = NULL; + char *pr_str; + +Index: src/kadmin/dbutil/kdb5_stash.c +=================================================================== +--- src/kadmin/dbutil/kdb5_stash.c.orig ++++ src/kadmin/dbutil/kdb5_stash.c +@@ -82,19 +82,16 @@ kdb5_stash(argc, argv) + char *keyfile = 0; + krb5_context context; + +- if (strrchr(argv[0], '/')) +- argv[0] = strrchr(argv[0], '/')+1; +- + retval = kadm5_init_krb5_context(&context); + if( retval ) + { +- com_err(argv[0], retval, "while initializing krb5_context"); ++ com_err(progname, retval, "while initializing krb5_context"); + exit(1); + } + + if ((retval = krb5_set_default_realm(context, + util_context->default_realm))) { +- com_err(argv[0], retval, "while setting default realm name"); ++ com_err(progname, retval, "while setting default realm name"); + exit(1); + } + +@@ -119,10 +116,10 @@ kdb5_stash(argc, argv) + if (!krb5_c_valid_enctype(master_keyblock.enctype)) { + char tmp[32]; + if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp))) +- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, ++ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, + "while setting up enctype %d", master_keyblock.enctype); + else +- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp); ++ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp); + exit_status++; return; + } + +@@ -130,14 +127,14 @@ kdb5_stash(argc, argv) + retval = krb5_db_setup_mkey_name(context, mkey_name, realm, + 
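Review bot: The error path in the second open_db_and_mkey hunk returns before the `free(scratch.data);` that follows the check, so the salt obtained from krb5_principal2salt is not released when the key transformation fails. Adding `free(scratch.data);` ahead of `return(1);` would keep the new exit_status accounting and the cleanup together. The function starts and ends outside the hunk, so any further state that needs releasing on this path is not visible here.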
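Review bot: In the kdb5_stash hunk at -119, `com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp);` passes a runtime buffer as the format string. `tmp` is filled by krb5_enctype_to_string and not by the user, but a `%` in an enctype name would still be interpreted as a conversion. The literal-format form `com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "%s", tmp);` avoids that and lets -Wformat check the call.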
&mkey_fullname, &master_princ); + if (retval) { +- com_err(argv[0], retval, "while setting up master key name"); ++ com_err(progname, retval, "while setting up master key name"); + exit_status++; return; + } + + retval = krb5_db_open(context, db5util_db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_OTHER); + if (retval) { +- com_err(argv[0], retval, "while initializing the database '%s'", ++ com_err(progname, retval, "while initializing the database '%s'", + dbname); + exit_status++; return; + } +@@ -148,7 +145,7 @@ kdb5_stash(argc, argv) + TRUE, FALSE, (char *) NULL, + 0, &master_keyblock); + if (retval) { +- com_err(argv[0], retval, "while reading master key"); ++ com_err(progname, retval, "while reading master key"); + (void) krb5_db_fini(context); + exit_status++; return; + } +@@ -156,7 +153,7 @@ kdb5_stash(argc, argv) + retval = krb5_db_verify_master_key(context, master_princ, + &master_keyblock); + if (retval) { +- com_err(argv[0], retval, "while verifying master key"); ++ com_err(progname, retval, "while verifying master key"); + (void) krb5_db_fini(context); + exit_status++; return; + } +@@ -164,7 +161,7 @@ kdb5_stash(argc, argv) + retval = krb5_db_store_master_key(context, keyfile, master_princ, + &master_keyblock, NULL); + if (retval) { +- com_err(argv[0], errno, "while storing key"); ++ com_err(progname, errno, "while storing key"); + memset((char *)master_keyblock.contents, 0, master_keyblock.length); + (void) krb5_db_fini(context); + exit_status++; return; +@@ -173,7 +170,7 @@ kdb5_stash(argc, argv) + + retval = krb5_db_fini(context); + if (retval) { +- com_err(argv[0], retval, "closing database '%s'", dbname); ++ com_err(progname, retval, "closing database '%s'", dbname); + exit_status++; return; + } + +Index: src/kadmin/cli/kadmin.M +=================================================================== +--- src/kadmin/cli/kadmin.M.orig ++++ src/kadmin/cli/kadmin.M +@@ -206,12 +206,12 @@ Specifying "ago" in a duration may resul + creates the principal + 
.IR newprinc , + prompting twice for a password. If no policy is specified with the +--policy option, and the policy named "default" exists, then that ++\-policy option, and the policy named "default" exists, then that + policy is assigned to the principal; note that the assignment of the + policy "default" only occurs automatically when a principal is first + created, so the policy "default" must already exist for the assignment + to occur. This assignment of "default" can be suppressed with the +--clearpolicy option. This command requires the ++\-clearpolicy option. This command requires the + .I add + privilege. This command has the aliases + .B addprinc +@@ -411,7 +411,7 @@ Re-enter password for principal tlyu/adm + Principal "tlyu/admin@BLEEP.COM" created. + kadmin: + +-kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user ++kadmin: addprinc \-x dn=cn=mwm_user,o=org mwm_user + WARNING: no policy specified for "mwm_user@BLEEP.COM"; + defaulting to no policy. + Enter password for principal mwm_user@BLEEP.COM: +@@ -639,7 +639,7 @@ sets the number of past keys kept for a + .nf + .TP + EXAMPLES: +-kadmin: add_policy -maxlife "2 days" -minlength 5 guests ++kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests + kadmin: + .TP + ERRORS: +Index: src/lib/crypto/enc_provider/aes.c +=================================================================== +--- src/lib/crypto/enc_provider/aes.c.orig ++++ src/lib/crypto/enc_provider/aes.c +@@ -1,3 +1,29 @@ ++/* ++ * lib/crypto/enc_provider/aes.h ++ * ++ * Copyright (C) 2003, 2007 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Export of this software from the United States of America may ++ * require a specific license from the United States Government. ++ * It is the responsibility of any person or organization contemplating ++ * export to obtain such a license before exporting. 
++ * ++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and ++ * distribute this software and its documentation for any purpose and ++ * without fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright notice and ++ * this permission notice appear in supporting documentation, and that ++ * the name of M.I.T. not be used in advertising or publicity pertaining ++ * to distribution of the software without specific, written prior ++ * permission. Furthermore if you modify this software you must label ++ * your software as modified software and not distribute it in such a ++ * fashion that it might be confused with the original M.I.T. software. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" without express ++ * or implied warranty. ++ */ ++ + #include "k5-int.h" + #include "enc_provider.h" + #include "aes.h" +Index: src/lib/rpc/auth_gssapi.c +=================================================================== +--- src/lib/rpc/auth_gssapi.c.orig ++++ src/lib/rpc/auth_gssapi.c +@@ -164,6 +164,11 @@ AUTH *auth_gssapi_create( + auth = (AUTH *) malloc(sizeof(*auth)); + pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata)); + if (auth == NULL || pdata == NULL) { ++ /* They needn't both have failed; clean up. 
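Review bot: The header comment added to aes.c names the file as `lib/crypto/enc_provider/aes.h`, which does not match the file being patched. The second line of the comment should read ` * lib/crypto/enc_provider/aes.c` so that it does not point a reader at the wrong file.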
*/ ++ free(auth); ++ free(pdata); ++ auth = NULL; ++ pdata = NULL; + rpc_createerr.cf_stat = RPC_SYSTEMERROR; + rpc_createerr.cf_error.re_errno = ENOMEM; + goto cleanup; +@@ -436,12 +441,14 @@ next_token: + + cleanup: + PRINTF(("gssapi_create: bailing\n\n")); +- +- if (AUTH_PRIVATE(auth)) +- auth_gssapi_destroy(auth); +- else if (auth) +- free(auth); +- auth = NULL; ++ ++ if (auth) { ++ if (AUTH_PRIVATE(auth)) ++ auth_gssapi_destroy(auth); ++ else ++ free(auth); ++ auth = NULL; ++ } + + /* don't assume the caller will want to change clnt->cl_auth */ + clnt->cl_auth = save_auth; +Index: src/lib/gssapi/krb5/lucid_context.c +=================================================================== +--- src/lib/gssapi/krb5/lucid_context.c.orig ++++ src/lib/gssapi/krb5/lucid_context.c +@@ -231,7 +231,7 @@ make_external_lucid_ctx_v1( + &lctx->cfx_kd.ctx_key))) + goto error_out; + if (gctx->have_acceptor_subkey) { +- if ((retval = copy_keyblock_to_lucid_key(gctx->enc, ++ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, + &lctx->cfx_kd.acceptor_subkey))) + goto error_out; + lctx->cfx_kd.have_acceptor_subkey = 1; +Index: src/lib/kadm5/str_conv.c +=================================================================== +--- src/lib/kadm5/str_conv.c.orig ++++ src/lib/kadm5/str_conv.c +@@ -310,7 +310,7 @@ krb5_string_to_keysalts(string, tuplesep + septmp = ksseplist; + for (sp = strchr(kp, (int) *septmp); + *(++septmp) && !sp; +- ep = strchr(kp, (int) *septmp)); ++ sp = strchr(kp, (int) *septmp)); + + if (sp) { + /* Separate enctype from salttype */ +Index: src/lib/krb5/keytab/kt_file.c +=================================================================== +--- src/lib/krb5/keytab/kt_file.c.orig ++++ src/lib/krb5/keytab/kt_file.c +@@ -53,10 +53,30 @@ typedef struct _krb5_ktfile_data { + FILE *openf; /* open file, if any. 
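Review bot: The corrected loop in krb5_string_to_keysalts still does all of its work in the for-header and ends in a bare `;`, which is the shape that hid the `ep`/`sp` typo in the first place. Marking the empty body explicitly, for example with `/* empty: try each separator until one is found */ ;` on its own line, or rewriting it as a `while` with the `strchr` call in the body, would make the next slip easier to see. The function begins and ends outside the hunk.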
*/ + char iobuf[BUFSIZ]; /* so we can zap it later */ + int version; /* Version number of keytab */ ++ unsigned int iter_count; /* Number of active iterators */ ++ long start_offset; /* Starting offset after version */ + k5_mutex_t lock; /* Protect openf, version */ + } krb5_ktfile_data; + + /* ++ * Some limitations: ++ * ++ * If the file OPENF is left open between calls, we have an iterator ++ * active, and OPENF is opened in read-only mode. So, no changes ++ * can be made via that handle. ++ * ++ * An advisory file lock is used while the file is open. Thus, ++ * multiple handles on the same underlying file cannot be used without ++ * disrupting the locking in effect. ++ * ++ * The start_offset field is only valid if the file is open. It will ++ * almost certainly always be the same constant. It's used so that ++ * if an iterator is active, and we start another one, we don't have ++ * to seek back to the start and re-read the version number to set ++ * the position for the iterator. ++ */ ++ ++/* + * Macros + */ + #define KTPRIVATE(id) ((krb5_ktfile_data *)(id)->data) +@@ -64,6 +84,8 @@ typedef struct _krb5_ktfile_data { + #define KTFILEP(id) (((krb5_ktfile_data *)(id)->data)->openf) + #define KTFILEBUFP(id) (((krb5_ktfile_data *)(id)->data)->iobuf) + #define KTVERSION(id) (((krb5_ktfile_data *)(id)->data)->version) ++#define KTITERS(id) (((krb5_ktfile_data *)(id)->data)->iter_count) ++#define KTSTARTOFF(id) (((krb5_ktfile_data *)(id)->data)->start_offset) + #define KTLOCK(id) k5_mutex_lock(&((krb5_ktfile_data *)(id)->data)->lock) + #define KTUNLOCK(id) k5_mutex_unlock(&((krb5_ktfile_data *)(id)->data)->lock) + #define KTCHECKLOCK(id) k5_mutex_assert_locked(&((krb5_ktfile_data *)(id)->data)->lock) +@@ -208,6 +230,7 @@ krb5_ktfile_resolve(krb5_context context + (void) strcpy(data->name, name); + data->openf = 0; + data->version = 0; ++ data->iter_count = 0; + + (*id)->data = (krb5_pointer)data; + (*id)->magic = KV5M_KEYTAB; +@@ -255,15 +278,27 @@ 
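Review bot: The lock comment in krb5_ktfile_data still reads `/* Protect openf, version */` although the two new fields are, in the hunks that follow, only touched between KTLOCK and KTUNLOCK. Updating it to `/* Protect openf, version, iter_count, start_offset */` would record that the iterator count and start offset share the same locking rule. The new "Some limitations" comment would also be a good place to state that iter_count is only modified with the lock held.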
krb5_ktfile_get_entry(krb5_context conte + int found_wrong_kvno = 0; + krb5_boolean similar; + int kvno_offset = 0; ++ int was_open; + + kerror = KTLOCK(id); + if (kerror) + return kerror; + +- /* Open the keyfile for reading */ +- if ((kerror = krb5_ktfileint_openr(context, id))) { +- KTUNLOCK(id); +- return(kerror); ++ if (KTFILEP(id) != NULL) { ++ was_open = 1; ++ ++ if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) { ++ KTUNLOCK(id); ++ return errno; ++ } ++ } else { ++ was_open = 0; ++ ++ /* Open the keyfile for reading */ ++ if ((kerror = krb5_ktfileint_openr(context, id))) { ++ KTUNLOCK(id); ++ return(kerror); ++ } + } + + /* +@@ -370,12 +405,13 @@ krb5_ktfile_get_entry(krb5_context conte + kerror = KRB5_KT_NOTFOUND; + } + if (kerror) { +- (void) krb5_ktfileint_close(context, id); ++ if (was_open == 0) ++ (void) krb5_ktfileint_close(context, id); + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; + } +- if ((kerror = krb5_ktfileint_close(context, id)) != 0) { ++ if (was_open == 0 && (kerror = krb5_ktfileint_close(context, id)) != 0) { + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; +@@ -430,18 +466,30 @@ krb5_ktfile_start_seq_get(krb5_context c + if (retval) + return retval; + +- if ((retval = krb5_ktfileint_openr(context, id))) { +- KTUNLOCK(id); +- return retval; ++ if (KTITERS(id) == 0) { ++ if ((retval = krb5_ktfileint_openr(context, id))) { ++ KTUNLOCK(id); ++ return retval; ++ } + } + + if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { +- krb5_ktfileint_close(context, id); ++ if (KTITERS(id) == 0) ++ krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return ENOMEM; + } +- *fileoff = ftell(KTFILEP(id)); ++ *fileoff = KTSTARTOFF(id); + *cursorp = (krb5_kt_cursor)fileoff; ++ KTITERS(id)++; ++ if (KTITERS(id) == 0) { ++ /* Wrapped?! 
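Review bot: In the new fseek failure branch of krb5_ktfile_get_entry, `errno` is read after `KTUNLOCK(id)`, and the unlock may itself change errno before it is returned. Capturing the value first keeps the reported error tied to the seek: `kerror = errno; KTUNLOCK(id); return kerror;`. The rest of the function lies outside this hunk.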
*/ ++ KTITERS(id)--; ++ KTUNLOCK(id); ++ krb5_set_error_message(context, KRB5_KT_IOERR, ++ "Too many keytab iterators active"); ++ return KRB5_KT_IOERR; /* XXX */ ++ } + KTUNLOCK(id); + + return 0; +@@ -490,7 +538,11 @@ krb5_ktfile_end_get(krb5_context context + + krb5_xfree(*cursor); + KTLOCK(id); +- kerror = krb5_ktfileint_close(context, id); ++ KTITERS(id)--; ++ if (KTFILEP(id) != NULL && KTITERS(id) == 0) ++ kerror = krb5_ktfileint_close(context, id); ++ else ++ kerror = 0; + KTUNLOCK(id); + return kerror; + } +@@ -811,6 +863,7 @@ krb5_ktfile_wresolve(krb5_context contex + (void) strcpy(data->name, name); + data->openf = 0; + data->version = 0; ++ data->iter_count = 0; + + (*id)->data = (krb5_pointer)data; + (*id)->magic = KV5M_KEYTAB; +@@ -830,6 +883,13 @@ krb5_ktfile_add(krb5_context context, kr + retval = KTLOCK(id); + if (retval) + return retval; ++ if (KTFILEP(id)) { ++ /* Iterator(s) active -- no changes. */ ++ KTUNLOCK(id); ++ krb5_set_error_message(context, KRB5_KT_IOERR, ++ "Cannot change keytab with keytab iterators active"); ++ return KRB5_KT_IOERR; /* XXX */ ++ } + if ((retval = krb5_ktfileint_openw(context, id))) { + KTUNLOCK(id); + return retval; +@@ -858,6 +918,13 @@ krb5_ktfile_remove(krb5_context context, + kerror = KTLOCK(id); + if (kerror) + return kerror; ++ if (KTFILEP(id)) { ++ /* Iterator(s) active -- no changes. 
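Review bot: On the counter-wrap path in krb5_ktfile_start_seq_get the function returns KRB5_KT_IOERR after `*cursorp` has already been set to `fileoff`, so the allocation is never freed and the caller receives a cursor together with an error. Either do the increment and wrap check before the malloc, or add `free(fileoff); *cursorp = NULL;` before the `KTUNLOCK(id)` on that path. The `/* XXX */` next to the return code would also benefit from a word on which error code is actually wanted.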
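Review bot: The unconditional `KTITERS(id)--;` in krb5_ktfile_end_get operates on an unsigned counter, so a call that is not paired with a successful start_seq_get wraps it to UINT_MAX. After that the file would never be closed here, and start_seq_get would skip its open because the count is non-zero. A guard such as `if (KTITERS(id) > 0) KTITERS(id)--;` keeps the count sane. The `KTLOCK(id)` result on the preceding context line is also not checked, unlike the other entry points in this patch.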
*/ ++ KTUNLOCK(id); ++ krb5_set_error_message(context, KRB5_KT_IOERR, ++ "Cannot change keytab with keytab iterators active"); ++ return KRB5_KT_IOERR; /* XXX */ ++ } + + if ((kerror = krb5_ktfileint_openw(context, id))) { + KTUNLOCK(id); +@@ -1114,6 +1181,7 @@ krb5_ktfileint_open(krb5_context context + return KRB5_KEYTAB_BADVNO; + } + } ++ KTSTARTOFF(id) = ftell(KTFILEP(id)); + return 0; + } + +@@ -1424,7 +1492,7 @@ krb5_ktfileint_write_entry(krb5_context + krb5_timestamp timestamp; + krb5_int32 princ_type; + krb5_int32 size_needed; +- krb5_int32 commit_point; ++ krb5_int32 commit_point = -1; + int i; + + KTCHECKLOCK(id); +Index: src/lib/krb5/os/toffset.c +=================================================================== +--- src/lib/krb5/os/toffset.c.orig ++++ src/lib/krb5/os/toffset.c +@@ -34,6 +34,9 @@ + * routines will return the correct time as corrected by difference + * between the system time and the "real time" as passed to this + * routine ++ * ++ * If the real time microseconds are given as -1 the caller doesn't ++ * know the microseconds value so the usec offset is always zero. + */ + krb5_error_code KRB5_CALLCONV + krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) +@@ -45,8 +48,10 @@ krb5_set_real_time(krb5_context context, + retval = krb5_crypto_us_timeofday(&sec, &usec); + if (retval) + return retval; ++ + os_ctx->time_offset = seconds - sec; +- os_ctx->usec_offset = microseconds - usec; ++ os_ctx->usec_offset = (microseconds > -1) ? 
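Review bot: The new `KTSTARTOFF(id) = ftell(KTFILEP(id));` in krb5_ktfileint_open stores the result without checking for -1, and that value is later passed to fseek in krb5_ktfile_get_entry and handed out as the starting cursor in krb5_ktfile_start_seq_get. A failed ftell would then surface as a confusing seek error or a bad read position much later. Checking it at the point of the call, for example `if (KTSTARTOFF(id) == -1) return errno;` preceded by whatever close and cleanup this function normally does, keeps the failure local. The function's error-handling conventions are outside the hunk, so the exact cleanup needs confirming.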
microseconds - usec : 0; ++ + os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | + KRB5_OS_TOFFSET_VALID); + return 0; +Index: src/lib/krb5/os/locate_kdc.c +=================================================================== +--- src/lib/krb5/os/locate_kdc.c.orig ++++ src/lib/krb5/os/locate_kdc.c +@@ -611,6 +611,7 @@ module_locate_server (krb5_context ctx, + krb5_error_code code; + struct krb5plugin_service_locate_ftable *vtbl = NULL; + void **ptrs; ++ char *realmz; /* NUL-terminated realm */ + int i; + struct module_callback_data cbdata = { 0, }; + +@@ -632,6 +633,17 @@ module_locate_server (krb5_context ctx, + return KRB5_PLUGIN_NO_HANDLE; + } + ++ if (realm->length >= UINT_MAX) { ++ krb5int_free_plugin_dir_data(ptrs); ++ return ENOMEM; ++ } ++ realmz = malloc(realm->length + 1); ++ if (realmz == NULL) { ++ krb5int_free_plugin_dir_data(ptrs); ++ return ENOMEM; ++ } ++ memcpy(realmz, realm->data, realm->length); ++ realmz[realm->length] = '\0'; + for (i = 0; ptrs[i]; i++) { + void *blob; + +@@ -644,7 +656,7 @@ module_locate_server (krb5_context ctx, + if (code) + continue; + +- code = vtbl->lookup(blob, svc, realm->data, socktype, family, ++ code = vtbl->lookup(blob, svc, realmz, socktype, family, + module_callback, &cbdata); + vtbl->fini(blob); + if (code == KRB5_PLUGIN_NO_HANDLE) { +@@ -657,6 +669,7 @@ module_locate_server (krb5_context ctx, + /* Module encountered an actual error. */ + Tprintf("plugin lookup routine returned error %d: %s\n", + code, error_message(code)); ++ free(realmz); + krb5int_free_plugin_dir_data (ptrs); + return code; + } +@@ -664,6 +677,7 @@ module_locate_server (krb5_context ctx, + } + if (ptrs[i] == NULL) { + Tprintf("ran off end of plugin list\n"); ++ free(realmz); + krb5int_free_plugin_dir_data (ptrs); + return KRB5_PLUGIN_NO_HANDLE; + } +@@ -672,6 +686,7 @@ module_locate_server (krb5_context ctx, + /* Got something back, yippee. 
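Review bot: The NUL-terminated copy built in module_locate_server copies `realm->length` bytes verbatim, so if `realm->data` can contain an embedded NUL byte the plugin's lookup routine will see a shorter realm than the one the caller asked about. A check before the copy, `if (memchr(realm->data, '\0', realm->length) != NULL)`, followed by freeing ptrs and returning an error, would keep the counted and C-string views of the realm in agreement. The guard `realm->length >= UINT_MAX` also relies on `<limits.h>` being included, which is not visible in these hunks. The later hunks add `free(realmz)` before each return, which a single cleanup label would make harder to miss when a new exit is added.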
*/ + Tprintf("now have %d addrs in list %p\n", addrlist->naddrs, addrlist); + print_addrlist(addrlist); ++ free(realmz); + krb5int_free_plugin_dir_data (ptrs); + return 0; + } +Index: src/lib/krb5/rcache/rc_io.c +=================================================================== +--- src/lib/krb5/rcache/rc_io.c.orig ++++ src/lib/krb5/rcache/rc_io.c +@@ -83,6 +83,7 @@ krb5_rc_io_creat(krb5_context context, k + (void) strcpy(d->fn, dir); + (void) strcat(d->fn, PATH_SEPARATOR); + (void) strcat(d->fn, *fn); ++ unlink(d->fn); + d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | + O_BINARY, 0600); + } +@@ -425,7 +426,7 @@ krb5_rc_io_read(krb5_context context, kr + strerror(errno)); + return KRB5_RC_IO_UNKNOWN; + } +- if (count == 0) ++ if (count != num) + return KRB5_RC_IO_EOF; + return 0; + } +Index: src/lib/krb5/ccache/cc_memory.c +=================================================================== +--- src/lib/krb5/ccache/cc_memory.c.orig ++++ src/lib/krb5/ccache/cc_memory.c +@@ -135,10 +135,18 @@ krb5_error_code KRB5_CALLCONV + krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) + { + krb5_error_code ret; ++ krb5_mcc_data *d; ++ ++ d = (krb5_mcc_data *)id->data; ++ ret = k5_mutex_lock(&d->lock); ++ if (ret) ++ return ret; + + krb5_mcc_free(context, id); + ret = krb5_copy_principal(context, princ, + &((krb5_mcc_data *)id->data)->prin); ++ ++ k5_mutex_unlock(&d->lock); + if (ret == KRB5_OK) + krb5_change_cache(); + return ret; +@@ -205,8 +213,13 @@ krb5_mcc_destroy(krb5_context context, k + } + k5_mutex_unlock(&krb5int_mcc_mutex); + ++ err = k5_mutex_lock(&d->lock); ++ if (err) ++ return err; ++ + krb5_mcc_free(context, id); + krb5_xfree(d->name); ++ k5_mutex_unlock(&d->lock); + k5_mutex_destroy(&d->lock); + krb5_xfree(d); + krb5_xfree(id); +@@ -244,12 +257,6 @@ krb5_mcc_resolve (krb5_context context, + krb5_error_code err; + krb5_mcc_data *d; + +- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); +- if (lid == 
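Review bot: The `unlink(d->fn);` added to krb5_rc_io_creat silently discards whatever replay cache file already exists at that path, and its result is ignored without a comment. Since dropping a replay cache also drops the replay records in it, the intent should be stated at the call, for example `/* Remove a stale or corrupt cache so the O_EXCL create below can succeed; its replay records are discarded. */`. Writing the call as `(void) unlink(d->fn);` would match the `(void) strcpy` style of the surrounding lines and show that the ignored result is deliberate. The function starts and ends outside the hunk.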
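Review bot: The new `if (err) return err;` in krb5_mcc_destroy returns after the section guarded by krb5int_mcc_mutex has already finished, so a failure to take `d->lock` leaves `d`, `d->name` and `id` unfreed. If the code above the hunk has already removed `d` from the cache list, which is not visible here, nothing could reach them again. It is also worth confirming that no other thread can be waiting on `d->lock` at this point, because the lock is released immediately before `k5_mutex_destroy(&d->lock)`. At minimum a comment such as `/* lock failure leaks d and id; cache is already off the list */` should record the trade-off.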
NULL) +- return KRB5_CC_NOMEM; +- +- lid->ops = &krb5_mcc_ops; +- + err = k5_mutex_lock(&krb5int_mcc_mutex); + if (err) + return err; +@@ -262,11 +269,16 @@ krb5_mcc_resolve (krb5_context context, + err = new_mcc_data(residual, &d); + if (err) { + k5_mutex_unlock(&krb5int_mcc_mutex); +- krb5_xfree(lid); + return err; + } + } + k5_mutex_unlock(&krb5int_mcc_mutex); ++ ++ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); ++ if (lid == NULL) ++ return KRB5_CC_NOMEM; ++ ++ lid->ops = &krb5_mcc_ops; + lid->data = d; + *id = lid; + return KRB5_OK; +Index: src/lib/krb5/ccache/ccdefault.c +=================================================================== +--- src/lib/krb5/ccache/ccdefault.c.orig ++++ src/lib/krb5/ccache/ccdefault.c +@@ -1,7 +1,7 @@ + /* + * lib/krb5/ccache/ccdefault.c + * +- * Copyright 1990 by the Massachusetts Institute of Technology. ++ * Copyright 1990, 2007, 2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may +@@ -45,22 +45,30 @@ static HANDLE hLeashDLL = INVALID_HANDLE + krb5_error_code KRB5_CALLCONV + krb5_cc_default(krb5_context context, krb5_ccache *ccache) + { +- krb5_os_context os_ctx; ++ const char *default_name; + + if (!context || context->magic != KV5M_CONTEXT) + return KV5M_CONTEXT; ++ ++ default_name = krb5_cc_default_name(context); ++ if (default_name == NULL) { ++ /* Could be a bogus context, or an allocation failure, or ++ other things. Unfortunately the API doesn't allow us ++ to find out any specifics. */ ++ return KRB5_FCC_INTERNAL; ++ } + +- os_ctx = context->os_context; +- +- return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache); ++ return krb5_cc_resolve(context, default_name, ccache); + } + +-/* This is the internal function which opens the default ccache. 
On platforms supporting +- the login library's automatic popup dialog to get tickets, this function also updated the +- library's internal view of the current principal associated with this cache. +- +- All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets +- should call this function, not krb5_cc_default() */ ++/* This is the internal function which opens the default ccache. On ++ platforms supporting the login library's automatic popup dialog to ++ get tickets, this function also updated the library's internal view ++ of the current principal associated with this cache. ++ ++ All krb5 and GSS functions which need to open a cache to get a tgt ++ to obtain service tickets should call this function, not ++ krb5_cc_default(). */ + + krb5_error_code KRB5_CALLCONV + krb5int_cc_default(krb5_context context, krb5_ccache *ccache) +@@ -82,7 +90,8 @@ krb5int_cc_default(krb5_context context, + /* This function tries to get tickets and put them in the specified + cache, however, if the cache does not exist, it may choose to put + them elsewhere (ie: the system default) so we set that here */ +- if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) { ++ char * ccdefname = krb5_cc_default_name (context); ++ if (!ccdefname || strcmp (ccdefname, outCacheName) != 0) { + krb5_cc_set_default_name (context, outCacheName); + } + KLDisposeString (outCacheName); +@@ -102,7 +111,8 @@ krb5int_cc_default(krb5_context context, + char ccname[256]=""; + pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname)); + if (ccname[0]) { +- if (strcmp (krb5_cc_default_name (context),ccname) != 0) { ++ char * ccdefname = krb5_cc_default_name (context); ++ if (!ccdefname || strcmp (ccdefname, ccname) != 0) { + krb5_cc_set_default_name (context, ccname); + } + } +Index: src/lib/krb5/krb/get_in_tkt.c +=================================================================== +--- src/lib/krb5/krb/get_in_tkt.c.orig ++++ 
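Review bot: The two krb5int_cc_default hunks (-82 and -102) store the result of krb5_cc_default_name in `char * ccdefname`, while the krb5_cc_default hunk in the same file uses `const char *default_name` for the same call. Declaring it as `const char *ccdefname = krb5_cc_default_name (context);` keeps the three sites consistent and avoids dropping the qualifier. Both declarations sit inside blocks whose start is outside the hunk, so check that they do not follow a statement if the file is still built as C89.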
src/lib/krb5/krb/get_in_tkt.c +@@ -290,7 +290,7 @@ verify_as_reply(krb5_context context, + + if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { + retval = krb5_set_real_time(context, +- as_reply->enc_part2->times.authtime, 0); ++ as_reply->enc_part2->times.authtime, -1); + if (retval) + return retval; + } else { +Index: src/lib/krb5/krb/rd_safe.c +=================================================================== +--- src/lib/krb5/krb/rd_safe.c.orig ++++ src/lib/krb5/krb/rd_safe.c +@@ -1,7 +1,7 @@ + /* + * lib/krb5/krb/rd_safe.c + * +- * Copyright 1990,1991 by the Massachusetts Institute of Technology. ++ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may +@@ -114,11 +114,11 @@ krb5_rd_safe_basic(krb5_context context, + + message->checksum = &our_cksum; + +- if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch))) ++ retval = encode_krb5_safe_with_body(message, &safe_body, &scratch); ++ message->checksum = his_cksum; ++ if (retval) + goto cleanup; + +- message->checksum = his_cksum; +- + retval = krb5_c_verify_checksum(context, keyblock, + KRB5_KEYUSAGE_KRB_SAFE_CKSUM, + scratch, his_cksum, &valid); +Index: src/lib/krb5/krb/gc_via_tkt.c +=================================================================== +--- src/lib/krb5/krb/gc_via_tkt.c.orig ++++ src/lib/krb5/krb/gc_via_tkt.c +@@ -1,7 +1,7 @@ + /* + * lib/krb5/krb/gc_via_tgt.c + * +- * Copyright 1990,1991 by the Massachusetts Institute of Technology. ++ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. 
+ * + * Export of this software from the United States of America may +@@ -100,6 +100,7 @@ cleanup_keyblock: + + cleanup: + free (*ppcreds); ++ *ppcreds = NULL; + return retval; + } + +@@ -249,7 +250,8 @@ krb5_get_cred_via_tkt (krb5_context cont + switch (err_reply->error) { + case KRB_ERR_GENERIC: + krb5_set_error_message(context, retval, +- "KDC returned error string: %s", ++ "KDC returned error string: %.*s", ++ err_reply->text.length, + err_reply->text.data); + break; + default: +Index: src/slave/kpropd.M +=================================================================== +--- src/slave/kpropd.M.orig ++++ src/slave/kpropd.M +@@ -122,7 +122,7 @@ mode. + .TP + .B \-a + allows the user to specify the path to the +-.KR kpropd.acl ++kpropd.acl + file; by default the path used is KPROPD_ACL_FILE + (normally @manlocalstatedir@/krb5kdc/kpropd.acl). + .SH FILES +Index: src/util/depfix.pl +=================================================================== +--- src/util/depfix.pl.orig ++++ src/util/depfix.pl +@@ -214,6 +214,7 @@ my $buf = ''; + while () { + # Strip newline. + chop; ++ next if /^\s*#/; + # Do directory-specific path substitutions on each filename read. + $_ = &do_subs($_); + if (m/\\$/) { +Index: src/util/profile/prof_init.c +=================================================================== +--- src/util/profile/prof_init.c.orig ++++ src/util/profile/prof_init.c +@@ -34,8 +34,11 @@ profile_init(const_profile_filespec_t *f + memset(profile, 0, sizeof(struct _profile_t)); + profile->magic = PROF_MAGIC_PROFILE; + +- /* if the filenames list is not specified return an empty profile */ +- if ( files ) { ++ /* ++ * If the filenames list is not specified or empty, return an empty ++ * profile. ++ */ ++ if ( files && !PROFILE_LAST_FILESPEC(*files) ) { + for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { + retval = profile_open_file(*fs, &new_file); + /* if this file is missing, skip to the next */ 
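Review bot: In the krb5_get_cred_via_tkt hunk the precision for `%.*s` is passed as `err_reply->text.length`, but `%.*s` takes an `int`. If that length is an unsigned type, as the `UINT_MAX` comparison on `realm->length` elsewhere in this patch suggests, a very large value would be read as a negative precision, which printf-style formatters treat as no precision at all. The read of KDC-supplied text would then be unbounded again. Clamping the length and casting it, so that the argument is `(int) err_reply->text.length` after a bound check, keeps the fix effective for every input.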
diff --git a/krb5-doc.changes b/krb5-doc.changes index 9f30e3a..244fa1c 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de + +- add patches from SVN post 1.6.3 + * some fixes in the man pages + ------------------------------------------------------------------- Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 502a519..8af3980 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -14,7 +14,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.3 -Release: 84 +Release: 96 %define srcRoot krb5-1.6.3 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT @@ -26,6 +26,7 @@ Source2: Makefile.kadm5 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.6.3-post.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -48,6 +49,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile %build @@ -131,6 +133,9 @@ rm -rf %{buildroot} %doc doc/html %changelog +* Fri Jul 25 2008 mc@suse.de +- add patches from SVN post 1.6.3 + * some fixes in the man pages * Wed Jun 18 2008 mc@suse.de - reduce rpmlint warnings * Tue Oct 23 2007 mc@suse.de diff --git a/krb5-plugins.changes b/krb5-plugins.changes index 6e45b18..f5a3046 100644 --- a/krb5-plugins.changes +++ b/krb5-plugins.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Jul 25 12:17:44 CEST 2008 - mc@suse.de + +- add patches from SVN post 1.6.3 + * krb5_string_to_keysalts: Fix an infinite loop + * fix some mutex issues + * better recovery from corrupt rcache files + * some more small fixes + ------------------------------------------------------------------- Wed Jun 18 15:33:18 CEST 2008 - mc@suse.de 
diff --git a/krb5-plugins.spec b/krb5-plugins.spec index e10c1ed..16c3af4 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -14,7 +14,7 @@ Name: krb5-plugins Version: 1.6.3 -Release: 10 +Release: 11 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -60,6 +60,7 @@ Patch41: krb5-trunk-kpasswd_tcp.patch Patch42: krb5-trunk-seqnum.patch Patch43: krb5-1.6.3-case-insensitive.dif Patch44: krb5-1.6.3-ktutil-manpage.dif +Patch45: krb5-1.6.3-post.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -157,6 +158,7 @@ fi %patch42 %patch43 %patch44 -p1 +%patch45 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src @@ -271,6 +273,12 @@ rm -rf %{buildroot} %{_libdir}/krb5/plugins/preauth/pkinit.so %changelog +* Fri Jul 25 2008 mc@suse.de +- add patches from SVN post 1.6.3 + * krb5_string_to_keysalts: Fix an infinite loop + * fix some mutex issues + * better recovery from corrupt rcache files + * some more small fixes * Wed Jun 18 2008 mc@suse.de - reduce rpmlint warnings * Tue Dec 04 2007 mc@suse.de diff --git a/krb5.changes b/krb5.changes index 0adad24..13f3a51 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de + +- add patches from SVN post 1.6.3 + * krb5_string_to_keysalts: Fix an infinite loop + * fix some mutex issues + * better recovery from corrupt rcache files + * some more small fixes + ------------------------------------------------------------------- Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index a2e9e60..fa895d1 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -13,7 +13,7 @@ Name: krb5 Version: 1.6.3 -Release: 52 +Release: 58 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -63,6 +63,7 @@ Patch41: krb5-trunk-kpasswd_tcp.patch Patch42: krb5-trunk-seqnum.patch Patch43: krb5-1.6.3-case-insensitive.dif Patch44: krb5-1.6.3-ktutil-manpage.dif +Patch45: krb5-1.6.3-post.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -234,6 +235,7 @@ fi %patch42 %patch43 %patch44 -p1 +%patch45 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src @@ -552,6 +554,12 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog +* Fri Jul 25 2008 mc@suse.de +- add patches from SVN post 1.6.3 + * krb5_string_to_keysalts: Fix an infinite loop + * fix some mutex issues + * better recovery from corrupt rcache files + * some more small fixes * Wed Jun 18 2008 mc@suse.de - add case-insensitive.dif (FATE#300771) - minor fixes for ktutil man page