2006-12-19 00:16:52 +01:00
|
|
|
#
|
2011-03-16 08:59:53 +01:00
|
|
|
# spec file for package krb5
|
2006-12-19 00:16:52 +01:00
|
|
|
#
|
2019-12-12 12:10:52 +01:00
|
|
|
# Copyright (c) 2019 SUSE LLC
|
2006-12-19 00:16:52 +01:00
|
|
|
#
|
2008-10-06 19:00:36 +02:00
|
|
|
# All modifications and additions to the file contributed by third parties
|
|
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
|
|
# upon. The license for this file, and modifications and additions to the
|
|
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
|
|
# license for the pristine package is not an Open Source License, in which
|
|
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
|
|
# published by the Open Source Initiative.
|
|
|
|
|
2019-02-14 09:52:23 +01:00
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
2006-12-19 00:16:52 +01:00
|
|
|
#
|
|
|
|
|
|
|
|
|
2017-11-23 15:51:34 +01:00
|
|
|
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
|
|
|
%if ! %{defined _fillupdir}
|
|
|
|
%define _fillupdir /var/adm/fillup-templates
|
|
|
|
%endif
|
|
|
|
|
2006-12-19 00:16:52 +01:00
|
|
|
Name: krb5
|
2019-12-12 12:10:52 +01:00
|
|
|
Version: 1.17.1
|
2011-12-25 22:43:39 +01:00
|
|
|
Release: 0
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: MIT Kerberos5 implementation
|
2012-02-08 09:11:14 +01:00
|
|
|
License: MIT
|
|
|
|
Group: Productivity/Networking/Security
|
2019-02-14 09:52:23 +01:00
|
|
|
URL: https://web.mit.edu/kerberos/www/
|
2014-07-15 10:18:37 +02:00
|
|
|
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
2019-02-14 09:52:23 +01:00
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: bison
|
|
|
|
BuildRequires: keyutils
|
|
|
|
BuildRequires: keyutils-devel
|
|
|
|
BuildRequires: libcom_err-devel
|
2011-12-25 22:43:39 +01:00
|
|
|
BuildRequires: libopenssl-devel
|
2019-02-14 09:52:23 +01:00
|
|
|
BuildRequires: libselinux-devel
|
2016-02-18 12:50:30 +01:00
|
|
|
BuildRequires: libverto-devel
|
2019-02-14 09:52:23 +01:00
|
|
|
BuildRequires: ncurses-devel
|
2011-12-25 22:43:39 +01:00
|
|
|
BuildRequires: openldap2-devel
|
2011-08-21 11:43:02 +02:00
|
|
|
BuildRequires: pam-devel
|
2012-10-17 09:48:12 +02:00
|
|
|
BuildRequires: pkgconfig(systemd)
|
2008-11-02 15:42:40 +01:00
|
|
|
# bug437293
|
|
|
|
%ifarch ppc64
|
|
|
|
Obsoletes: krb5-64bit
|
|
|
|
%endif
|
2013-04-02 17:33:04 +02:00
|
|
|
Conflicts: krb5-mini
|
2019-02-13 18:07:05 +01:00
|
|
|
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
|
|
|
|
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
|
2016-07-22 13:04:02 +02:00
|
|
|
Source2: krb5.keyring
|
|
|
|
Source3: vendor-files.tar.bz2
|
|
|
|
Source4: baselibs.conf
|
2011-08-21 11:43:02 +02:00
|
|
|
Source5: krb5-rpmlintrc
|
2016-11-24 15:43:00 +01:00
|
|
|
Source6: ksu-pam.d
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
Source7: krb5.tmpfiles
|
|
|
|
Patch1: 0001-krb5-1.12-pam.patch
|
|
|
|
Patch2: 0002-krb5-1.9-manpaths.patch
|
|
|
|
Patch3: 0003-krb5-1.12-buildconf.patch
|
|
|
|
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
|
|
|
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
|
|
|
Patch6: 0006-krb5-1.12-api.patch
|
|
|
|
Patch7: 0007-krb5-1.12-ksu-path.patch
|
|
|
|
Patch8: 0008-krb5-1.12-selinux-label.patch
|
|
|
|
Patch9: 0009-krb5-1.9-debuginfo.patch
|
2006-12-19 00:16:52 +01:00
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
|
|
|
|
|
|
%description
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2006-12-19 00:16:52 +01:00
|
|
|
practice of clear text passwords.
