author Patrick J Volkerding <volkerdi@slackware.com>2020-01-21 21:23:01 +0000
committer Eric Hameleers <alien@slackware.com>2020-01-21 23:32:58 +0100
commitf6348b0bc1f332196f8a8c73fa6ba48ee3cb9310 (patch)
treeacd350c3910603b17ce1ba77027df00a4e761eb4 /source/n/krb5/conf
parentad9f88ee031d17270554ccca814496cf55f25bc5 (diff)
Tue Jan 21 21:23:01 UTC 202020200121212301
a/aaa_elflibs-15.0-x86_64-19.txz: Rebuilt. Upgraded: libcap.so.2.31, libgmp.so.10.4.0, libgmpxx.so.4.6.0. Added: libgssapi_krb5.so.2.2, libk5crypto.so.3.1, libkrb5.so.3.3, libkrb5support.so.0.1. a/util-linux-2.35-x86_64-1.txz: Upgraded. d/python-pip-20.0.1-x86_64-1.txz: Upgraded. l/Mako-1.1.1-x86_64-1.txz: Upgraded. l/keyutils-1.6.1-x86_64-1.txz: Upgraded. n/krb5-1.17-x86_64-1.txz: Added. Nothing links to this yet, but we'll need it soon enough. :-) n/php-7.4.2-x86_64-1.txz: Upgraded. This update fixes bugs and security issues: Standard: OOB read in php_strip_tags_ex Mbstring: global buffer-overflow in 'mbfl_filt_conv_big5_wchar' For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060 (* Security fix *) n/samba-4.11.5-x86_64-1.txz: Upgraded. This update fixes the following security issues: Replication of ACLs set to inherit down a subtree on AD Directory not automatic. Crash after failed character conversion at log level 3 or above. Use after free during DNS zone scavenging in Samba AD DC. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14902 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14907 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19344 (* Security fix *) xap/gparted-1.1.0-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/n/krb5/conf')
-rw-r--r--source/n/krb5/conf/kadmind2
-rw-r--r--source/n/krb5/conf/kdc.conf.example35
-rw-r--r--source/n/krb5/conf/kpropd2
-rw-r--r--source/n/krb5/conf/krb5.conf.example29
-rw-r--r--source/n/krb5/conf/krb5kdc2
-rw-r--r--source/n/krb5/conf/rc.kadmind40
-rw-r--r--source/n/krb5/conf/rc.kpropd41
-rw-r--r--source/n/krb5/conf/rc.krb5kdc41
8 files changed, 192 insertions, 0 deletions
diff --git a/source/n/krb5/conf/kadmind b/source/n/krb5/conf/kadmind
new file mode 100644
index 000000000..5913ac120
--- /dev/null
+++ b/source/n/krb5/conf/kadmind
@@ -0,0 +1,2 @@
+# To set additional options for kadmind, add them in the variable below:
+KADMIND_OPTIONS=""
diff --git a/source/n/krb5/conf/kdc.conf.example b/source/n/krb5/conf/kdc.conf.example
new file mode 100644
index 000000000..1c7cc3a94
--- /dev/null
+++ b/source/n/krb5/conf/kdc.conf.example
@@ -0,0 +1,35 @@
+[kdcdefaults]
+ kdc_listen = 88
+ kdc_tcp_listen = 88
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kadmind_port = 749
+ max_life = 12h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts-hmac-sha1-96
+ supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
+ database_module = openldap_ldapconf
+ }
+
+[logging]
+ kdc = FILE:/var/kerberos/krb5kdc/kdc.log
+ admin_server = FILE:/var/kerberos/krb5kdc/kadmin.log
+
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+ openldap_ldapconf = {
+ db_library = kldap
+ disable_last_success = true
+ ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+ # this object needs to have read rights on
+ # the realm container and principal subtrees
+ ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+ # this object needs to have read and write rights on
+ # the realm container and principal subtrees
+ ldap_service_password_file = /etc/kerberos/service.keyfile
+ ldap_servers = ldaps://kerberos.mit.edu
+ ldap_conns_per_server = 5
+ }
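Review bot: `ldap_kdc_dn` and `ldap_kadmind_dn` are both set to `cn=krbadmin,dc=mit,dc=edu`, although the comments under them say the KDC identity needs only read rights while the kadmind identity needs read and write. Anyone who copies the example ends up binding the network-facing KDC with a write-capable account, so the separation the comments describe is lost. I would give the two daemons separate bind DNs, for example (constructed names) `ldap_kdc_dn = "cn=kdc-service,dc=mit,dc=edu"` and `ldap_kadmind_dn = "cn=adm-service,dc=mit,dc=edu"`. A comment above `ldap_service_password_file` stating that the file holds the bind passwords and must be readable by root only would also help.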
diff --git a/source/n/krb5/conf/kpropd b/source/n/krb5/conf/kpropd
new file mode 100644
index 000000000..cc65d10b4
--- /dev/null
+++ b/source/n/krb5/conf/kpropd
@@ -0,0 +1,2 @@
+# To set additional options for kpropd, add them in the variable below:
+KPROPD_OPTIONS=""
diff --git a/source/n/krb5/conf/krb5.conf.example b/source/n/krb5/conf/krb5.conf.example
new file mode 100644
index 000000000..705e7cf30
--- /dev/null
+++ b/source/n/krb5/conf/krb5.conf.example
@@ -0,0 +1,29 @@
+[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ dns_lookup_kdc = true
+ dns_lookup_realm = false
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ kdc = kerberos-1.mit.edu
+ kdc = kerberos-2.mit.edu
+ admin_server = kerberos.mit.edu
+ master_kdc = kerberos.mit.edu
+ }
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ kdc = kerberos-1.example.com
+ admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+ ATHENA.MIT.EDU = {
+ EXAMPLE.COM = .
+ }
+ EXAMPLE.COM = {
+ ATHENA.MIT.EDU = .
+ }
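Review bot: The example has no header comment marking it as a template, and the realm and host names in `[libdefaults]` and `[realms]` (`ATHENA.MIT.EDU`, `kerberos.mit.edu`) look like a real site's values rather than placeholders. A copy installed unchanged would presumably send authentication requests to those hosts. I would add a leading comment such as `# Example only: replace ATHENA.MIT.EDU, EXAMPLE.COM and the kdc/admin_server host names with your own realm before installing this as krb5.conf.`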
diff --git a/source/n/krb5/conf/krb5kdc b/source/n/krb5/conf/krb5kdc
new file mode 100644
index 000000000..6679d1b80
--- /dev/null
+++ b/source/n/krb5/conf/krb5kdc
@@ -0,0 +1,2 @@
+# To set additional options for krb5kdc, add them in the variable below:
+KRB5KDC_OPTIONS=""
diff --git a/source/n/krb5/conf/rc.kadmind b/source/n/krb5/conf/rc.kadmind
new file mode 100644
index 000000000..2f838a7c4
--- /dev/null
+++ b/source/n/krb5/conf/rc.kadmind
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Start the Kerberos administration server. This typically runs on the
+# master Kerberos server, which stores the KDC database.
+
+# To change the default options, edit /etc/default/kadmind.
+if [ -r /etc/default/kadmind ]; then
+ . /etc/default/kadmind
+fi
+
+start_atd() {
+ if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/kadmind" 1> /dev/null 2> /dev/null ; then
+ echo "Starting kadmind: /usr/sbin/kadmind $KADMIND_OPTIONS"
+ /usr/sbin/kadmind $KADMIND_OPTIONS
+ fi
+}
+
+stop_atd() {
+ echo "Stopping kadmind."
+ /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/kadmind" 2> /dev/null
+}
+
+restart_atd() {
+ stop_atd
+ sleep 1
+ start_atd
+}
+
+case "$1" in
+'start')
+ start_atd
+ ;;
+'stop')
+ stop_atd
+ ;;
+'restart')
+ restart_atd
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
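Review bot: `restart_atd` can leave kadmind stopped: `stop_atd` only sends the signal, and if the daemon takes longer than the fixed `sleep 1` to exit, the `pgrep` guard in `start_atd` still sees the old process and silently skips the start. The same pattern is in rc.kpropd and rc.krb5kdc, where an unnoticed failed restart of the KDC means an authentication outage. A bounded wait for the old process to disappear before starting would close the gap, as sketched below.

```shell
restart_atd() {
  stop_atd
  # Wait (bounded) for the old process to exit so the pgrep guard in
  # start_atd does not skip the start.
  i=0
  while [ $i -lt 10 ] && /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/kadmind" 1> /dev/null 2> /dev/null ; do
    sleep 1
    i=$((i + 1))
  done
  start_atd
}
```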
diff --git a/source/n/krb5/conf/rc.kpropd b/source/n/krb5/conf/rc.kpropd
new file mode 100644
index 000000000..8dde85d87
--- /dev/null
+++ b/source/n/krb5/conf/rc.kpropd
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Start the Kerberos V5 slave KDC update server. This runs on a slave
+# (secondary) KDC server. It allows the master Kerberos server to use
+# kprop(8) to propagate its database to the slave servers.
+
+# To change the default options, edit /etc/default/kpropd.
+if [ -r /etc/default/kpropd ]; then
+ . /etc/default/kpropd
+fi
+
+start_atd() {
+ if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/kpropd" 1> /dev/null 2> /dev/null ; then
+ echo "Starting kpropd: /usr/sbin/kpropd $KPROPD_OPTIONS"
+ /usr/sbin/kpropd $KPROPD_OPTIONS
+ fi
+}
+
+stop_atd() {
+ echo "Stopping kpropd."
+ /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/kpropd" 2> /dev/null
+}
+
+restart_atd() {
+ stop_atd
+ sleep 1
+ start_atd
+}
+
+case "$1" in
+'start')
+ start_atd
+ ;;
+'stop')
+ stop_atd
+ ;;
+'restart')
+ restart_atd
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
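Review bot: The functions are named `start_atd`, `stop_atd` and `restart_atd`, which looks like a leftover from an atd init script; the same names appear in rc.kadmind and rc.krb5kdc. Renaming them per daemon (here `start_kpropd`, `stop_kpropd`, `restart_kpropd`) would keep process listings and `sh -x` traces unambiguous. Separately, the `*)` branch prints the usage line but falls through with status 0, so a caller cannot detect a bad argument; I would add `exit 1` after the `echo`.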
diff --git a/source/n/krb5/conf/rc.krb5kdc b/source/n/krb5/conf/rc.krb5kdc
new file mode 100644
index 000000000..5e9baef1a
--- /dev/null
+++ b/source/n/krb5/conf/rc.krb5kdc
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Start krb5kdc, which is the Kerberos version 5 Authentication Service
+# and Key Distribution Center (AS/KDC). This needs to run first on both
+# master and secondary KDCs.
+
+# To change the default options, edit /etc/default/krb5kdc.
+if [ -r /etc/default/krb5kdc ]; then
+ . /etc/default/krb5kdc
+fi
+
+start_atd() {
+ if ! /usr/bin/pgrep --ns $$ --euid root -f "^/usr/sbin/krb5kdc" 1> /dev/null 2> /dev/null ; then
+ echo "Starting krb5kdc: /usr/sbin/krb5kdc $KRB5KDC_OPTIONS"
+ /usr/sbin/krb5kdc $KRB5KDC_OPTIONS
+ fi
+}
+
+stop_atd() {
+ echo "Stopping krb5kdc."
+ /usr/bin/pkill --ns $$ --euid root -f "^/usr/sbin/krb5kdc" 2> /dev/null
+}
+
+restart_atd() {
+ stop_atd
+ sleep 1
+ start_atd
+}
+
+case "$1" in
+'start')
+ start_atd
+ ;;
+'stop')
+ stop_atd
+ ;;
+'restart')
+ restart_atd
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac