##
## kerberos.spec -- OpenPKG RPM Package Specification
## Copyright (c) 2000-2022 OpenPKG Project
##
## Permission to use, copy, modify, and distribute this software for
## any purpose with or without fee is hereby granted, provided that
## the above copyright notice and this permission notice appear in all
## copies.
##
## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
# FIXME: rse: with_ldap still defunct
# package version
%define V_major 1.6
%define V_minor 3
# package information
Name: kerberos
Summary: Kerberos Network Authentication System
URL: http://web.mit.edu/kerberos/
Vendor: MIT
Packager: OpenPKG Project
Distribution: OpenPKG Community
Class: BASE
Group: Cryptography
License: MIT subject to US EAR
Version: %{V_major}.%{V_minor}
Release: 20100227
# package options
#   with_fsl:    adds the fsl build/run dependency declared further down
#   with_server: gates the KDB plugin build, the setup and rc scripts,
#                kdc.conf, the fsl configuration and the admin/install docs
#   with_ldap:   adds the openldap dependency and the LDAP KDB plugin build
#                (see the FIXME at the top: still defunct)
%option with_fsl yes
%option with_server yes
%option with_ldap no
# list of sources
# NOTE(review): Source0, Patch1 and Patch2 are referenced over plain http,
# so the transport gives no integrity guarantee for the tarball or for the
# security patches. Confirm that the fetch step checks a pinned digest or a
# signature for each of them before they are used.
# NOTE(review): only the 2009-001 and 2009-002 advisory patches are applied
# to the upstream release. Check the upstream advisories index for later
# advisories that affect this release line before shipping this package.
Source0: http://web.mit.edu/kerberos/dist/krb5/%{V_major}/krb5-%{version}-signed.tar
Source1: rc.kerberos
Source2: fsl.kerberos
Source3: krb5.conf
Source4: kdc.conf
Source5: kerberos-setup.sh
Patch0: kerberos.patch
Patch1: http://web.mit.edu/kerberos/advisories/2009-001-patch.txt
Patch2: http://web.mit.edu/kerberos/advisories/2009-002-patch.txt
# build information
BuildPreReq: OpenPKG, openpkg >= 20160101, flex, bison, make, sed, perl
PreReq: OpenPKG, openpkg >= 20160101
%if "%{with_fsl}" == "yes"
BuildPreReq: fsl
PreReq: fsl
%endif
%if "%{with_ldap}" == "yes"
BuildPreReq: openldap
PreReq: openldap
%endif
# Heimdal is declared as conflicting, so the two Kerberos implementations
# cannot be installed side by side in one OpenPKG instance.
Provides: KERBEROS
Conflicts: heimdal
%description
Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by
using secret-key cryptography. This is the free implementation of
this protocol, as available from the Massachusetts Institute of
Technology (MIT). Kerberos is available in many commercial products
as well.
%track
prog kerberos = {
version = %{version}
url = http://web.mit.edu/kerberos/dist/
regex = krb5-(__VER__)-signed\.tar
}
%prep
# Create and enter an empty build directory without unpacking any source
# (setup options -T -c), then unpack the outer "-signed" tar into it.
%setup -q -T -c -n krb5-%{version}
%{l_tar} xf %{SOURCE krb5-%{version}-signed.tar}
# Decompress the inner tar.gz and extract it from the parent directory;
# presumably its top-level directory has the same name as the build
# directory, so the tree lands in place. A failure aborts the build.
# NOTE(review): nothing in this section verifies the signature that the
# "-signed" tarball name implies. Presumably a detached signature ships
# next to the inner tar.gz; verify it (or a pinned digest) against a
# trusted key before extracting.
%{l_gzip} -d -c krb5-%{version}.tar.gz | ( cd .. && %{l_tar} xf - ) || exit $?
# Apply Patch0 (local packaging patch, strip level 0), then the two
# upstream advisory patches Patch1 and Patch2 (strip level 1).
%patch -p0
%patch -p1 -P 1
%patch -p1 -P 2
%build
# configure toolkit
# Rewrite three static/shared checks to "if false" in every configure
# script except those of the db2 and ldap KDB plugins; presumably this lets
# the static-only toolkit configuration below pass -- TODO confirm.
%{l_shtool} subst \
-e 's/if test "$enable_static" = yes; then/if false; then/' \
-e 's/if test "$enable_shared" != yes; then/if false; then/' \
-e 's/if test "$enable_static" = no && test "$krb5_force_static" != yes; then/if false; then/' \
`find . -name configure -type f -print | grep -v plugins/kdb/db2 | grep -v plugins/kdb/ldap`
# Relocate the compiled-in defaults: krb5.conf and krb5.keytab move to
# SYSCONFDIR/kerberos, the KDC profile to SYSCONFDIR/kerberos and the KDC
# database directory to LOCALSTATEDIR/kerberos/db. The stock /etc/krb5.conf
# is dropped from the profile search path, so a system-wide file outside
# the package prefix is no longer consulted.
%{l_shtool} subst \
-e 's;/etc/krb5\.conf:@SYSCONFDIR/krb5.conf;@SYSCONFDIR/kerberos/krb5.conf;g' \
-e 's;FILE:/etc/krb5\.keytab;FILE:@SYSCONFDIR/kerberos/krb5.keytab;g' \
-e 's;DEFAULT_KDC_PROFILE."@LOCALSTATEDIR/krb5kdc;DEFAULT_KDC_PROFILE "@SYSCONFDIR/kerberos;g' \
-e 's;@LOCALSTATEDIR/krb5kdc;@LOCALSTATEDIR/kerberos/db;g' \
src/include/stock/osconf.h
# Apply the same keytab relocation to the two kadmin sources that
# hard-code /etc/krb5.keytab.
%{l_shtool} subst \
-e 's;/etc/krb5\.keytab;%{l_prefix}/etc/kerberos/krb5.keytab;' \
src/kadmin/cli/k5srvutil.sh \
src/kadmin/cli/kadmin.c
cd src
# Toolkit is built static only, with headers and libraries in a private
# kerberos subdirectory, without Tcl and without Kerberos 4 support.
# NOTE(review): the dns-for-realm option turns on realm discovery through
# DNS; plain DNS answers are unauthenticated, so confirm this is wanted on
# networks where DNS responses cannot be trusted.
CC="%{l_cc}" \
CFLAGS="%{l_cflags -O}" \
CPPFLAGS="%{l_cppflags}" \
LDFLAGS="%{l_fsl_ldflags}" \
LIBS="%{l_fsl_libs}" \
./configure \
--prefix=%{l_prefix} \
--includedir=%{l_prefix}/include/kerberos \
--libdir=%{l_prefix}/lib/kerberos \
--enable-dns-for-realm \
--without-tcl \
--without-krb4 \
--enable-static \
--disable-shared
# build toolkit
%{l_make} %{l_mflags}
# configure and build database plugin DSO
# The db2 plugin is configured separately as shared-only and only the
# db2.so target is built; any failure in the subshell aborts the build.
%if "%{with_server}" == "yes"
( cd plugins/kdb/db2
CC="%{l_cc}" \
CFLAGS="%{l_cflags -O}" \
./configure \
--prefix=%{l_prefix} \
--libdir=%{l_prefix}/lib/kerberos \
--disable-static \
--enable-shared
%{l_make} %{l_mflags} db2.so
) || exit $?
%endif
# configure and build LDAP plugin DSO
# Only done when both with_server and with_ldap are enabled. The plugin is
# configured shared-only inside libkdb_ldap, the Makefiles one level up are
# regenerated from that config.status, and kldap.so is built.
# NOTE(review): no install step for kldap.so is visible in this file, which
# matches the "with_ldap still defunct" FIXME at the top.
%if "%{with_server}" == "yes" && "%{with_ldap}" == "yes"
( cd plugins/kdb/ldap/libkdb_ldap
CC="%{l_cc}" \
CFLAGS="%{l_cflags -O}" \
CPPFLAGS="%{l_cppflags}" \
LDFLAGS="%{l_fsl_ldflags}" \
LIBS="%{l_fsl_libs} -lldap -llber -lssl -lcrypto" \
./configure \
--prefix=%{l_prefix} \
--includedir=%{l_prefix}/include/kerberos \
--libdir=%{l_prefix}/lib/kerberos \
--enable-dns-for-realm \
--without-tcl \
--without-krb4 \
--with-ldap \
--disable-static \
--enable-shared
./config.status --file ../Makefile
./config.status --file ../ldap_util/Makefile
) || exit $?
( cd plugins/kdb/ldap
%{l_make} %{l_mflags} kldap.so
) || exit $?
%endif
%install
# install toolkit
# Everything is staged below RPM_BUILD_ROOT via DESTDIR; a failing make
# aborts the install step.
( cd src
%{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT
) || exit $?
# install database plugin DSO
%if "%{with_server}" == "yes"
( cd src/plugins/kdb/db2
%{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT
) || exit $?
