krb5/0011_usr_etc.patch

diff -ur a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
--- a/doc/admin/conf_files/krb5_conf.rst	2025-07-01 17:17:19.392659240 +0200
+++ b/doc/admin/conf_files/krb5_conf.rst	2025-07-02 10:07:14.375303312 +0200
@@ -7,8 +7,14 @@
 including the locations of KDCs and admin servers for the Kerberos
 realms of interest, defaults for the current realm and for Kerberos
 applications, and mappings of hostnames onto Kerberos realms.
-Normally, you should install your krb5.conf file in the directory
-``/etc``.  You can override the default location by setting the
+Normally, you should install your indivual krb5.conf file in the directory
+``/etc``.
+
+.. only:: use_vendordir
+  If there is no individual one the dafault one |vendorkrb5conf| will
+  be taken.
+
+You can override the default location by setting the
 environment variable **KRB5_CONFIG**.  Multiple colon-separated
 filenames may be specified in **KRB5_CONFIG**; all files which are
 present will be read.  Starting in release 1.14, directory names can
@@ -1244,6 +1250,10 @@
 
 |krb5conf|
 
+.. only:: use_vendordir
+
+  |vendorkrb5conf| if |krb5conf| is not there.
+
 
 SEE ALSO
 --------
Nur in b/doc/admin/conf_files: krb5_conf.rst~.
diff -ur a/doc/conf.py b/doc/conf.py
--- a/doc/conf.py	2025-07-01 17:17:19.384659240 +0200
+++ b/doc/conf.py	2025-07-01 17:24:48.687885776 +0200
@@ -239,6 +239,7 @@
     localstatedir = '``@LOCALSTATEDIR@``'
     runstatedir = '``@RUNSTATEDIR@``'
     sysconfdir = '``@SYSCONFDIR@``'
+    vendordir = '``@VENDORDIR@``'
     ccache = '``@CCNAME@``'
     keytab = '``@KTNAME@``'
     ckeytab = '``@CKTNAME@``'
@@ -253,6 +254,7 @@
     localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
     runstatedir = ':ref:`RUNSTATEDIR <paths>`'
     sysconfdir = ':ref:`SYSCONFDIR <paths>`'
+    vendordir = ':ref:`VENDORDIR <paths>`'
     ccache = ':ref:`DEFCCNAME <paths>`'
     keytab = ':ref:`DEFKTNAME <paths>`'
     ckeytab = ':ref:`DEFCKTNAME <paths>`'
@@ -278,8 +280,9 @@
     rst_epilog += '.. |keytab| replace:: %s\n' % keytab
     rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
     rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
+    rst_epilog += '.. |vendorkrb5conf| replace:: %s/krb5.conf\n' % vendordir
+    rst_epilog += '.. |krb5conf| replace:: %s/krb5.conf\n' % sysconfdir
     rst_epilog += '''
-.. |krb5conf| replace:: ``/etc/krb5.conf``
 .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
 .. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
 .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
Nur in b/doc: conf.py~.
diff -ur a/src/configure.ac b/src/configure.ac
--- a/src/configure.ac	2025-07-01 17:17:19.456659239 +0200
+++ b/src/configure.ac	2025-07-01 18:20:01.582633776 +0200
@@ -1443,6 +1443,34 @@
 AC_SUBST(OSX)
 AC_SUBST(MACOS_FRAMEWORK)
 
