authorNalin Dahyabhai <nalin@fedoraproject.org>2008-01-03 15:47:35 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2008-01-03 15:47:35 +0000
commitf25a7f96a54eb8386a55fc3596fa0ab4e97fb91a (patch)
tree7cd364f2c69025c67c4d33eb604e550524608aca
parent1343fd197307498559844d149d40b129e4b7e508 (diff)
- reference unapplied patch to fix password-changing with servers other than the first one we try to contact
- reference bug 242502 (rawhide) instead of 242500 (rhel)
-rw-r--r--krb5-trunk-seqnum.patch48
-rw-r--r--krb5.spec7
2 files changed, 53 insertions, 2 deletions
diff --git a/krb5-trunk-seqnum.patch b/krb5-trunk-seqnum.patch
new file mode 100644
index 0000000..0d6d876
--- /dev/null
+++ b/krb5-trunk-seqnum.patch
@@ -0,0 +1,48 @@
+Every KRB-PRIV message we generate to include as part of a password change
+request we create (after the first one) will include sequence numbers which
+look "wrong" to the recipient, because previously generating other KRB-PRIV
+messages will mess with the counters in the auth_context. Because the
+current code attempts to reuse auth_context structures (and changing that
+would be more invasive), we'll just save the sequence number values as they
+are after we build the AP-REQ, and restore them before generating requests.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c (revision 20195)
++++ src/lib/krb5/os/changepw.c (working copy)
+@@ -34,6 +34,7 @@
+ #include "k5-int.h"
+ #include "os-proto.h"
+ #include "cm.h"
++#include "../krb/auth_con.h"
+
+ #include <stdio.h>
+ #include <errno.h>
+@@ -48,6 +49,7 @@
+ krb5_principal set_password_for;
+ char *newpw;
+ krb5_data ap_req;
++ krb5_ui_4 remote_seq_num, local_seq_num;
+ };
+
+
+@@ -159,6 +161,9 @@
+ &local_kaddr, NULL)))
+ goto cleanup;
+
++ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
++ ctx->auth_context->local_seq_number = ctx->local_seq_num;
++
+ if (ctx->set_password_for)
+ code = krb5int_mk_setpw_req(ctx->context,
+ ctx->auth_context,
+@@ -225,6 +230,9 @@
+ &callback_ctx.ap_req)))
+ goto cleanup;
+
++ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
++ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
++
+ do {
+ if ((code = krb5_locate_kpasswd(callback_ctx.context,
+ krb5_princ_realm(callback_ctx.context,
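Review bot: The restore at `ctx->auth_context->local_seq_number = ctx->local_seq_num;` makes every KRB-PRIV built by this callback carry the same sequence number, and nothing in the C code says this is deliberate. The patch header gives the interoperability reason, but the sequence number is also something a receiver can use to reject replayed or reordered KRB-PRIV messages, so it is worth confirming what the receiver still relies on when the same request is regenerated for a retry. I would add a comment above the two restore lines, for example `/* Rewind to the values captured right after the AP-REQ was built; each server only sees that AP-REQ, so every request must start from the sequence numbers it announced. */`. Separately, `#include "../krb/auth_con.h"` ties changepw.c to the private layout of the auth_context struct through a relative path, and a one-line comment saying why the fields are written directly would help the next maintainer. Both the callback and the function holding the `do` loop start and end outside the inner hunks.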
diff --git a/krb5.spec b/krb5.spec
index b270f7f..ca7ff8b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -92,6 +92,7 @@ Patch62: krb5-any-fixup-patch.txt
Patch63: krb5-1.6.1-selinux-label.patch
Patch64: krb5-ok-as-delegate.patch
Patch68: krb5-trunk-spnego_delegation.patch
+Patch69: krb5-trunk-seqnum.patch
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
@@ -224,10 +225,11 @@ certificate.
%changelog
* Wed Jan 2 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-4
- some init script cleanups
- - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242500)
+ - drop unquoted check and silent exit for "$NETWORKING" (#426852, #242502)
- krb524: don't barf on missing database if it looks like we're using kldap,
same as for kadmin
- - return non-zero status for missing files which cause startup to fail
+ - return non-zero status for missing files which cause startup to
+ fail (#242502)
* Tue Dec 18 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-3
- allocate space for the nul-terminator in the local pathname when looking up
@@ -1278,6 +1280,7 @@ popd
#%patch59 -p0 -b .kpasswd_tcp
#%patch64 -p0 -b .ok-as-delegate
#%patch68 -p0 -b .spnego_delegation
+#%patch69 -p0 -b .seqnum
cp src/krb524/README README.krb524
gzip doc/*.ps