|
|
|
|
|
|
|
|
%package client
|
2013-04-02 17:33:04 +02:00
|
|
|
Conflicts: krb5-mini
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: Client programs of the MIT Kerberos5 implementation
|
2006-12-19 00:16:52 +01:00
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
|
|
|
|
%description client
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2006-12-19 00:16:52 +01:00
|
|
|
practice of cleartext passwords. This package includes some required
|
|
|
|
client programs, like kinit, kadmin, ...
|
|
|
|
|
|
|
|
%package server
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: Server program of the MIT Kerberos5 implementation
|
2006-12-19 00:16:52 +01:00
|
|
|
Group: Productivity/Networking/Security
|
2012-06-06 16:55:51 +02:00
|
|
|
Requires: cron
|
2015-06-01 11:44:23 +02:00
|
|
|
Requires: libverto-libev1
|
2012-06-06 16:55:51 +02:00
|
|
|
Requires: logrotate
|
2006-12-19 00:16:52 +01:00
|
|
|
Requires: perl-Date-Calc
|
2016-07-02 09:38:07 +02:00
|
|
|
%if 0%{?suse_version} >= 1210
|
2012-10-05 16:25:10 +02:00
|
|
|
%{?systemd_requires}
|
2016-07-02 09:38:07 +02:00
|
|
|
%else
|
|
|
|
PreReq: %insserv_prereq
|
|
|
|
%endif
|
|
|
|
PreReq: %fillup_prereq
|
2006-12-19 00:16:52 +01:00
|
|
|
|
|
|
|
%description server
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2006-12-19 00:16:52 +01:00
|
|
|
practice of cleartext passwords. This package includes the kdc, kadmind
|
|
|
|
and more.
|
|
|
|
|
2009-07-08 19:41:43 +02:00
|
|
|
%package plugin-kdb-ldap
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: LDAP database plugin for MIT Kerberos5
|
2006-12-19 00:16:52 +01:00
|
|
|
Group: Productivity/Networking/Security
|
2009-07-08 19:41:43 +02:00
|
|
|
Requires: krb5-server = %{version}
|
2006-12-19 00:16:52 +01:00
|
|
|
|
2009-07-08 19:41:43 +02:00
|
|
|
%description plugin-kdb-ldap
|
2006-12-19 00:16:52 +01:00
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2009-07-08 19:41:43 +02:00
|
|
|
practice of clear text passwords. This package contains the LDAP
|
|
|
|
database plugin.
|
|
|
|
|
|
|
|
%package plugin-preauth-pkinit
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: PKINIT preauthentication plugin for MIT Kerberos5
|
2009-07-08 19:41:43 +02:00
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
|
|
|
|
%description plugin-preauth-pkinit
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2009-07-08 19:41:43 +02:00
|
|
|
practice of cleartext passwords. This package includes a PKINIT plugin.
|
|
|
|
|
2014-01-15 15:14:20 +01:00
|
|
|
%package plugin-preauth-otp
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: OTP preauthentication plugin for MIT Kerberos5
|
2014-01-15 15:14:20 +01:00
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
|
|
|
|
%description plugin-preauth-otp
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2014-01-15 15:14:20 +01:00
|
|
|
practice of cleartext passwords. This package includes a OTP plugin.
|
|
|
|
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%package plugin-preauth-spake
|
|
|
|
Summary: SPAKE preauthentication plugin for MIT Kerberos5
|
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
|
|
|
|
%description plugin-preauth-spake
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
|
|
|
which can improve network security by eliminating the insecure
|
|
|
|
practice of cleartext passwords. This package includes a SPAKE plugin.
|
|
|
|
|
2013-03-15 11:21:16 +01:00
|
|
|
%package doc
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: Documentation for the MIT Kerberos5 implementation
|
2013-03-15 11:21:16 +01:00
|
|
|
Group: Documentation/Other
|
|
|
|
|
|
|
|
%description doc
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication
|
2017-10-03 01:37:48 +02:00
|
|
|
system,which can improve network security by eliminating the
|
2013-03-15 11:21:16 +01:00
|
|
|
insecurepractice of clear text passwords. This package includes
|
|
|
|
extended documentation for MIT Kerberos.