%endif
# create additional directories
# All of them are created mode 755, including var/kerberos/db, which the
# build-time path substitution makes the KDC database directory.
# NOTE(review): confirm that the database and key material later written
# there are created owner-only, or tighten the mode of that directory.
%{l_shtool} mkdir -p -m 755 \
%if "%{with_server}" == "yes"
$RPM_BUILD_ROOT%{l_prefix}/var/kerberos/log \
$RPM_BUILD_ROOT%{l_prefix}/var/kerberos/run \
$RPM_BUILD_ROOT%{l_prefix}/var/kerberos/db \
$RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
$RPM_BUILD_ROOT%{l_prefix}/etc/fsl \
%endif
$RPM_BUILD_ROOT%{l_prefix}/share/kerberos \
$RPM_BUILD_ROOT%{l_prefix}/info \
$RPM_BUILD_ROOT%{l_prefix}/etc/kerberos
# strip down installation
# Removes compile_et, the problem-report tooling, examples and the
# Kerberos IV headers, then strips the programs in bin and sbin. Output
# and failures of strip are deliberately ignored.
rm -f $RPM_BUILD_ROOT%{l_prefix}/bin/compile_et
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man1/compile_et.1
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man1/krb5-send-pr.1
rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/et
rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/gnats
rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/examples
rm -rf $RPM_BUILD_ROOT%{l_prefix}/include/kerberos/kerberosIV
strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true
strip $RPM_BUILD_ROOT%{l_prefix}/sbin/* >/dev/null 2>&1 || true
# strip down installation (server-related only)
# For a client-only package the KDC, kadmin server, propagation and keytab
# utilities plus their manual pages are removed, so no server daemon is
# shipped when with_server is off.
%if "%{with_server}" != "yes"
rm -rf $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/krb5
rm -f $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/libkadm5srv.a
rm -f $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/libkdb5.a
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man5/kdc.conf.5
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/k5srvutil.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kadmin.local.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kadmind.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kdb5_util.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kprop.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kpropd.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/krb5kdc.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/ktutil.8
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/gss-server
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/k5srvutil
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kadmin.local
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kadmind
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kdb5_util
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kerberos-setup
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kprop
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kpropd
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/krb5-send-pr
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/krb5kdc
rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/ktutil
%endif
# install setup script
%if "%{with_server}" == "yes"
%{l_shtool} install -c -m 755 %{l_value -s -a} \
%{SOURCE kerberos-setup.sh} \
$RPM_BUILD_ROOT%{l_prefix}/sbin/kerberos-setup
%endif
# install run-command script
%if "%{with_server}" == "yes"
%{l_shtool} install -c -m 755 %{l_value -s -a} \
%{SOURCE rc.kerberos} \
$RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
%endif
# install default configuration files
# krb5.conf and kdc.conf are installed mode 644. krb5.dict is created as an
# empty file by copying /dev/null.
%{l_shtool} install -c -m 644 %{l_value -s -a} \
%{SOURCE krb5.conf} \
$RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/
%if "%{with_server}" == "yes"
%{l_shtool} install -c -m 644 %{l_value -s -a} \
%{SOURCE kdc.conf} \
$RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/
%endif
%{l_shtool} install -c -m 644 \
/dev/null $RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/krb5.dict
# install OSSP fsl configuration
%if "%{with_server}" == "yes"
%{l_shtool} install -c -m 644 %{l_value -s -a} \
%{SOURCE fsl.kerberos} \
$RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
%endif
# install documentation
# The PostScript guides are renamed to the krb5- prefix used by the HTML
# and info files; install and admin guides ship only with the server.
mv doc/install-guide.ps doc/krb5-install.ps
mv doc/admin-guide.ps doc/krb5-admin.ps
mv doc/user-guide.ps doc/krb5-user.ps
%if "%{with_server}" == "yes"
%{l_shtool} install -c -m 644 \
doc/krb5-install.html \
doc/krb5-install.ps \
doc/krb5-admin.html \
doc/krb5-admin.ps \
$RPM_BUILD_ROOT%{l_prefix}/share/kerberos/
%{l_shtool} install -c -m 644 \
doc/krb5-install.info* \
doc/krb5-admin.info* \
$RPM_BUILD_ROOT%{l_prefix}/info/
%endif
%{l_shtool} install -c -m 644 \
doc/krb5-user.html \
doc/krb5-user.ps \
$RPM_BUILD_ROOT%{l_prefix}/share/kerberos/
%{l_shtool} install -c -m 644 \
doc/krb5-user.info* \
$RPM_BUILD_ROOT%{l_prefix}/info/
# determine installation files
# Everything under etc/kerberos is marked as configuration, so local edits
# are handled as config files on upgrade.
# ksu is packaged mode 4755 (setuid) for the l_susr account and l_mgrp
# group, which makes it the one binary in this package that runs with
# elevated privilege for any local user.
# NOTE(review): presumably l_susr is the super-user account -- confirm, and
# drop the setuid bit on hosts that do not use ksu.
%{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
%{l_files_std} \
%if "%{with_server}" == "yes"
'%config %{l_prefix}/etc/fsl/fsl.kerberos' \
'%doc %{l_prefix}/share/kerberos/*.ps' \
'%doc %{l_prefix}/share/kerberos/*.html' \
%endif
'%config %{l_prefix}/etc/kerberos/*' \
'%attr(4755,%{l_susr},%{l_mgrp}) %{l_prefix}/bin/ksu'
