- switch man pages to being generated with the right paths in them

- drop old, incomplete SELinux patch
- add patch from Greg Hudson to make srvtab routines report missing-file
    errors at same point that keytab routines do (#241805)

3 files changed, 43 insertions, 168 deletions

diff --git a/krb5-1.6-manpage-paths.patch b/krb5-1.6-manpage-paths.patch
deleted file mode 100644
index dda7e3f..0000000
--- a/krb5-1.6-manpage-paths.patch
+++ /dev/null
@@ -1,142 +0,0 @@
---- krb5-1.3/src/appl/bsd/klogind.M
-+++ krb5-1.3/src/appl/bsd/klogind.M
-@@ -27,7 +27,7 @@
- the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
- configuration line for \fIklogind\fP might be:
- 
--klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
-+klogin stream tcp nowait root /usr/kerberos/sbin/klogind klogind -e5c
- 
- When a service request is received, the following protocol is initiated:
- 
---- krb5-1.3/src/appl/bsd/kshd.M
-+++ krb5-1.3/src/appl/bsd/kshd.M
-@@ -8,7 +8,7 @@
- .SH NAME
- kshd \- kerberized remote shell server
- .SH SYNOPSIS
--.B /usr/local/sbin/kshd 
-+.B /usr/kerberos/sbin/kshd 
- [
- .B \-kr45ec
- ]
-@@ -30,7 +30,7 @@
- on the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
- configuration line for \fIkrshd\fP might be:
- 
--kshell	stream	tcp	nowait	root	/usr/local/sbin/kshd	kshd -5c
-+kshell	stream	tcp	nowait	root	/usr/kerberos/sbin/kshd	kshd -5c
- 
- When a service request is received, the following protocol is initiated:
- 
---- krb5-1.3/src/appl/sample/sserver/sserver.M
-+++ krb5-1.3/src/appl/sample/sserver/sserver.M
-@@ -59,7 +59,7 @@
- using a line in
- /etc/inetd.conf that looks like this:
- .PP
--sample  stream  tcp     nowait  root /usr/local/sbin/sserver	sserver
-+sample  stream  tcp     nowait  root /usr/kerberos/sbin/sserver	sserver
- .PP
- Since \fBsample\fP is normally not a port defined in /etc/services, you will
- usually have to add a line to /etc/services which looks like this:
---- krb5-1.3/src/appl/telnet/telnetd/telnetd.8
-+++ krb5-1.3/src/appl/telnet/telnetd/telnetd.8
-@@ -37,7 +37,7 @@
- .SM DARPA TELNET
- protocol server
- .SH SYNOPSIS
--.B /usr/libexec/telnetd
-+.B /usr/kerberos/sbin/telnetd
- [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
- [\fB\-edebug\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
- [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
---- krb5-1.3/src/config-files/kdc.conf.M
-+++ krb5-1.3/src/config-files/kdc.conf.M
-@@ -235,7 +235,7 @@
- realm names and the [capaths] section of its krb5.conf file
- 
- .SH FILES 
--/usr/local/var/krb5kdc/kdc.conf
-+/var/kerberos/krb5kdc/kdc.conf
- 
- .SH SEE ALSO
- krb5.conf(5), krb5kdc(8)
---- krb5-1.3/src/kadmin/cli/kadmin.M
-+++ krb5-1.3/src/kadmin/cli/kadmin.M
-@@ -733,9 +733,9 @@
- .RS
- .TP
- EXAMPLE:
--kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
-+kadmin: ktremove -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
- Entry for principal kadmin/admin with kvno 3 removed
--	from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
-+	from keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
- kadmin:
- .RE
- .fi
---- krb5-1.3/src/slave/kprop.M
-+++ krb5-1.3/src/slave/kprop.M
-@@ -39,7 +39,7 @@
- This is done by transmitting the dumped database file to the slave
- server over an encrypted, secure channel.  The dump file must be created
- by kdb5_util, and is normally KPROP_DEFAULT_FILE
--(/usr/local/var/krb5kdc/slave_datatrans).
-+(/var/kerberos/krb5kdc/slave_datatrans).
- .SH OPTIONS
- .TP
- \fB\-r\fP \fIrealm\fP
-@@ -51,7 +51,7 @@
- \fB\-f\fP \fIfile\fP
- specifies the filename where the dumped principal database file is to be
- found; by default the dumped database file is KPROP_DEFAULT_FILE
--(normally /usr/local/var/krb5kdc/slave_datatrans).
-+(normally /var/kerberos/krb5kdc/slave_datatrans).
- .TP
- \fB\-P\fP \fIport\fP
- specifies the port to use to contact the
---- krb5-1.3/src/slave/kpropd.M
-+++ krb5-1.3/src/slave/kpropd.M
-@@ -69,7 +69,7 @@
- This is done by adding a line to the inetd.conf file which looks like
- this:
- 
--kprop	stream	tcp	nowait	root	/usr/local/sbin/kpropd	kpropd
-+kprop	stream	tcp	nowait	root	/usr/kerberos/sbin/kpropd	kpropd
- 
- However, kpropd can also run as a standalone deamon, if the
- .B \-S
-@@ -87,13 +87,13 @@
- \fB\-f\fP \fIfile\fP
- specifies the filename where the dumped principal database file is to be
- stored; by default the dumped database file is KPROPD_DEFAULT_FILE
--(normally /usr/local/var/krb5kdc/from_master).
-+(normally /var/kerberos/krb5kdc/from_master).
- .TP
- .B \-p
- allows the user to specify the pathname to the
- .IR kdb5_util (8)
- program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
--(normally /usr/local/sbin/kdb5_util).
-+(normally /usr/kerberos/sbin/kdb5_util).
- .TP
- .B \-S
- turn on standalone mode.  Normally, kpropd is invoked out of
-@@ -124,14 +124,14 @@
- allows the user to specify the path to the
- .KR kpropd.acl
- file; by default the path used is KPROPD_ACL_FILE
--(normally /usr/local/var/krb5kdc/kpropd.acl).
-+(normally /var/kerberos/krb5kdc/kpropd.acl).
- .SH FILES
- .TP "\w'kpropd.acl\ \ 'u"
- kpropd.acl
- Access file for
- .BR kpropd ;
- the default location is KPROPD_ACL_FILE (normally
--/usr/local/var/krb5kdc/kpropd.acl).
-+/var/kerberos/krb5kdc/kpropd.acl).
- Each entry is a line containing the principal of a host from which the
- local machine will allow Kerberos database propagation via kprop.
- .SH SEE ALSO
diff --git a/krb5-selinux.patch b/krb5-selinux.patch
deleted file mode 100644
index cd66c37..0000000
--- a/krb5-selinux.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- krb5-1.3.1/src/util/profile/prof_file.c.selinux	2003-03-06 13:48:03.000000000 -0500
-+++ krb5-1.3.1/src/util/profile/prof_file.c	2003-09-03 13:42:42.343661059 -0400
-@@ -220,8 +220,10 @@ errcode_t profile_update_file_data(prf_d
- 	}
- 	data->upd_serial++;
- 	data->flags = 0;
-+#ifdef NO_SELINUX
- 	if (rw_access(data->filespec))
- 		data->flags |= PROFILE_FILE_RW;
-+#endif
- 	retval = profile_parse_file(f, &data->root);
- 	fclose(f);
- 	if (retval)
diff --git a/krb5.spec b/krb5.spec
index a6c6c14..973cd94 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,7 +1,3 @@
-%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
-%define WITH_SELINUX 0
-%endif
-
 %define WITH_LDAP 1
 