|
|
|
|
|
2009-07-08 19:41:43 +02:00
|
|
|
%package devel
|
2017-10-03 01:37:48 +02:00
|
|
|
Summary: Development files for MIT Kerberos5
|
2009-07-08 19:41:43 +02:00
|
|
|
Group: Development/Libraries/C and C++
|
|
|
|
PreReq: %{name} = %{version}
|
|
|
|
Requires: keyutils-devel
|
2012-06-06 16:55:51 +02:00
|
|
|
Requires: libcom_err-devel
|
2015-05-11 13:41:14 +02:00
|
|
|
Requires: libverto-devel
|
2009-07-08 19:41:43 +02:00
|
|
|
# bug437293
|
|
|
|
%ifarch ppc64
|
|
|
|
Obsoletes: krb5-devel-64bit
|
|
|
|
%endif
|
2013-04-04 15:10:58 +02:00
|
|
|
Conflicts: krb5-mini-devel
|
2009-07-08 19:41:43 +02:00
|
|
|
|
|
|
|
%description devel
|
|
|
|
Kerberos V5 is a trusted-third-party network authentication system,
|
2017-10-03 01:37:48 +02:00
|
|
|
which can improve network security by eliminating the insecure
|
2009-07-08 19:41:43 +02:00
|
|
|
practice of cleartext passwords. This package includes Libraries and
|
|
|
|
Include Files for Development
|
2006-12-19 00:16:52 +01:00
|
|
|
|
2016-04-01 09:50:43 +02:00
|
|
|
%define srcRoot krb5-%{version}
|
|
|
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
|
|
|
%define krb5docdir %{_defaultdocdir}/krb5
|
|
|
|
|
2006-12-19 00:16:52 +01:00
|
|
|
%prep
|
2012-06-06 16:55:51 +02:00
|
|
|
%setup -q -n %{srcRoot}
|
2016-07-22 13:04:02 +02:00
|
|
|
%setup -a 3 -T -D -n %{srcRoot}
|
2013-01-25 15:25:26 +01:00
|
|
|
%patch1 -p1
|
2013-03-15 11:21:16 +01:00
|
|
|
%patch2 -p1
|
|
|
|
%patch3 -p1
|
|
|
|
%patch4 -p1
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%patch5 -p1
|
2012-06-06 16:55:51 +02:00
|
|
|
%patch6 -p1
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%patch7 -p1
|
2013-03-15 11:21:16 +01:00
|
|
|
%patch8 -p1
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%patch9 -p1
|
2006-12-19 00:16:52 +01:00
|
|
|
|
|
|
|
%build
|
2012-06-07 13:40:00 +02:00
|
|
|
# needs to be re-generated
|
|
|
|
rm -f src/lib/krb5/krb/deltat.c
|
2006-12-19 00:16:52 +01:00
|
|
|
cd src
|
2016-12-05 18:34:31 +01:00
|
|
|
autoreconf -fi
|
2013-06-09 16:19:29 +02:00
|
|
|
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
2006-12-19 00:16:52 +01:00
|
|
|
./configure \
|
2013-06-09 16:19:29 +02:00
|
|
|
CC="%{__cc}" \
|
2019-02-14 09:52:23 +01:00
|
|
|
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
2013-06-09 16:19:29 +02:00
|
|
|
CPPFLAGS="-I%{_includedir}/et " \
|
|
|
|
SS_LIB="-lss" \
|
2006-12-19 00:16:52 +01:00
|
|
|
--prefix=/usr/lib/mit \
|
|
|
|
--sysconfdir=%{_sysconfdir} \
|
|
|
|
--mandir=%{_mandir} \
|
|
|
|
--infodir=%{_infodir} \
|
|
|
|
--libexecdir=/usr/lib/mit/sbin \
|
|
|
|
--libdir=%{_libdir} \
|
|
|
|
--includedir=%{_includedir} \
|
2016-07-22 13:04:02 +02:00
|
|
|
--localstatedir=%{_localstatedir}/lib/kerberos \
|
|
|
|
--localedir=%{_datadir}/locale \
|
2006-12-19 00:16:52 +01:00
|
|
|
--enable-shared \
|
|
|
|
--disable-static \
|
2016-07-22 13:04:02 +02:00
|
|
|
--enable-dns-for-realm \
|
|
|
|
--disable-rpath \
|
|
|
|
--with-ldap \
|
|
|
|
--with-pam \
|
|
|
|
--enable-pkinit \
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
--with-crypto-impl=openssl \
|
2016-07-22 13:04:02 +02:00
|
|
|
--with-selinux \
|
|
|
|
--with-system-et \
|
|
|
|
--with-system-ss \
|
|
|
|
--with-system-verto
|
|
|
|
|
|
|
|
make %{?_smp_mflags}
|
|
|
|
|