+# Vendordir
+AC_ARG_WITH([vendordir],
+  AS_HELP_STRING([--with-vendordir=DIR], [Directory for distribution provided configuration files]),
+  [ if test ! -z "$with_vendordir" ; then
+		case $with_vendordir in
+			yes|no)
+				VENDORDIR="/usr/etc"
+				;;
+			/*)
+				VENDORDIR="$with_vendordir"
+				;;
+			*)
+                                AC_MSG_ERROR(You must specify an absolute path to --with-vendordir=DIR)
+				;;
+		esac
+	fi
+  ],
+  [])
+
+AS_IF([test "x$with_vendordir" != x], [
+  AC_DEFINE([USE_VENDORDIR], [1], [Define to 1 to use vendordir])
+  AC_DEFINE_UNQUOTED(VENDORDIR, "$VENDORDIR", [location of vendor configuration files])
+  AC_SUBST(VENDORDIR)
+  USE_VENDORDIR="1"
+  AC_SUBST(USE_VENDORDIR)
+  AC_MSG_NOTICE([Used vendor dir: $with_vendordir])
+])
+
 # Build-time default ccache, keytab, and client keytab names.  These
 # can be given as variable arguments DEFCCNAME, DEFKTNAME, and
 # DEFCKTNAME.  Otherwise, we try to get the OS defaults from
Nur in b/src: configure.ac~.
diff -ur a/src/doc/Makefile.in b/src/doc/Makefile.in
--- a/src/doc/Makefile.in	2025-07-01 17:17:19.424659240 +0200
+++ b/src/doc/Makefile.in	2025-07-02 09:41:01.906440544 +0200
@@ -11,6 +11,8 @@
 DEFKTNAME=@DEFKTNAME@
 DEFCKTNAME=@DEFCKTNAME@
 PKCS11_MODNAME=@PKCS11_MODNAME@
+VENDORDIR=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
 
 RST_SOURCES= _static \
 	_templates \
@@ -43,7 +45,11 @@
 #     make -f Makefile.in SPHINX_ARGS= htmlsrc
 html: composite
 	rm -rf $(docsrc)/html
-	$(SPHINX_BUILD) -q rst_composite $(docsrc)/html
+	if test "$(USE_VENDORDIR)" == "1" ; then \
+		$(SPHINX_BUILD) -q rst_composite -t use_vendordir $(docsrc)/html; \
+	else \
+		$(SPHINX_BUILD) -q rst_composite $(docsrc)/html; \
+	fi
 
 # Dummy target for use in an unconfigured source tree.
 htmlsrc:
@@ -55,17 +61,25 @@
 substhtml: composite paths.py
 	rm -rf html_subst
 	cp paths.py rst_composite
-	$(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst
+	if test "$(USE_VENDORDIR)" == "1" ; then \
+		$(SPHINX_BUILD) -t pathsubs -q -t use_vendordir rst_composite html_subst; \
+	else \
+		$(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst; \
+        fi
 
 # Create an ASCII (okay, UTF-8) version of the NOTICE file
 notice.txt: $(docsrc)/conf.py $(docsrc)/notice.rst $(docsrc)/version.py
-	$(SPHINX_BUILD) -b text -t notice -q $(docsrc) .
+	if test "$(USE_VENDORDIR)" == "1" ; then \
+		$(SPHINX_BUILD) -b text -t notice -t use_vendordir -q $(docsrc) .; \
+	else \
+		$(SPHINX_BUILD) -b text -t notice -q $(docsrc) .; \
+	fi
 
 NOTICE: notice.txt
 	cp notice.txt $(top_srcdir)/../NOTICE
 
 $(PDFDIR): composite
-	$(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR)
+	$(SPHINX_BUILD) -b latex -q -t $(USEVENDORDIR) rst_composite $(PDFDIR)
 	# sphinx-build generates a gmake-specific Makefile that we don't use
 	mv $(PDFDIR)/Makefile $(PDFDIR)/GMakefile
 
@@ -116,6 +130,7 @@
 	echo 'localstatedir = "``$(localstatedir)``"' >> $@
 	echo 'runstatedir = "``$(runstatedir)``"' >> $@
 	echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
+	echo 'vendordir = "``$(VENDORDIR)``"' >> $@
 	echo 'ccache = "``$(DEFCCNAME)``"' >> $@
 	echo 'keytab = "``$(DEFKTNAME)``"' >> $@
 	echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
Nur in b/src/doc: Makefile.in~.
diff -ur a/src/include/osconf.hin b/src/include/osconf.hin
--- a/src/include/osconf.hin	2025-07-01 17:17:19.456659239 +0200
+++ b/src/include/osconf.hin	2025-07-01 17:35:25.392460942 +0200
@@ -53,6 +53,7 @@
 #define DEFAULT_SECURE_PROFILE_PATH     "/etc/krb5.conf@SYSCONFCONF"
 #define DEFAULT_PROFILE_PATH        DEFAULT_SECURE_PROFILE_PATH
 #endif
+#define SYSCONFDIR "@SYSCONFDIR"
 #endif /* _WINDOWS  */
 
 #ifdef _WIN32
Nur in b/src/include: osconf.hin~.
diff -ur a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
--- a/src/lib/krb5/os/init_os_ctx.c	2025-07-01 17:17:19.432659239 +0200
+++ b/src/lib/krb5/os/init_os_ctx.c	2025-07-02 14:54:25.799506632 +0200
@@ -25,12 +25,17 @@
  */
 
 #define NEED_WINDOWS
+#define KRB5_CONF "krb5.conf"
 
 #include "k5-int.h"
 #include "os-proto.h"
 #include "../krb/int-proto.h"
 #include "prof_int.h"        /* XXX for profile_copy, not public yet */
 
+#ifdef USE_VENDORDIR
+#include <sys/stat.h>
+#endif
+
 #if defined(_WIN32)
 #include <winsock.h>
 #include <Shlobj.h>
@@ -295,12 +300,34 @@
     unsigned int ent_len;
     const char *s, *t;
 
+#ifdef USE_VENDORDIR
+    int re = 0;
+    struct stat stats;
+
+    if (!secure)
+        filepath = secure_getenv("KRB5_CONFIG");
+
+    if (!filepath) {
+        re = asprintf(&filepath, "%s/%s", SYSCONFDIR, KRB5_CONF);
+        if(re<0)
+            return ENOMEM;
+
+        if (stat(filepath, &stats) < 0)
+        {
+            free(filepath);
+            re = asprintf(&filepath, "%s/%s", VENDORDIR, KRB5_CONF);
+            if(re<0)
+                return ENOMEM;
+        }
+    }
+#else
     if (secure) {
         filepath = DEFAULT_SECURE_PROFILE_PATH;
     } else {
         filepath = secure_getenv("KRB5_CONFIG");
         if (!filepath) filepath = DEFAULT_PROFILE_PATH;
     }
+#endif /* USE_VENDORDIR */    
 
     /* count the distinct filename components */
     for(s = filepath, n_entries = 1; *s; s++) {
Nur in b/src/lib/krb5/os: init_os_ctx.c~.
diff -ur a/src/man/Makefile.in b/src/man/Makefile.in
--- a/src/man/Makefile.in	2025-07-01 17:17:19.456659239 +0200
+++ b/src/man/Makefile.in	2025-07-02 10:14:21.558908755 +0200
@@ -9,6 +9,8 @@
 DEFKTNAME=@DEFKTNAME@
 DEFCKTNAME=@DEFCKTNAME@
 PKCS11_MODNAME=@PKCS11_MODNAME@
+vendordir=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
 
 MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
 	kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
@@ -26,7 +28,11 @@
 # manpage writer outputs near the end of its output files.
 man: $(docsrc)/version.py
 	rm -rf rst_man
-	$(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man
+	if test "$(USE_VENDORDIR)" == "1" ; then \
+		$(SPHINX_BUILD) -q -t mansubs -t use_vendordir -b man $(docsrc) rst_man; \
+	else \
+		$(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man; \
+	fi
 	for f in rst_man/*.[0-9]; do \
 		name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \
 		sed -e '/^\.\\" $$/d' \
@@ -46,6 +52,7 @@
 	    -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
 	    -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
 	    -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
+	    -e 's|@VENDOR_DIR@|$(vendordir)|g' \
 	    -e 's|@CCNAME@|$(DEFCCNAME)|g' \
 	    -e 's|@KTNAME@|$(DEFKTNAME)|g' \
 	    -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
Nur in b/src/man: Makefile.in~.