%files -f files
%clean
%pre
# before upgrade, save status and stop service
# Runs only when the scriptlet argument is 2 (the upgrade case named
# above). The output of the rc "status" command is evaluated in this shell
# and, through tee, also saved to the l_tmpfile path.
# NOTE(review): the post scriptlet later reads that file back with eval.
# That is only safe if an unprivileged user cannot create or replace the
# l_tmpfile path between the two scriptlets -- confirm where the macro
# points and who can write there.
%if "%{with_server}" == "yes"
[ $1 -eq 2 ] || exit 0
eval `%{l_rc} kerberos status 2>/dev/null | tee %{l_tmpfile}`
%{l_rc} kerberos stop 2>/dev/null
exit 0
%endif
%post
# initial hints
# On first installation (scriptlet argument 1) a notice with the setup
# steps is printed; on upgrade (argument 2) the service state saved by the
# pre scriptlet is restored.
%if "%{with_server}" == "yes"
if [ $1 -eq 1 ]; then
# display information about next steps
# NOTE(review): several hint lines below read as if angle-bracket
# placeholders were lost (the arguments of kerberos-setup, the new password
# after -pw, and the host, user and realm names). Restore them from the
# package's original text.
# NOTE(review): per this text the admin/admin principal starts with the
# password "admin" and the server is started before that password is
# changed, so the KDC is briefly reachable with a guessable admin
# credential. Consider telling the operator to change it first.
# NOTE(review): the hint passes the new password with -pw on the command
# line, where it can end up in shell history and the process list. Leaving
# -pw out so that kadmin prompts for it avoids that.
( echo "Before you can use Kerberos you have to choose the"
echo "Kerberos realm (e.g. EXAMPLE.COM) and initialize the"
echo "Kerberos database with the command:"
echo " \$ $RPM_INSTALL_PREFIX/sbin/kerberos-setup "
echo "where is the primary DNS zone of this setup and"
echo " by convention is the upper-case version of ."
echo ""
echo "After this you should start the Kerberos server with:"
echo " \$ $RPM_INSTALL_PREFIX/bin/openpkg rc kerberos start"
echo ""
echo "Then you should change the password of the admin/admin user"
echo "from the default \"admin\" to something secure:"
echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
echo " \"change_password -pw admin/admin\""
echo ""
echo "Then you should add and attach all remote hosts to Kerberos"
echo "by running the following command on each *remote* host:"
echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
echo " \"add_principal host/.\""
echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
echo " \"ktadd host/.\""
echo ""
echo "Then you should add all your users to Kerberos via:"
echo " \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
echo " \"add_principal /@\""
echo ""
echo "After this, users can use Kerberos on all attached hosts:"
echo " \$ $RPM_INSTALL_PREFIX/bin/kinit /"
echo " \$ $RPM_INSTALL_PREFIX/bin/klist"
echo " \$ $RPM_INSTALL_PREFIX/bin/kdestroy"
) | %{l_rpmtool} msg -b -t notice
fi
# after upgrade, restore status
# The saved status file is evaluated as shell code and then removed; the
# service is started again only if kerberos_active came back as "yes".
# NOTE(review): eval executes whatever the l_tmpfile file contains, with
# the privileges of the installer. Confirm the file cannot be written by
# anyone else between the pre and post scriptlets.
[ $1 -eq 2 ] || exit 0
eval `cat %{l_tmpfile}`; rm -f %{l_tmpfile}
[ ".$kerberos_active" = .yes ] && %{l_rc} kerberos start
exit 0
%endif
%preun
# before erase, stop service and remove log files
# Runs only when the scriptlet argument is 0 (the erase case named above).
# Besides logs and pid files this also deletes every regular file in
# var/kerberos/db and the krb5.keytab file, so erasing the package discards
# the KDC database and the host keys without a backup or a prompt.
# The rm calls are not recursive and their errors are ignored, so
# subdirectories of db, if any, are left behind.
# NOTE(review): rm -f unlinks the files but does not overwrite them, so key
# material may remain recoverable from the disk. Operators who need the
# realm data should dump it before erasing the package.
%if "%{with_server}" == "yes"
[ $1 -eq 0 ] || exit 0
%{l_rc} kerberos stop 2>/dev/null
rm -f $RPM_INSTALL_PREFIX/var/kerberos/log/*.log* >/dev/null 2>&1 || true
rm -f $RPM_INSTALL_PREFIX/var/kerberos/run/*.pid >/dev/null 2>&1 || true
rm -f $RPM_INSTALL_PREFIX/var/kerberos/db/* >/dev/null 2>&1 || true
rm -f $RPM_INSTALL_PREFIX/etc/kerberos/krb5.keytab >/dev/null 2>&1 || true
exit 0
%endif