2015-10-29 19:14:03 +01:00
|
|
|
# Copy kadmin manual page into kadmin.local's due to the split between client and server package
|
|
|
|
cp man/kadmin.man man/kadmin.local.8
|
|
|
|
|
2006-12-19 00:16:52 +01:00
|
|
|
%install
|
2019-02-14 09:52:23 +01:00
|
|
|
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
|
|
|
|
%make_install -C src
|
2013-06-09 16:19:29 +02:00
|
|
|
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
|
|
|
|
# of the buildconf patch already conspire to strip out /usr/<anything> from the
|
|
|
|
# list of link flags, and it helps prevent file conflicts on multilib systems.
|
2019-02-14 09:52:23 +01:00
|
|
|
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
|
2013-06-09 16:19:29 +02:00
|
|
|
|
2012-02-28 10:04:15 +01:00
|
|
|
# install autoconf macro
|
|
|
|
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
|
|
|
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
2006-12-19 00:16:52 +01:00
|
|
|
# install sample config files
|
|
|
|
# I'll probably do something about this later on
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}
|
2018-05-01 05:19:15 +02:00
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
|
2006-12-19 00:16:52 +01:00
|
|
|
mkdir -p %{buildroot}/etc/profile.d/
|
|
|
|
mkdir -p %{buildroot}/var/log/krb5
|
2007-04-20 01:22:05 +02:00
|
|
|
# create plugin directories
|
|
|
|
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
|
|
|
|
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
|
|
|
|
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
|
2015-01-06 11:58:20 +01:00
|
|
|
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
|
2006-12-19 00:16:52 +01:00
|
|
|
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
|
|
|
|
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
|
|
|
|
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
|
|
|
|
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
|
|
|
|
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
|
|
|
|
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
|
|
|
|
install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
|
|
|
|
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
|
|
|
|
# Where per-user keytabs live by default.
|
|
|
|
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
|
|
|
|
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
|
|
|
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
|
|
|
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
|
|
|
|
2006-12-19 00:16:52 +01:00
|
|
|
# all libs must have permissions 0755
|
|
|
|
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
|
|
|
do
|
|
|
|
chmod 0755 ${lib}
|
|
|
|
done
|
2007-06-15 00:30:00 +02:00
|
|
|
# and binaries too
|
|
|
|
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
|
2012-10-05 16:25:10 +02:00
|
|
|
# install systemd files
|
2012-10-05 17:26:30 +02:00
|
|
|
%if 0%{?suse_version} >= 1210
|
2012-10-05 16:25:10 +02:00
|
|
|
mkdir -p %{buildroot}%{_unitdir}
|
|
|
|
install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
|
|
|
|
install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
|
|
|
|
install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
|
2014-02-18 18:40:34 +01:00
|
|
|
%else
|
|
|
|
# install init scripts
|
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/init.d
|
