OBSOLETE Patch-ID# 147794-20



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security kdb5 krb5 libss.so.1 krb5.conf autologin rsh rlogin rcp rdist telnet kerberos
Synopsis: Obsoleted by: 147794-21 SunOS 5.10_x86: Kerberos patch
Date: May/12/2016


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 147793

Topic: SunOS 5.10_x86: Kerberos patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
--------    --------
6647874     15449097
6848169     15567444
6902378     15604439
7043305     15714441
            15870828
            16448392
            16617641
            16887464
            17617775
            17628214
            17792428
            18071497
            18673832
            19176902
            19392488
            19624343
            19680513
            20365797
            20418929
            20434169
            20434175
            22612138
5047971     15211419
5060745     15214688
6372525     15306891
6372535     15306897
6574888     15406642
6596185     15418553
6680327     15467952
6683649     15469868
6689008     15473093
6821299     15551251
6835370     15559519
6837512     15560740
6891691     15596655
6922520     15619617
6955112     15645282
6956005     15645958
6960586     15649324
6993588     15676203
6994581     15677042
6997583     15679434
7021339     15698412
7045809     15716294
7059086     15724537
7061008     15725603
7136193     15769284
7141265     15769730
7194414     15812546


Changes incorporated in this version: 22612138

Patches accumulated and obsoleted by this patch: 140149-01 140160-03 143938-03 144892-02 146665-02 147716-04 148070-02 148080-01 148395-01 148688-01 149501-01

Patches which conflict with this patch:

Patches required with this patch: 118855-36 120012-14 127128-11 144501-19 (or greater)

Obsoleted by:

Files included with this patch:

/kernel/misc/kgss/amd64/kmech_krb5
/kernel/misc/kgss/kmech_krb5
/usr/bin/kdestroy
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rcp
/usr/bin/rdist
/usr/bin/rlogin
/usr/bin/rsh
/usr/include/kerberosv5/krb5.h
/usr/lib/amd64/gss/mech_krb5.so.1
/usr/lib/gss/mech_krb5.so.1
/usr/lib/krb5/amd64/libkadm5clnt.so.1
/usr/lib/krb5/db2.so.1
/usr/lib/krb5/kldap.so.1
/usr/lib/krb5/kpropd
/usr/lib/krb5/krb5kdc
/usr/lib/krb5/libkadm5clnt.so.1
/usr/lib/krb5/libkadm5srv.so.1
/usr/lib/krb5/libkadmin.so.1
/usr/lib/krb5/libkdb.so.1
/usr/lib/krb5/libkdb_ldap.so.1
/usr/lib/krb5/libss.so.1
/usr/lib/sasl/amd64/gssapi.so.1
/usr/lib/sasl/gssapi.so.1
/usr/lib/security/amd64/pam_krb5.so.1
/usr/lib/security/amd64/pam_krb5_migrate.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so.1
/usr/sbin/in.rlogind
/usr/sbin/in.rshd
/usr/sbin/in.telnetd
/usr/sbin/kadmin
/usr/sbin/kadmin.local
/usr/sbin/kdb5_ldap_util
/usr/sbin/kdb5_util

Problem Description:

22612138 problem with Kerberos libraries
 
(from 147794-19)
 
15714441 mech_krb5.so.1`generic_gss_add_buffer_set_member+0x6f memory leaks
 
(from 147794-18)
 
19176902 RPC timeout too short during kadmin:listprincs while retrieving 150k principals
 
(from 147794-17)
 
20365797 krb5kdc incorrectly terminates after 2nd kill -HUP
20418929 problem with Kerberos libraries
20434169 uninitialized memory in krb5_ldap_create_password_policy of ldap_pwd_policy.c:125
20434175 uninitialized memory in krb5_ldap_put_password_policy of ldap_pwd_policy.c:191
 
(from 147794-16)
 
18673832 problem with Kerberos utilities
 
(from 147794-15)
 
19624343 problem with GSS library
19680513 Solaris 10 kadmin unable to use kpasswd history more than 10 keys
 
(from 147794-14)
 
17617775 krb5kdc and kadmind cores during LDAP rebind
19392488 problem with krb5kdc
 
(from 147794-13)
 
15604439 add realm option to pam_krb5
18071497 pam_krb5 issues in multi-realm auth when default realm is specified second
 
(from 147794-12)
 
17792428 problem with Kerberos utilities
 
(from 147794-11)
 
15449097 LDAP backend uses 10ms connection timeout
15567444 fix for kdb LDAP plugin timeout incomplete, still using 10ms
17628214 kadmin.local from Solaris 10 dumps core when displaying Solaris 11 principal (missing salt)
 
(from 147794-10)
 
16448392 Solaris krb5 does not support RFC6448 which causes ssh interoperability problem
 
(from 147794-09)
 
16887464 problem with Kerberos utilities
 
(from 147794-08)
 
16617641 sshd core dump due to an uninitialized krb5_cred variable in mech_krb5 library
 
(from 147794-07)
 
15870828 winbindd crashing when trying to get TGT from a KDC (Active Directory)
 
(from 147794-06)
 
        This revision accumulates generic Sustaining patch 146665-02
        into Solaris S10U11 update.
 
(from 147794-05)
 
        This revision accumulates generic Sustaining patch 147716-04
        into Solaris S10U11 update.
 
(from 147794-04)
 
6596185 kadmin negates -allow_tix when adding a principal record
7141265 krb5 is not recognizing a duplicate security token when running "gss_accept_sec_context"
 
(from 147794-03)
 
        This revision accumulates generic Sustaining patches 147716-02
        and 148070-02 into Solaris S10U11 update.
 
(from 147794-02)
 
6835370 Kerberos replay cache should have better granularity
6960586 Kerberos replay cache intermittently reports authentication errors with FTP sessions
6993588 need to implement the k5buf string modules in Solaris in support of replay hashing fix
 
(from 147794-01)
 
        This revision accumulates generic Sustaining patch 144892-02
        into Solaris S10U11 update.
 
(from 148080-01)
 
        This revision accumulates generic Sustaining patch 148070-01
        into Solaris S10U11 update.
 
(from 148070-02)
 
6837512 krb5.h C++ guards are wrong
6956005 "stash" option fails to re-create the stash file if the KDC is set up by kdb5_ldap_util
 
(from 148070-01)
 
6680327 kdb5_util/kdb5_ldap_util core dumps and prints incorrect progname on error paths
 
(from 147716-04)
 
7136193 problem with Kerberos utilities
 
(from 147716-03)
 
7045809 chgpwd.c needs more resyncing to properly support RFC3244
 
(from 147716-02)
 
6372525 problem with library libsasl
6372535 krb5gss_unwrap() doesn't output data when the only error is out-of-sequence or replay detection
 
(from 147716-01)
 
7021339 nscd crashed in krb5int_sendto() when trying to free memory at an invalid address
 
(from 144892-02)
 
6997583 problem with Kerberos kdc
7059086 problem with Kerberos admin
7061008 problem with Kerberos admin
 
(from 144892-01)
 
5047971 kadmin could use libtecla for enhanced command history and editing
 
(from 149501-01)
 
5060745 rdist core dumps when libumem is used
 
(from 146665-02)
 
6574888 principals using delegated credentials are not being registered with ktkt_warnd for auto-renewal
6689008 kwarn_add_warning should not output errors to stderr
7194414 failed to compile when backporting CR 6574888 fix to Solaris 10
 
(from 146665-01)
 
        This revision accumulates generic Sustaining patch 143938-03
        into Solaris S10U10 update.
 
(from 143938-03)
 
6994581 r(cmds) and kcfd take too many CPU cycles after upgrade to Solaris 10 Update 7
 
(from 143938-02)
 
        This revision accumulates generic Sustaining patch 140160-03
        into Solaris S10U9 update.
 
(from 143938-01)
 
        This revision accumulates generic Sustaining patch 140160-02
        into Solaris S10U9 update.
 
(from 140160-03)
 
6922520 rcp data transfer to local system should improve error testing
 
(from 140160-02)
 
6821299 rdist problem with savelink
 
(from 140160-01)
 
        This revision accumulates generic Sustaining patch 140149-01
        into Solaris S10U7 update.
 
(from 140149-01)
 
6683649 krb5.conf autologin setting should be valid for rsh/rlogin/rcp/rdist as well as telnet
 
(from 148688-01)
 
        This revision accumulates generic Sustaining patch 148395-01
        into Solaris S10U11 update.
 
(from 148395-01)
 
6891691 if full sync fails leaving (principal~, principal~.ok, principal~.kadm5.lock), kdb5_util exits w/error
6955112 kdb5_util should report error if lock files exist and it can not update database


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  For bug 15604439 (add realm option to pam_krb5):
 
         This patch version provides the option to authenticate users through
         Multiple Realms as First Choice Using Password-based Authentication.
 
         The new option realm=realm_name can be passed to the Kerberos V5
         authentication module where realm_name is the realm name used to
         authenticate the user rather than the system's default_realm as
         defined in krb5.conf(4).
 
         For example, modify the pam.conf(4) file as shown below to use
         pam_krb5(5) to authenticate a user who is in the EXAMPLE1.COM realm,
         which is different from the default realm EXAMPLE.COM.
 
         # Default definitions for Authentication management
         # Used when service name is not explicitly mentioned for authentication
         #
         other   auth requisite          pam_authtok_get.so.1
         other   auth required           pam_dhkeys.so.1
         other   auth required           pam_unix_cred.so.1
         other   auth sufficient         pam_krb5.so.1 debug
         other   auth sufficient         pam_krb5.so.1 realm=EXAMPLE1.COM
         other   auth required           pam_unix_auth.so.1
 
         With this configuration, initial authentication is attempted first
         against the default_realm configured in the /etc/krb5/krb5.conf
         file.  If that fails, initial authentication is then attempted
         against the EXAMPLE1.COM realm.
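
To confirm the order in which realms will be tried after editing pam.conf(4) as in NOTE 1, the auth stack can be parsed. The following is an added example, not part of the original README or of Oracle's tooling; the function names krb5_realm_order and sample_pam_conf are hypothetical, and an entry without realm= is reported as default_realm.

```shell
#!/bin/sh
# Added example: list the realms pam_krb5 will try, in stack order,
# for one service's auth stack in a pam.conf(4)-format file.

# The auth stack shown in NOTE 1, embedded so the example runs offline.
sample_pam_conf() {
cat <<'EOF'
# Default definitions for Authentication management
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1 debug
other   auth sufficient         pam_krb5.so.1 realm=EXAMPLE1.COM
other   auth required           pam_unix_auth.so.1
EOF
}

# krb5_realm_order SERVICE [FILE]
# Reads FILE (or stdin) and prints one space-separated line of realms.
# pam.conf fields: service module_type control_flag module_path [options]
krb5_realm_order() {
    awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments, short lines
        $1 == svc && $2 == "auth" &&
        $4 ~ /(^|\/)pam_krb5\.so(\.[0-9]+)?$/ {
            realm = "default_realm"            # no realm= option given
            for (i = 5; i <= NF; i++)
                if ($i ~ /^realm=/) realm = substr($i, 7)
            printf "%s%s", sep, realm
            sep = " "
        }
        END { if (sep != "") print "" }
    ' ${2:+"$2"}
}

# Demo on the embedded stack; on a live system pass /etc/pam.conf instead:
#   krb5_realm_order other /etc/pam.conf
sample_pam_conf | krb5_realm_order other
```

An empty result for a service means no pam_krb5 auth entry applies to that service name in the file.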


README -- Last modified date: Wednesday, December 14, 2016