--- old/usr/src/cmd/gss/gssd/gssd_clnt_stubs.c Thu May 7 01:13:43 2009 +++ new/usr/src/cmd/gss/gssd/gssd_clnt_stubs.c Thu May 7 01:13:42 2009 @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -19,13 +18,12 @@ * * CDDL HEADER END */ + /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * GSSAPI library stub module for gssd. */ @@ -163,7 +161,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (output_cred_handle != NULL) *output_cred_handle = NULL; if (actual_mechs != NULL) @@ -511,7 +509,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (cred_handle != NULL) *cred_handle = NULL; @@ -686,7 +684,7 @@ /* initialize the output parameters to empty values */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (actual_mech_type != NULL) *actual_mech_type = NULL; if (output_token != NULL) 
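Review bot: `DEFAULT_MINOR_STAT` replaces the literal `0xffffffff` in this and the other initialisation hunks of the file, but nothing in the diff defines it, so it presumably comes from a shared header; it is worth confirming that it expands to the same value, since these assignments are the early-return minor status callers see. None of the hunks shown for the kernel copy of these stubs (usr/src/uts/common/gssapi/gssd_clnt_stubs.c, later in this diff) make the equivalent switch, so the two copies may now spell the same constant differently. The enclosing function starts and ends outside the hunk.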
@@ -706,7 +704,22 @@ return (GSS_S_FAILURE); } + /* + * We could return from a GSS error here and need to return both the + * minor_status and output_token, back to the caller if applicable. + */ + if (minor_status != NULL) + *minor_status = res.minor_status; + if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) { + output_token->length = + (size_t)res.output_token.GSS_BUFFER_T_len; + output_token->value = + (void *)res.output_token.GSS_BUFFER_T_val; + res.output_token.GSS_BUFFER_T_val = NULL; + res.output_token.GSS_BUFFER_T_len = 0; + } + /* free the allocated memory for the flattened name */ gss_release_buffer(&minor_status_temp, &external_name); @@ -714,29 +727,14 @@ if (res.status == (OM_uint32) GSS_S_COMPLETE || res.status == (OM_uint32) GSS_S_CONTINUE_NEEDED) { /* - * copy the rpc results into the return arguments - * on CONTINUE_NEEDED only the output token, minor - * code and ctxt handle are ready. + * copy the rpc results into the return argument + * on CONTINUE_NEEDED only ctx handle is ready. */ - if (minor_status != NULL) - *minor_status = res.minor_status; /*LINTED*/ *context_handle = *((OM_uint32 *) res.context_handle.GSS_CTX_ID_T_val); - - /*LINTED*/ - *context_handle = *((OM_uint32 *) - res.context_handle.GSS_CTX_ID_T_val); *gssd_context_verifier = res.gssd_context_verifier; - if (output_token != NULL) { - output_token->length = - (size_t)res.output_token.GSS_BUFFER_T_len; - output_token->value = - (void *)res.output_token.GSS_BUFFER_T_val; - res.output_token.GSS_BUFFER_T_val = NULL; - res.output_token.GSS_BUFFER_T_len = 0; - } /* the rest of the parameters is only ready on COMPLETE */ if (res.status == GSS_S_COMPLETE) { @@ -925,7 +923,7 @@ /* set the output parameters to empty values.... */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (src_name != NULL) { src_name->length = 0; src_name->value = NULL; 
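Review bot: The block added to the init_sec_context stub hands the XDR-allocated token to the caller before `res.status` is examined, so the caller now owns `output_token->value` even when the major status is a GSS error, and the comment above it ("We could return from a GSS error here…") does not state that contract. Suggest replacing it with a comment that says what the block guarantees: `/* Copy out minor_status and any output token now: on a GSS error the mech may still return an error token, and the caller must gss_release_buffer() it. Clearing the rpc copy keeps the later result free from releasing it. */` (wrapped to cstyle width), since the clearing of `GSS_BUFFER_T_val`/`GSS_BUFFER_T_len` only makes sense if a later xdr_free of `res` is assumed, which is outside the hunk. The same block is added to the accept_sec_context stub at @@ -947 and to the kernel stubs at @@ -766 and @@ -1055, where a one-line pointer to this comment would do. The enclosing function starts and ends outside the hunk.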
@@ -947,13 +945,27 @@ return (GSS_S_FAILURE); } + /* + * We could return from a GSS error here and need to return both the + * minor_status and output_token, back to the caller if applicable. + */ + if (minor_status != NULL) + *minor_status = res.minor_status; + if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) { + output_token->length = + res.output_token.GSS_BUFFER_T_len; + output_token->value = + (void *) res.output_token.GSS_BUFFER_T_val; + res.output_token.GSS_BUFFER_T_val = 0; + res.output_token.GSS_BUFFER_T_len = 0; + } + if (res.status == (OM_uint32) GSS_S_COMPLETE || res.status == (OM_uint32) GSS_S_CONTINUE_NEEDED) { /* * when gss returns CONTINUE_NEEDED we can only - * use the context, minor, and output token - * parameters. + * use the context parameter. */ /*LINTED*/ *context_handle = *((gssd_ctx_id_t *) @@ -960,22 +972,9 @@ res.context_handle.GSS_CTX_ID_T_val); *gssd_context_verifier = res.gssd_context_verifier; - if (output_token != NULL) { - output_token->length = - res.output_token.GSS_BUFFER_T_len; - output_token->value = - (void *) res.output_token.GSS_BUFFER_T_val; - res.output_token.GSS_BUFFER_T_val = 0; - res.output_token.GSS_BUFFER_T_len = 0; - } - - if (minor_status != NULL) - *minor_status = res.minor_status; - /* the other parameters are ready on for COMPLETE */ if (res.status == GSS_S_COMPLETE) { - /* * The src_name is in external format. */ @@ -1127,7 +1126,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; return (GSS_S_FAILURE); } @@ -1182,7 +1181,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (context_handle != NULL) *context_handle = NULL; if (output_token != NULL) 
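Review bot: In the moved copy-out `res.output_token.GSS_BUFFER_T_val = 0;` clears a pointer with `0`, while the identical block in the init_sec_context stub (@@ -706) uses `NULL`, casts the length with `(size_t)` and writes `(void *)res…` without a space; both blocks are new-side code now and should read alike. Suggest `output_token->length = (size_t)res.output_token.GSS_BUFFER_T_len;` and `res.output_token.GSS_BUFFER_T_val = NULL;` here. The enclosing function starts and ends outside the hunk.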
@@ -1203,7 +1202,7 @@ *context_handle = *((gssd_ctx_id_t *) res.context_handle.GSS_CTX_ID_T_val); - if (output_token != NULL) { + if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) { output_token->length = res.output_token.GSS_BUFFER_T_len; output_token->value = res.output_token.GSS_BUFFER_T_val; res.output_token.GSS_BUFFER_T_len = 0; @@ -1309,7 +1308,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (msg_token != NULL) msg_token->length = 0; @@ -1402,7 +1401,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (qop_state != NULL) *qop_state = 0; @@ -1498,7 +1497,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (conf_state != NULL) *conf_state = 0; if (output_message_buffer != NULL) @@ -1604,7 +1603,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (output_message_buffer != NULL) output_message_buffer->length = 0; if (conf_state != NULL) @@ -1723,17 +1722,17 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; return (GSS_S_FAILURE); } + if (minor_status != NULL) + *minor_status = res.minor_status; /* now process the results and pass them back to the caller */ if (res.status == GSS_S_COMPLETE) { - if (minor_status != NULL) - *minor_status = res.minor_status; if (message_context != NULL) *message_context = res.message_context; if (status_string != NULL) { @@ -1780,7 +1779,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (mech_set != NULL) *mech_set = NULL; @@ -1873,7 +1872,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; if (name != NULL) *name = NULL; if (lifetime != NULL) 
@@ -2042,7 +2041,7 @@ */ if (minor_status != NULL) - *minor_status = 0xffffffff; + *minor_status = DEFAULT_MINOR_STAT; return (GSS_S_FAILURE); } @@ -2348,7 +2347,7 @@ *context_handle = *((gssd_ctx_id_t *)res.context_handle.GSS_CTX_ID_T_val); - if (output_token != NULL) { + if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) { output_token->length = res.output_token.GSS_BUFFER_T_len; output_token->value = (void *) MALLOC(output_token->length); --- old/usr/src/cmd/krb5/kadmin/kclient/kclient.sh Thu May 7 01:13:44 2009 +++ new/usr/src/cmd/krb5/kadmin/kclient/kclient.sh Thu May 7 01:13:43 2009 @@ -19,7 +19,7 @@ # # CDDL HEADER END # -# Copyright 2008 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # This script is used to setup the Kerberos client by @@ -31,12 +31,11 @@ # bringover a master krb5.conf copy from a specified location. function cleanup { - integer ret=$1 - kdestroy -q 1> $TMP_FILE 2>&1 + kdestroy -q > $TMP_FILE 2>&1 rm -r $TMPDIR > /dev/null 2>&1 - exit $ret + exit $1 } function exiting { @@ -47,8 +46,8 @@ function error_message { - printf -- "---------------------------------------------------\n" - printf "$(gettext "Setup FAILED").\n\n" + printf -- "---------------------------------------------------\n" >&2 + printf "$(gettext "Setup FAILED").\n\n" >&2 cleanup 1 } @@ -58,7 +57,7 @@ typeset bin=$1 if [[ ! -x $bin ]]; then - printf "$(gettext "Could not access/execute %s").\n" $bin + printf "$(gettext "Could not access/execute %s").\n" $bin >&2 error_message fi } @@ -195,7 +194,7 @@ exec 3>$KRB5_CONFIG if [[ $? -ne 0 ]]; then - printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG + printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG >&2 error_message fi 
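Review bot: With `integer ret=$1` removed, `exit $1` in cleanup exits with the status of the preceding `rm -r` whenever cleanup is invoked without an argument (an empty operand makes ksh's exit use `$?`), whereas the old code exited 0 in that case; `exit ${1:-0}` keeps the old behaviour. `$TMP_FILE` in the kdestroy redirection is unquoted and, if cleanup can ever run before TMP_FILE is assigned (the call sites are outside the hunk), the empty target makes the shell report a redirection error instead of running kdestroy; `> ${TMP_FILE:-/dev/null}` avoids that.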
@@ -865,7 +864,7 @@ exec 3>$KRB5_CONFIG if [[ $? -ne 0 ]]; then - printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG + printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG >&2 error_message fi @@ -899,7 +898,7 @@ grep ^schemaNamingContext|read j schemaNamingContext if [[ $? -ne 0 ]]; then - printf "$(gettext "Can't find forest").\n" + printf "$(gettext "Can't find forest").\n" >&2 error_message fi schemaNamingContext=${schemaNamingContext#CN=Schema,CN=Configuration,} @@ -939,9 +938,14 @@ gc=$ForestDnsZones } +# +# The local variables used to calculate the IP address are of type unsigned +# integer (-ui), as this is required to restrict the integer to 32b. +# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b. +# function ipAddr2num { typeset OIFS - typeset -i16 num byte + typeset -ui16 num if [[ "$1" != +([0-9]).+([0-9]).+([0-9]).+([0-9]) ]] then @@ -959,9 +963,14 @@ print -- $num } +# +# The local variables used to calculate the IP address are of type unsigned +# integer (-ui), as this is required to restrict the integer to 32b. +# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b. +# function num2ipAddr { - typeset -i16 num - typeset -i10 a b c d + typeset -ui16 num + typeset -ui10 a b c d num=$1 a=$((num>>24 )) @@ -971,8 +980,13 @@ print -- $a.$b.$c.$d } +# +# The local variables used to calculate the IP address are of type unsigned +# integer (-ui), as this is required to restrict the integer to 32b. +# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b. +# function netmask2length { - typeset -i16 netmask + typeset -ui16 netmask typeset -i len netmask=$1 
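Review bot: The comment added above ipAddr2num misspells `assummed` (→ `assumed`), and the same four-line block is repeated verbatim above num2ipAddr, netmask2length and getSubnets (@@ -959, @@ -971, @@ -985) even though two of those work on netmasks rather than IP addresses; one comment above the group, e.g. `# The integer variables below are unsigned (-ui) so values stay within 32 bits; Solaris ksh treats plain -i as 64-bit.`, would serve all four. The `typeset` line also drops `byte` from the declaration; if the body of ipAddr2num (outside the hunk) still assigns `byte`, it is now an untyped global rather than a local hex integer, which is worth confirming.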
@@ -985,9 +999,14 @@ print $len } +# +# The local variables used to calculate the IP address are of type unsigned +# integer (-ui), as this is required to restrict the integer to 32b. +# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b. +# function getSubnets { - typeset -i16 addr netmask - typeset -i16 classa=16\#ff000000 + typeset -ui16 addr netmask + typeset -ui16 classa=16\#ff000000 ifconfig -a|while read line do @@ -1112,7 +1131,7 @@ query "$(gettext "Do you want the client to join a new domain") ?" printf "\n" if [[ $answer != yes ]]; then - printf "$(gettext "Client will not be joined to the new domain").\n" + printf "$(gettext "Client will not be joined to the new domain").\n" >&2 error_message fi fi @@ -1129,7 +1148,7 @@ if [[ -n $dc ]]; then KDC=$dc else - printf "$(gettext "Could not find domain controller server for '%s'. Exiting").\n" $realm + printf "$(gettext "Could not find domain controller server for '%s'. Exiting").\n" $realm >&2 error_message fi fi @@ -1150,7 +1169,7 @@ fi if ! discover_domain; then - printf "$(gettext "Can not find realm") '%s'.\n" $realm + printf "$(gettext "Can not find realm") '%s'.\n" $realm >&2 error_message fi @@ -1192,7 +1211,7 @@ kinit $cprinc@$realm if [[ $? -ne 0 ]]; then - printf "$(gettext "Could not authenticate %s. Exiting").\n" $cprinc@$realm + printf "$(gettext "Could not authenticate %s. Exiting").\n" $cprinc@$realm >&2 error_message fi @@ -1218,7 +1237,7 @@ fi if [[ ${#GCs} -eq 0 ]]; then - printf "$(gettext "Could not find global catalogs. Exiting").\n" + printf "$(gettext "Could not find global catalogs. Exiting").\n" >&2 error_message fi 
@@ -1233,7 +1252,7 @@ domainControllerFunctionality| grep ^domainControllerFunctionality| \ read j level if [[ $? -ne 0 ]]; then - printf "$(gettext "Search for domain functionality failed, exiting").\n" + printf "$(gettext "Search for domain functionality failed, exiting").\n" >&2 error_message fi # Longhorn and above can't perform an init auth from service @@ -1246,7 +1265,7 @@ then : else - printf "$(gettext "Search for node failed, exiting").\n" + printf "$(gettext "Search for node failed, exiting").\n" >&2 error_message fi ldapsearch -R -T -h "$dc" $ldap_args -b "$baseDN" -s sub \ @@ -1287,13 +1306,13 @@ if $recreate; then ldapdelete -h "$dc" $ldap_args "$dn" > /dev/null 2>&1 if [[ $? -ne 0 ]]; then - printf "$(gettext "Error in deleting object: %s").\n" ${sub_dn#$dn} + printf "$(gettext "Error in deleting object: %s").\n" ${sub_dn#$dn} >&2 error_message fi elif $modify_existing; then : # Nothing to delete else - printf "$(gettext "A machine account already exists").\n" + printf "$(gettext "A machine account already exists").\n" >&2 error_message fi fi @@ -1318,7 +1337,7 @@ printf "$(gettext "A machine account already exists; updating it").\n" ldapadd -h "$dc" $ldap_args -f "$object" > /dev/null 2>&1 if [[ $? -ne 0 ]]; then - printf "$(gettext "Failed to create the AD object via LDAP").\n" + printf "$(gettext "Failed to create the AD object via LDAP").\n" >&2 error_message fi else @@ -1337,7 +1356,7 @@ ldapadd -h "$dc" $ldap_args -f "$object" > /dev/null 2>&1 if [[ $? -ne 0 ]]; then - printf "$(gettext "Failed to create the AD object via LDAP").\n" + printf "$(gettext "Failed to create the AD object via LDAP").\n" >&2 error_message fi fi @@ -1378,7 +1397,7 @@ printf "%s" $newpw | $KSETPW ${netbios_nodename}@${realm} > /dev/null 2>&1 if [[ $? -ne 0 ]] then - printf "$(gettext "Failed to set account password").\n" + printf "$(gettext "Failed to set account password").\n" >&2 error_message fi 
@@ -1416,8 +1435,7 @@ fi if encrypt -l | $grep -q ^des then - ((val=val+1+2)) - enctypes[${#enctypes[@]}]=des-cbc-crc + ((val=val+2)) enctypes[${#enctypes[@]}]=des-cbc-md5 fi @@ -1424,7 +1442,7 @@ if [[ ${#enctypes[@]} -eq 0 ]] then printf "$(gettext "No enctypes are supported").\n" - printf "$(gettext "Please enable arcfour or 1DES, then re-join; see cryptoadm(1M)").\n" + printf "$(gettext "Please enable arcfour or 1DES, then re-join; see cryptoadm(1M)").\n" >&2 error_message fi @@ -1462,7 +1480,7 @@ EOF ldapmodify -h "$dc" $ldap_args -f "$object" >/dev/null 2>&1 if [[ $? -ne 0 ]]; then - printf "$(gettext "ldapmodify failed to modify account attribute").\n" + printf "$(gettext "ldapmodify failed to modify account attribute").\n" >&2 error_message fi 
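Review bot: In the @@ -1424 hunk only the second half of the two-line failure message is sent to stderr; the context line `printf "$(gettext "No enctypes are supported").\n"` just above it still goes to stdout, so the message is split across streams, which is the very inconsistency the rest of the commit removes. Add the redirection there too: `printf "$(gettext "No enctypes are supported").\n" >&2`.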
@@ -1483,44 +1501,66 @@ servicePrincipalName: nfs/${fqdn} servicePrincipalName: HTTP/${fqdn} servicePrincipalName: root/${fqdn} +servicePrincipalName: cifs/${fqdn} EOF ldapmodify -h "$dc" $ldap_args -f "$object" >/dev/null 2>&1 if [[ $? -ne 0 ]]; then - printf "$(gettext "ldapmodify failed to modify account attribute").\n" + printf "$(gettext "ldapmodify failed to modify account attribute").\n" >&2 error_message fi - printf "%s" $newpw | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" host/${fqdn}@${realm} > /dev/null 2>&1 + # + # In Windows, unlike MIT based implementations we salt the keys with + # the UPN, which is based on the host/fqdn@realm elements, not with the + # individual SPN strings. + # + salt=host/${fqdn}@${realm} + + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" host/${fqdn}@${realm} > /dev/null 2>&1 if [[ $? -ne 0 ]] then - printf "$(gettext "Failed to set account password").\n" + printf "$(gettext "Failed to set account password").\n" >&2 error_message fi + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" HOST/${fqdn}@${realm} > /dev/null 2>&1 + if [[ $? -ne 0 ]] + then + printf "$(gettext "Failed to set account password").\n" >&2 + error_message + fi + # Could be setting ${netbios_nodename}@${realm}, but for now no one # is requesting this. - print "%s" $newpw | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" nfs/${fqdn}@${realm} > /dev/null 2>&1 + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" nfs/${fqdn}@${realm} > /dev/null 2>&1 if [[ $? -ne 0 ]] then - printf "$(gettext "Failed to set account password").\n" + printf "$(gettext "Failed to set account password").\n" >&2 error_message fi - print "%s" $newpw | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" HTTP/${fqdn}@${realm} > /dev/null 2>&1 + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" HTTP/${fqdn}@${realm} > /dev/null 2>&1 if [[ $? 
-ne 0 ]] then - printf "$(gettext "Failed to set account password").\n" + printf "$(gettext "Failed to set account password").\n" >&2 error_message fi - print "%s" $newpw | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" root/${fqdn}@${realm} > /dev/null 2>&1 + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" root/${fqdn}@${realm} > /dev/null 2>&1 if [[ $? -ne 0 ]] then - printf "$(gettext "Failed to set account password").\n" + printf "$(gettext "Failed to set account password").\n" >&2 error_message fi + printf "%s" $newpw | $KSETPW -n -s $salt -v $kvno -k "$new_keytab" "${args[@]}" cifs/${fqdn}@${realm} > /dev/null 2>&1 + if [[ $? -ne 0 ]] + then + printf "$(gettext "Failed to set account password").\n" >&2 + error_message + fi + doKRB5config addDNSRR $dom @@ -1564,6 +1604,10 @@ export TMPDIR="/var/run/kclient" mkdir $TMPDIR > /dev/null 2>&1 +if [[ $? -ne 0 ]]; then + printf "\n$(gettext "Can not create directory: %s")\n\n" $TMPDIR >&2 + exit 1 +fi TMP_FILE=$(mktemp -q -t kclient-tmpfile.XXXXXX) export KRB5_CONFIG=$(mktemp -q -t kclient-krb5conf.XXXXXX) @@ -1571,8 +1615,8 @@ new_keytab=$(mktemp -q -t kclient-krb5keytab.XXXXXX) if [[ -z $TMP_FILE || -z $KRB5_CONFIG || -z $KRB5CCNAME || -z $new_keytab ]] then - printf "\n$(gettext "Can not create temporary file, exiting").\n" >&2 - error_message + printf "\n$(gettext "Can not create temporary files, exiting").\n\n" >&2 + exit 1 fi # --- old/usr/src/cmd/krb5/kadmin/kclient/ksetpw.c Thu May 7 01:13:46 2009 +++ new/usr/src/cmd/krb5/kadmin/kclient/ksetpw.c Thu May 7 01:13:45 2009 @@ -20,12 +20,10 @@ */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include #include #include 
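Review bot: The six `$KSETPW` invocations that follow `salt=host/${fqdn}@${realm}` now differ only in the SPN prefix (host, HOST, nfs, HTTP, root, cifs) and each repeats the same four-line error check, so the block is a loop written out by hand; `$newpw` and `$salt` are also expanded unquoted on the pipe, which field-splits and globs a password containing whitespace or `*` (how newpw is generated is outside the hunk). A loop over the SPN list keeps the salt and arguments identical for every key and quotes the password once; the `print "%s"` → `printf "%s"` correction, which is the real fix in this hunk, is preserved below. The existing comment about `${netbios_nodename}@${realm}` can stay above the loop.
```shell
salt=host/${fqdn}@${realm}

# … unchanged: comment about ${netbios_nodename}@${realm} …
for spn in host HOST nfs HTTP root cifs; do
	printf "%s" "$newpw" | $KSETPW -n -s "$salt" -v $kvno -k "$new_keytab" "${args[@]}" ${spn}/${fqdn}@${realm} > /dev/null 2>&1
	if [[ $? -ne 0 ]]; then
		printf "$(gettext "Failed to set account password").\n" >&2
		error_message
	fi
done
```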
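Review bot: The new mkdir check aborts when `/var/run/kclient` cannot be created, which also covers a directory left behind by an earlier run, but the message does not tell the operator that removing the stale directory is the remedy, and the directory that will hold the temporary keytab and credential cache is created with whatever mode the umask yields. Suggest `mkdir -m 0700 $TMPDIR > /dev/null 2>&1` and a message that mentions the existing-directory case, e.g. `Can not create directory: %s (remove it if left over from an earlier run)`.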
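Review bot: Replacing `error_message` with `exit 1` on the mktemp failure path means cleanup no longer runs, so `$TMPDIR` and whichever temporary files mktemp did create are left behind; with the mkdir check added just above, every later run then fails at mkdir until someone removes the directory by hand. Add `rm -r $TMPDIR > /dev/null 2>&1` on the line before `exit 1`, or keep routing this path through cleanup.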
@@ -39,8 +37,8 @@
 static char *whoami = NULL;
 static void kt_add_entry(krb5_context ctx, krb5_keytab kt,
- const krb5_principal princ, krb5_enctype enctype, krb5_kvno kvno,
- const char *pw);
+ const krb5_principal princ, const krb5_principal sprinc,
+ krb5_enctype enctype, krb5_kvno kvno, const char *pw);
 static krb5_error_code kt_remove_entries(krb5_context ctx, krb5_keytab kt, const krb5_principal princ);
@@ -57,7 +55,7 @@
 krb5_ccache cc = NULL;
 krb5_keytab kt = NULL;
 krb5_kvno kvno = 1;
- krb5_principal victim;
+ krb5_principal victim, salt;
 char c, *vprincstr, *ktname, *token, *lasts, *newpw;
 int result_code, i, len, nflag = 0;
 krb5_data result_code_string, result_string;
@@ -82,7 +80,7 @@
 exit(1);
 }
- while ((c = getopt(argc, argv, "v:c:k:e:n")) != -1) {
+ while ((c = getopt(argc, argv, "v:c:k:e:ns:")) != -1) {
 switch (c) {
 case 'n':
 nflag++;
@@ -147,6 +145,16 @@
 case 'v':
 kvno = (krb5_kvno) atoi(optarg);
 break;
+ case 's':
+ vprincstr = optarg;
+ code = krb5_parse_name(ctx, vprincstr, &salt);
+ if (code != 0) {
+ com_err(whoami, code,
+ gettext("krb5_parse_name(%s) failed"),
+ vprincstr);
+ exit(1);
+ }
+ break;
 default:
 usage();
 break;
@@ -237,7 +245,7 @@
 goto error;
 for (i = 0; i < enctype_count; i++)
- kt_add_entry(ctx, kt, victim, enctypes[i], kvno, newpw);
+ kt_add_entry(ctx, kt, victim, salt, enctypes[i], kvno, newpw);
 error:
 if (kt != NULL)
@@ -319,7 +327,8 @@
 static void kt_add_entry(krb5_context ctx, krb5_keytab kt, const krb5_principal princ,
- krb5_enctype enctype, krb5_kvno kvno, const char *pw)
+ const krb5_principal sprinc, krb5_enctype enctype, krb5_kvno kvno,
+ const char *pw)
 {
 krb5_keytab_entry *entry;
 krb5_data password, salt;
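Review bot: `salt` is declared next to `victim` but never initialised, and the new `case 's'` is its only assignment, so when ksetpw runs without `-s` the call in the @@ -237 hunk passes an indeterminate pointer to kt_add_entry, which hands it straight to krb5_principal2salt. Initialise it and fall back to the old behaviour: `krb5_principal victim, salt = NULL;` and, at the call, `kt_add_entry(ctx, kt, victim, salt != NULL ? salt : victim, enctypes[i], kvno, newpw);`. The parsed salt principal is also not freed anywhere in the hunks shown; the `error:` block continues outside the hunk, so confirm a krb5_free_principal is added there. If usage() is not updated elsewhere in the commit, it should also list the `-s` option.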
@@ -342,7 +351,7 @@
 password.length = strlen(pw);
 password.data = (char *)pw;
- if ((code = krb5_principal2salt(ctx, princ, &salt)) != 0) {
+ if ((code = krb5_principal2salt(ctx, sprinc, &salt)) != 0) {
 com_err(whoami, code, gettext("Could not compute salt for %s"), enctype);
 return;
--- old/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c Thu May 7 01:13:47 2009
+++ new/usr/src/lib/gss_mechs/mech_krb5/mech/accept_sec_context.c Thu May 7 01:13:46 2009
@@ -1,9 +1,8 @@
 /*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
-
 /*
 * Copyright 2000, 2004 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
@@ -316,6 +315,7 @@
 OM_uint32 saved_ap_options = 0;
 krb5int_access kaccess;
 int cred_rcache = 0;
+ OM_uint32 t_minor_status = 0;
 KRB5_LOG0(KRB5_INFO,"krb5_gss_accept_sec_context() start");
@@ -1180,7 +1180,7 @@
 cleanup:
 if (!verifier_cred_handle && cred_handle) {
- krb5_gss_release_cred(minor_status, &cred_handle);
+ krb5_gss_release_cred(&t_minor_status, &cred_handle);
 }
 krb5_free_context(context);
--- old/usr/src/lib/gss_mechs/mech_spnego/mech/spnego_mech.c Thu May 7 01:13:48 2009
+++ new/usr/src/lib/gss_mechs/mech_spnego/mech/spnego_mech.c Thu May 7 01:13:47 2009
@@ -18,8 +18,9 @@
 *
 * CDDL HEADER END
 */
+
 /*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * A module that implements the spnego security mechanism.
@@ -28,8 +29,6 @@
 *
 */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 #include
 #include
 #include
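Review bot: The context line `com_err(whoami, code, gettext("Could not compute salt for %s"), enctype);` formats `enctype`, a krb5_enctype integer, with `%s`, so the failure path this hunk makes reachable with a user-supplied `-s` principal reads an integer as a string pointer. Change it to `gettext("Could not compute salt for enctype %d"), enctype`, or print the salt principal's name instead since that is what failed. kt_add_entry's body continues outside the hunk.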
@@ -1079,8 +1078,8 @@
 generic_gss_release_oid(&mstat, &mech_wanted);
 }
- (void) gss_release_cred(minor_status, &acquired_cred);
- (void) gss_release_oid_set(minor_status, &supported_mechSet);
+ (void) gss_release_cred(&mstat, &acquired_cred);
+ (void) gss_release_oid_set(&mstat, &supported_mechSet);
 (void) gss_release_buffer(&mstat, i_output_token);
 free(i_output_token);
--- old/usr/src/lib/libgss/g_accept_sec_context.c Thu May 7 01:13:49 2009
+++ new/usr/src/lib/libgss/g_accept_sec_context.c Thu May 7 01:13:49 2009
@@ -2,9 +2,8 @@
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
@@ -19,13 +18,12 @@
 *
 * CDDL HEADER END
 */
+
 /*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 /*
 * glue routine for gss_accept_sec_context
 */
@@ -329,9 +327,6 @@
 *context_handle = GSS_C_NO_CONTEXT;
 }
- if (output_token->length)
- (void) gss_release_buffer(&t_minstat, output_token);
-
 if (src_name)
 *src_name = GSS_C_NO_NAME;
--- old/usr/src/pkgdefs/SUNWkdcu/depend Thu May 7 01:13:51 2009
+++ new/usr/src/pkgdefs/SUNWkdcu/depend Thu May 7 01:13:50 2009
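Review bot: Removing the `gss_release_buffer(&t_minstat, output_token)` call means the failure path of the glue routine can now return with a non-empty `output_token` (presumably the mechanism's error token, which the gssd stubs elsewhere in this diff start passing through); callers that treated a failed gss_accept_sec_context as "nothing to release" will leak it unless the contract is written down. Add a comment at the removal point, e.g. `/* output_token may carry a mech error token on failure; the caller releases it. */`, and say the same in the routine's header comment if it documents the output parameters. If this was the only use of `t_minstat`, it is now an unused variable, which the hunk does not show. The enclosing function starts and ends outside the hunk.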
@@ -1,13 +1,12 @@ # -# Copyright 2005 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # CDDL HEADER START # # The contents of this file are subject to the terms of the -# Common Development and Distribution License, Version 1.0 only -# (the "License"). You may not use this file except in compliance -# with the License. +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. @@ -22,8 +21,6 @@ # # CDDL HEADER END # -# ident "%Z%%M% %I% %E% SMI" -# # This package information file defines software dependencies associated # with the pkg. You can define three types of pkg dependencies with this file: # P indicates a prerequisite for installation @@ -50,5 +47,7 @@ P SUNWcsu Core Solaris, (Usr) P SUNWcsd Core Solaris Devices P SUNWcsl Core Solaris Libraries -P SUNWrsg RPCSEC_GSS +P SUNWrsg RPCSEC_GSS P SUNWgss Generic Security Service App Program Int, Ver 2 - user +P SUNWlldap LDAP Libraries +P SUNWsmbsu SMB Server (Usr) --- old/usr/src/uts/common/gssapi/gssd_clnt_stubs.c Thu May 7 01:13:52 2009 +++ new/usr/src/uts/common/gssapi/gssd_clnt_stubs.c Thu May 7 01:13:51 2009 @@ -18,13 +18,12 @@ * * CDDL HEADER END */ + /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * GSSAPI library stub module for gssd. */ 
@@ -766,6 +765,16 @@
 if (minor_status != NULL)
 *minor_status = res.minor_status;
+ if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) {
+ output_token->length =
+ (size_t)res.output_token.GSS_BUFFER_T_len;
+ output_token->value =
+ (void *)MALLOC(output_token->length);
+ (void) memcpy(output_token->value,
+ res.output_token.GSS_BUFFER_T_val,
+ output_token->length);
+ }
+
 /* if the call was successful, copy out the results */
 if (res.status == (OM_uint32) GSS_S_COMPLETE ||
 res.status == (OM_uint32) GSS_S_CONTINUE_NEEDED) {
@@ -779,16 +788,6 @@
 res.context_handle.GSS_CTX_ID_T_val);
 *gssd_context_verifier = res.gssd_context_verifier;
- if (output_token != NULL) {
- output_token->length =
- (size_t)res.output_token.GSS_BUFFER_T_len;
- output_token->value =
- (void *)MALLOC(output_token->length);
- (void) memcpy(output_token->value,
- res.output_token.GSS_BUFFER_T_val,
- output_token->length);
- }
-
 if (res.status == GSS_S_COMPLETE) {
 if (actual_mech_type != NULL) {
 *actual_mech_type =
@@ -1055,6 +1054,20 @@
 return (GSS_S_FAILURE);
 }
+ if (minor_status != NULL)
+ *minor_status = res.minor_status;
+
+ if (output_token != NULL && res.output_token.GSS_BUFFER_T_val != NULL) {
+ output_token->length =
+ res.output_token.GSS_BUFFER_T_len;
+ output_token->value =
+ (void *) MALLOC(output_token->length);
+ (void) memcpy(output_token->value,
+ res.output_token.GSS_BUFFER_T_val,
+ output_token->length);
+ }
+
+
 /* if the call was successful, copy out the results */
 if (res.status == (OM_uint32) GSS_S_COMPLETE ||
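Review bot: The kernel copy of the token copy-out is moved ahead of the `res.status` check with no comment, unlike its user-space counterpart at @@ -706, so a reader of this file cannot tell that a MALLOC'd `output_token` is now deliberately returned on GSS error statuses and that the caller must free it on every path. Add a comment above the new block, e.g. `/* Return minor_status and any (error) token regardless of res.status; the caller owns output_token->value from here on. */`. The allocation result is not checked; that is fine only if MALLOC here is a sleeping kmem_alloc wrapper, which the hunk does not show. The enclosing function starts and ends outside the hunk.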
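Review bot: The @@ -1055 hunk adds two blank lines in a row before the `/* if the call was successful, copy out the results */` context line, which cstyle rejects; drop one of them. The block otherwise mirrors the one at @@ -766 but spells the allocation `(void *) MALLOC(...)` with a space and omits the `(size_t)` cast on `output_token->length`; since both are new code in the same file, use one spelling, e.g. `output_token->length = (size_t)res.output_token.GSS_BUFFER_T_len;` and `(void *)MALLOC(output_token->length);`.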
@@ -1070,19 +1083,6 @@
 res.context_handle.GSS_CTX_ID_T_val);
 *gssd_context_verifier = res.gssd_context_verifier;
- if (output_token != NULL) {
- output_token->length =
- res.output_token.GSS_BUFFER_T_len;
- output_token->value =
- (void *) MALLOC(output_token->length);
- (void) memcpy(output_token->value,
- res.output_token.GSS_BUFFER_T_val,
- output_token->length);
- }
-
- if (minor_status != NULL)
- *minor_status = res.minor_status;
-
 /* these other parameters are only ready upon GSS_S_COMPLETE */
 if (res.status == (OM_uint32) GSS_S_COMPLETE) {
--- old/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c Thu May 7 01:13:53 2009
+++ new/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c Thu May 7 01:13:52 2009
@@ -1,9 +1,8 @@
 /*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
-
 /*
 * lib/krb5/krb/init_ctx.c
 *
@@ -79,11 +78,17 @@
 configure KDCs to issue TGTs with des-mdX keys and then not accept them. This'll be fixed, but for better compatibility, let's prefer des-crc for now. */
+/*
+ * Solaris Kerberos:
+ * Added arcfour-hmac-md5-exp as default enc type.
+ * Changed des3-hmac-sha1 to des3-cbc-sha1-kd, as specified in RFC3961.
+ */
 #define DEFAULT_ETYPE_LIST \
 "aes256-cts-hmac-sha1-96 " \
 "aes128-cts-hmac-sha1-96 " \
- "des3-hmac-sha1 " \
+ "des3-cbc-sha1-kd " \
 "arcfour-hmac-md5 " \
+ "arcfour-hmac-md5-exp " \
 "des-cbc-md5 " \
 "des-cbc-crc"
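Review bot: The added comment records that arcfour-hmac-md5-exp is now a default enctype but not why; it is the export-strength RC4 variant, so putting it in DEFAULT_ETYPE_LIST widens the set of weak enctypes a client advertises and accepts out of the box, and a later maintainer cannot tell whether it may be dropped again. State the reason (presumably interoperability with peers that offer nothing stronger) and the ordering intent, e.g. `* Added arcfour-hmac-md5-exp (export-strength RC4) for interoperability; it is listed after arcfour-hmac-md5 so stronger types are preferred, and the list is only the fallback when krb5.conf sets no default_tkt_enctypes/default_tgs_enctypes.` The RFC 3961 remark about des3-cbc-sha1-kd is fine as written.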