|
|
|
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
|
|
|
|
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
|
|
|
|
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
|
2012-10-05 17:26:30 +02:00
|
|
|
%endif
|
2012-10-05 16:25:10 +02:00
|
|
|
# install sysconfig templates
|
2019-02-14 09:52:23 +01:00
|
|
|
mkdir -p %{buildroot}/%{_fillupdir}
|
|
|
|
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
|
|
|
|
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
|
2006-12-19 00:16:52 +01:00
|
|
|
# install logrotate files
|
|
|
|
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
|
2007-06-15 00:26:00 +02:00
|
|
|
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
|
2019-02-14 09:52:23 +01:00
|
|
|
find . -type f -name '*.ps' -exec gzip -9 {} +
|
2006-12-19 00:16:52 +01:00
|
|
|
# create rc* links
|
|
|
|
mkdir -p %{buildroot}/usr/bin/
|
2012-10-05 17:26:30 +02:00
|
|
|
mkdir -p %{buildroot}/usr/sbin/
|
2014-02-18 18:40:34 +01:00
|
|
|
%if 0%{?suse_version} >= 1210
|
|
|
|
%if 0%{?suse_version} > 1220
|
|
|
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckadmind
|
|
|
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckrb5kdc
|
|
|
|
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckpropd
|
|
|
|
%else
|
|
|
|
ln -s /sbin/service %{buildroot}%{_sbindir}/rckadmind
|
|
|
|
ln -s /sbin/service %{buildroot}%{_sbindir}/rckrb5kdc
|
|
|
|
ln -s /sbin/service %{buildroot}%{_sbindir}/rcpropd
|
|
|
|
%endif
|
|
|
|
%else
|
2012-10-05 17:26:30 +02:00
|
|
|
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind
|
|
|
|
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc
|
|
|
|
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd
|
2014-02-18 18:40:34 +01:00
|
|
|
%endif
|
2006-12-19 00:16:52 +01:00
|
|
|
# create links for kinit and klist, because of the java ones
|
|
|
|
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
|
|
|
|
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
|
|
|
|
# install doc
|
|
|
|
install -d -m 755 %{buildroot}/%{krb5docdir}
|
|
|
|
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
|
2019-05-08 12:10:09 +02:00
|
|
|
install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
|
|
|
|
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
|
|
|
|
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
|
2016-11-24 15:43:00 +01:00
|
|
|
# link pam-config for su to ksu
|
|
|
|
mkdir -p %{buildroot}/etc/pam.d/
|
|
|
|
install -m 644 %{S:6} %{buildroot}/etc/pam.d/ksu
|
|
|
|
|
2006-12-19 00:16:52 +01:00
|
|
|
# cleanup
|
|
|
|
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
2017-01-27 16:29:04 +01:00
|
|
|
rm -f /usr/share/man/man1/tmac.doc* html/.doctrees/environment.pickle
|
2013-01-25 15:30:07 +01:00
|
|
|
rm -rf %{buildroot}/usr/lib/mit/share/examples
|
2016-01-10 17:41:42 +01:00
|
|
|
# manually remove test plugin since configure doesn't support disabling it at build time
|
|
|
|
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
2013-06-09 16:19:29 +02:00
|
|
|
|
|
|
|
%find_lang mit-krb5
|
2013-03-15 11:21:16 +01:00
|
|
|
|
2013-06-24 18:22:21 +02:00
|
|
|
%post -p /sbin/ldconfig
|
|
|
|
|
2016-07-02 09:38:07 +02:00
|
|
|
%postun -p /sbin/ldconfig
|
2009-07-08 19:41:43 +02:00
|
|
|
|
2012-10-05 16:25:10 +02:00
|
|
|
%preun server
|
|
|
|