 %define krb5prefix %{_prefix}/kerberos
@@ -12,6 +8,9 @@
 # This'll be pulled out at some point.
 %define build_static 0
 
+# For consistency with regular login.
+%define login_pam_service remote
+
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.1
@@ -45,8 +44,11 @@ Source22: ekrb5-telnet.xinetd
 # and tarred up.
 Source23: krb5-%{version}-pdf.tar.gz
 Source24: krb5-tex-pdf.sh
+Source25: krb5-trunk-manpaths.txt
+Source26: gssftp.pamd
+Source27: kshell.pamd
+Source28: ekshell.pamd
 
-Patch2: krb5-1.6-manpage-paths.patch
 Patch3: krb5-1.3-netkit-rsh.patch
 Patch4: krb5-1.3-rlogind-environ.patch
 Patch5: krb5-1.3-ksu-access.patch
@@ -58,7 +60,6 @@ Patch13: krb5-1.3-large-file.patch
 Patch14: krb5-1.3-ftp-glob.patch
 Patch16: krb5-1.6-buildconf.patch
 Patch18: krb5-1.2.7-reject-bad-transited.patch
-Patch21: krb5-selinux.patch
 Patch23: krb5-1.3.1-dns.patch
 Patch25: krb5-1.4-null.patch
 Patch26: krb5-1.3.2-efence.patch
@@ -82,6 +83,10 @@ Patch55: krb5-1.6.1-empty.patch
 Patch56: krb5-1.6.1-get_opt_fixup.patch
 Patch57: krb5-1.6.1-ftp-nospew.patch
 