%service_del_preun krb5kdc.service kadmind.service kpropd.service
|
2006-12-19 00:16:52 +01:00
|
|
|
|
|
|
|
%postun server
|
2012-10-05 16:25:10 +02:00
|
|
|
%service_del_postun krb5kdc.service kadmind.service kpropd.service
|
|
|
|
|
|
|
|
%post server
|
|
|
|
%service_add_post krb5kdc.service kadmind.service kpropd.service
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%tmpfiles_create krb5.conf
|
2012-10-05 16:25:10 +02:00
|
|
|
%{fillup_only -n kadmind}
|
|
|
|
%{fillup_only -n krb5kdc}
|
|
|
|
%{fillup_only -n kpropd}
|
|
|
|
|
|
|
|
%pre server
|
|
|
|
%service_add_pre krb5kdc.service kadmind.service kpropd.service
|
|
|
|
|
2012-10-15 15:04:28 +02:00
|
|
|
%post plugin-kdb-ldap -p /sbin/ldconfig
|
2009-07-08 19:41:43 +02:00
|
|
|
|
2016-07-02 09:38:07 +02:00
|
|
|
%postun plugin-kdb-ldap -p /sbin/ldconfig
|
2012-10-05 16:25:10 +02:00
|
|
|
|
2009-07-08 19:41:43 +02:00
|
|
|
%files devel
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir /usr/lib/mit
|
|
|
|
%dir /usr/lib/mit/bin
|
|
|
|
%dir /usr/lib/mit/sbin
|
2013-01-25 15:30:07 +01:00
|
|
|
%dir /usr/lib/mit/share
|
2012-02-28 10:04:15 +01:00
|
|
|
%dir %{_datadir}/aclocal
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/libgssrpc.so
|
|
|
|
%{_libdir}/libk5crypto.so
|
2010-03-23 12:40:55 +01:00
|
|
|
%{_libdir}/libkadm5clnt_mit.so
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/libkadm5clnt.so
|
2010-03-23 12:40:55 +01:00
|
|
|
%{_libdir}/libkadm5srv_mit.so
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/libkadm5srv.so
|
|
|
|
%{_libdir}/libkdb5.so
|
|
|
|
%{_libdir}/libkrb5.so
|
|
|
|
%{_libdir}/libkrb5support.so
|
2014-01-15 15:14:20 +01:00
|
|
|
%{_libdir}/libkrad.so
|
|
|
|
%{_libdir}/pkgconfig/gssrpc.pc
|
|
|
|
%{_libdir}/pkgconfig/kadm-client.pc
|
|
|
|
%{_libdir}/pkgconfig/kadm-server.pc
|
|
|
|
%{_libdir}/pkgconfig/kdb.pc
|
|
|
|
%{_libdir}/pkgconfig/krb5-gssapi.pc
|
|
|
|
%{_libdir}/pkgconfig/krb5.pc
|
|
|
|
%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
|
|
|
|
%{_libdir}/pkgconfig/mit-krb5.pc
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_includedir}/*
|
|
|
|
/usr/lib/mit/bin/krb5-config
|
|
|
|
/usr/lib/mit/sbin/krb5-send-pr
|
2013-04-28 17:33:40 +02:00
|
|
|
%{_mandir}/man1/krb5-config.1*
|
2012-02-28 10:04:15 +01:00
|
|
|
%{_datadir}/aclocal/ac_check_krb5.m4
|
2012-10-05 16:25:10 +02:00
|
|
|
|
2013-06-09 16:19:29 +02:00
|
|
|
%files -f mit-krb5.lang
|
2006-12-19 00:16:52 +01:00
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir %{krb5docdir}
|
2007-04-20 01:22:05 +02:00
|
|
|
# add plugin directories
|
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/kdb
|
|
|
|
%dir %{_libdir}/krb5/plugins/preauth
|
|
|
|
%dir %{_libdir}/krb5/plugins/libkrb5
|
2015-01-06 11:58:20 +01:00
|
|
|
%dir %{_libdir}/krb5/plugins/tls
|
2007-04-20 01:22:05 +02:00
|
|
|
# add log directory
|
2006-12-19 00:16:52 +01:00
|
|
|
%attr(0700,root,root) %dir /var/log/krb5
|
2009-07-08 19:41:43 +02:00
|
|
|
%doc %{krb5docdir}/README
|
2006-12-19 00:16:52 +01:00
|
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
|
2018-05-01 05:19:15 +02:00
|
|
|
%dir %{_sysconfdir}/krb5.conf.d
|
2006-12-19 00:16:52 +01:00
|
|
|
%attr(0644,root,root) %config /etc/profile.d/krb5*
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/libgssapi_krb5.*
|
|
|
|
%{_libdir}/libgssrpc.so.*
|
|
|
|
%{_libdir}/libk5crypto.so.*
|
2010-03-23 12:40:55 +01:00
|
|
|
%{_libdir}/libkadm5clnt_mit.so.*
|
|
|
|
%{_libdir}/libkadm5srv_mit.so.*
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/libkdb5.so.*
|
|
|
|
%{_libdir}/libkrb5.so.*
|
|
|
|
%{_libdir}/libkrb5support.so.*
|
2014-01-15 15:14:20 +01:00
|
|
|
%{_libdir}/libkrad.so.*
|
2018-06-18 13:26:07 +02:00
|
|
|
%{_libdir}/krb5/plugins/tls/*.so
|
2006-12-19 00:16:52 +01:00
|
|
|
|
|
|
|
%files server
|
|
|
|
%defattr(-,root,root)
|
2013-06-09 16:19:29 +02:00
|
|
|
%attr(0700,root,root) %dir /var/log/krb5
|
2007-06-15 00:26:00 +02:00
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
|
2012-10-05 17:26:30 +02:00
|
|
|
%if 0%{?suse_version} >= 1210
|
2012-10-05 16:25:10 +02:00
|
|
|
%{_unitdir}/kadmind.service
|
|
|
|
%{_unitdir}/krb5kdc.service
|
|
|
|
%{_unitdir}/kpropd.service
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%{_libexecdir}/tmpfiles.d/krb5.conf
|
2014-02-18 18:40:34 +01:00
|
|
|
%else
|
|
|
|
%{_sysconfdir}/init.d/kadmind
|
|
|
|
%{_sysconfdir}/init.d/krb5kdc
|
|
|
|
%{_sysconfdir}/init.d/kpropd
|
2012-10-05 17:26:30 +02:00
|
|
|
%endif
|
2006-12-19 00:16:52 +01:00
|
|
|
%dir %{krb5docdir}
|
|
|
|
%dir /usr/lib/mit
|
|
|
|
%dir /usr/lib/mit/sbin
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%dir %{_datadir}/kerberos/
|
|
|
|
%dir %{_datadir}/kerberos/krb5kdc
|
|
|
|
%dir %{_datadir}/kerberos/krb5
|
|
|
|
%dir %{_datadir}/kerberos/krb5/user
|
2006-12-19 00:16:52 +01:00
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/kdb
|
2015-01-06 11:58:20 +01:00
|
|
|
%dir %{_libdir}/krb5/plugins/tls
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
|
|
|
|
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
|
|
|
|
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
|
|
|
|
%ghost %dir %{_sharedstatedir}/kerberos/
|
|
|
|
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
|
|
|
|
%ghost %dir %{_sharedstatedir}/kerberos/krb5
|
|
|
|
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
|
|
|
|
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
|
|
|
|
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
|
|
|
|
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
|
2017-11-23 15:51:34 +01:00
|
|
|
%{_fillupdir}/sysconfig.*
|
2012-10-05 17:26:30 +02:00
|
|
|
/usr/sbin/rc*
|
2006-12-19 00:16:52 +01:00
|
|
|
/usr/lib/mit/sbin/kadmin.local
|
|
|
|
/usr/lib/mit/sbin/kadmind
|
|
|
|
/usr/lib/mit/sbin/kpropd
|
2009-07-08 19:41:43 +02:00
|
|
|
/usr/lib/mit/sbin/kproplog
|
2006-12-19 00:16:52 +01:00
|
|
|
/usr/lib/mit/sbin/kprop
|
|
|
|
/usr/lib/mit/sbin/kdb5_util
|
|
|
|
/usr/lib/mit/sbin/krb5kdc
|
2010-03-23 12:40:55 +01:00
|
|
|
/usr/lib/mit/sbin/gss-server
|
|
|
|
/usr/lib/mit/sbin/sim_server
|
|
|
|
/usr/lib/mit/sbin/sserver
|
|
|
|
/usr/lib/mit/sbin/uuserver
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/krb5/plugins/kdb/db2.so
|
2006-12-19 00:16:52 +01:00
|
|
|
%{_mandir}/man5/kdc.conf.5*
|
2013-03-15 11:21:16 +01:00
|
|
|
%{_mandir}/man5/kadm5.acl.5*
|
2006-12-19 00:16:52 +01:00
|
|
|
%{_mandir}/man8/kadmind.8*
|
|
|
|
%{_mandir}/man8/kadmin.local.8*
|
|
|
|
%{_mandir}/man8/kpropd.8*
|
|
|
|
%{_mandir}/man8/kprop.8*
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_mandir}/man8/kproplog.8.gz