+Patch60: krb5-1.6.1-pam.patch
+Patch61: krb5-trunk-manpaths.patch
+Patch62: krb5-any-fixup-patch.txt
+
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -90,7 +95,6 @@ Prereq: grep, info, sh-utils, /sbin/install-info
 BuildPrereq: autoconf, bison, e2fsprogs-devel >= 1.35, flex
 BuildPrereq: gzip, ncurses-devel, rsh, texinfo, tar
 BuildRequires: tetex-latex
-# Wait until the merge completes -- keyutils lives in Extras.
 BuildRequires: keyutils-libs-devel
 
 %if %{WITH_LDAP}
@@ -185,7 +189,7 @@ Group: System Environment/Base
 Requires: %{name}-workstation = %{version}-%{release}
 Prereq: grep, /sbin/install-info, /bin/sh, sh-utils
 # mktemp is used by krb5-send-pr
-Requires: mktemp, xinetd
+Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service}
 
 %description workstation-servers
 Kerberos is a network authentication system. The krb5-workstation-servers
@@ -195,6 +199,12 @@ installed on systems which are meant provide these services.
 %endif
 
 %changelog
+* Fri Jun 22 2007 Nalin Dahyabhai <nalin@redhat.com>
+- switch man pages to being generated with the right paths in them
+- drop old, incomplete SELinux patch
+- add patch from Greg Hudson to make srvtab routines report missing-file errors
+  at same point that keytab routines do (#241805)
+
 * Thu May 24 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-2
 - pull patch from svn to undo unintentional chattiness in ftp
 - pull patch from svn to handle NULL krb5_get_init_creds_opt structures
@@ -1087,7 +1097,13 @@ installed on systems which are meant provide these services.
 
 %prep
 %setup -q -a 23
-%patch2  -p1 -b .manpage-paths
+pushd src
+%patch60 -p2 -b .pam
+%patch61 -p0 -b .manpaths
+popd
+pushd src/lib/krb5/keytab
+%patch62 -p0 -b .any-fixup
+popd
 %patch3  -p1 -b .netkit-rsh
 %patch4  -p1 -b .rlogind-environ
 %patch5  -p1 -b .ksu-access
@@ -1099,9 +1115,6 @@ installed on systems which are meant provide these services.
 %patch14 -p1 -b .ftp-glob
 %patch16 -p1 -b .buildconf
 %patch18 -p1 -b .reject-bad-transited
-%if %{WITH_SELINUX}
-%patch21 -p1 -b .selinux
-%endif
 %patch23 -p1 -b .dns
 %patch25 -p1 -b .null
 # Removes a malloc(0) case, nothing more.
@@ -1138,6 +1151,13 @@ sed -i -e '1c\
 \\usepackage{fancyheadings}\
 \\usepackage{hyperref}' doc/implement/implement.tex
 
+# Rename the man pages so that they'll get generated correctly.
+pushd src
+cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
+	mv "$manpage" "$manpage".in
+done
+popd
+
 # Check that the PDFs we built earlier match this source tree.
 $RPM_SOURCE_DIR/krb5-tex-pdf.sh check << EOF
 doc/api       library krb5
@@ -1195,7 +1215,9 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 	--with-system-ss \
 	--with-netlib=-lresolv \
 	--without-tcl \
-	--enable-dns
+	--enable-dns \
+	--with-pam \
+	--with-pam-login-service=%{login_pam_service}
 # Now build it.
 make
 
@@ -1250,6 +1272,13 @@ for xinetd in eklogin klogin kshell ekrb5-telnet krb5-telnet gssftp ; do
 	$RPM_BUILD_ROOT/etc/xinetd.d/${xinetd}
 done
 
+# PAM configuration files.
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
+for pam in kshell ekshell remote gssftp ; do
+	install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
+	$RPM_BUILD_ROOT/etc/pam.d/$pam
+done
+
 # Plug-in directories.
 install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth
 install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
@@ -1440,6 +1469,7 @@ exit 0
 %endif
 
 %config(noreplace) /etc/xinetd.d/*
+%config(noreplace) /etc/pam.d/*
 
 # Login is used by telnetd and klogind.
 %{krb5prefix}/sbin/login.krb5