|
2006-12-19 00:16:52 +01:00
|
|
|
%{_mandir}/man8/kdb5_util.8*
|
|
|
|
%{_mandir}/man8/krb5kdc.8*
|
2010-03-23 12:40:55 +01:00
|
|
|
%{_mandir}/man8/sserver.8*
|
2006-12-19 00:16:52 +01:00
|
|
|
|
|
|
|
%files client
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir /usr/lib/mit
|
|
|
|
%dir /usr/lib/mit/bin
|
|
|
|
%dir /usr/lib/mit/sbin
|
2016-11-24 15:43:00 +01:00
|
|
|
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ksu
|
2006-12-19 00:16:52 +01:00
|
|
|
/usr/lib/mit/bin/kvno
|
|
|
|
/usr/lib/mit/bin/kinit
|
|
|
|
/usr/lib/mit/bin/kdestroy
|
|
|
|
/usr/lib/mit/bin/kpasswd
|
|
|
|
/usr/lib/mit/bin/klist
|
2009-07-08 19:41:43 +02:00
|
|
|
/usr/lib/mit/bin/kadmin
|
|
|
|
/usr/lib/mit/bin/ktutil
|
|
|
|
/usr/lib/mit/bin/k5srvutil
|
2010-03-23 12:40:55 +01:00
|
|
|
/usr/lib/mit/bin/gss-client
|
|
|
|
/usr/lib/mit/bin/ksu
|
|
|
|
/usr/lib/mit/bin/sclient
|
|
|
|
/usr/lib/mit/bin/sim_client
|
|
|
|
/usr/lib/mit/bin/uuclient
|
2012-06-06 17:14:50 +02:00
|
|
|
/usr/lib/mit/bin/kswitch
|
2006-12-19 00:16:52 +01:00
|
|
|
/usr/bin/kinit
|
|
|
|
/usr/bin/klist
|
|
|
|
%{_mandir}/man1/kvno.1*
|
|
|
|
%{_mandir}/man1/kinit.1*
|
|
|
|
%{_mandir}/man1/kdestroy.1*
|
|
|
|
%{_mandir}/man1/kpasswd.1*
|
|
|
|
%{_mandir}/man1/klist.1*
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_mandir}/man1/kadmin.1*
|
|
|
|
%{_mandir}/man1/ktutil.1*
|
|
|
|
%{_mandir}/man1/k5srvutil.1*
|
2012-06-06 17:14:50 +02:00
|
|
|
%{_mandir}/man1/kswitch.1*
|
2007-01-26 17:41:59 +01:00
|
|
|
%{_mandir}/man5/krb5.conf.5*
|
|
|
|
%{_mandir}/man5/.k5login.5*
|
2012-06-06 17:14:50 +02:00
|
|
|
%{_mandir}/man5/.k5identity.5*
|
|
|
|
%{_mandir}/man5/k5identity.5*
|
|
|
|
%{_mandir}/man5/k5login.5*
|
2010-03-23 12:40:55 +01:00
|
|
|
%{_mandir}/man1/ksu.1.gz
|
|
|
|
%{_mandir}/man1/sclient.1.gz
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%{_mandir}/man7/kerberos.7.gz
|
2006-12-19 00:16:52 +01:00
|
|
|
|
2009-07-08 19:41:43 +02:00
|
|
|
%files plugin-kdb-ldap
|
2006-12-19 00:16:52 +01:00
|
|
|
%defattr(-,root,root)
|
2009-07-08 19:41:43 +02:00
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/kdb
|
|
|
|
%dir /usr/lib/mit/sbin/
|
2019-05-08 12:10:09 +02:00
|
|
|
%dir %{_datadir}/kerberos
|
|
|
|
%dir %{_datadir}/kerberos/ldap
|
|
|
|
%config %{_datadir}/kerberos/ldap/kerberos.schema
|
|
|
|
%config %{_datadir}/kerberos/ldap/kerberos.ldif
|
2009-07-08 19:41:43 +02:00
|
|
|
%{_libdir}/krb5/plugins/kdb/kldap.so
|
|
|
|
/usr/lib/mit/sbin/kdb5_ldap_util
|
|
|
|
%{_libdir}/libkdb_ldap*
|
|
|
|
%{_mandir}/man8/kdb5_ldap_util.8*
|
|
|
|
|
|
|
|
%files plugin-preauth-pkinit
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/preauth
|
|
|
|
%{_libdir}/krb5/plugins/preauth/pkinit.so
|
2013-03-15 11:21:16 +01:00
|
|
|
|
2014-01-15 15:14:20 +01:00
|
|
|
%files plugin-preauth-otp
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/preauth
|
|
|
|
%{_libdir}/krb5/plugins/preauth/otp.so
|
|
|
|
|
Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 18:01:33 +01:00
|
|
|
%files plugin-preauth-spake
|
|
|
|
%defattr(-,root,root)
|
|
|
|
%dir %{_libdir}/krb5
|
|
|
|
%dir %{_libdir}/krb5/plugins
|
|
|
|
%dir %{_libdir}/krb5/plugins/preauth
|
|
|
|
%{_libdir}/krb5/plugins/preauth/spake.so
|
|
|
|
|
2007-02-19 21:42:34 +01:00
|
|
|
%changelog
|