File _service:download_src_package:krb5.spec of Package krb5

%define anolis_release 2

%bcond_with check
%if %{without check}
%global skipcheck 1
%endif

%if 0%{?copr_username:1}
%global skipcheck 1
%endif

%global gettext_domain mit-krb5
%define libsdocdir %{?_pkgdocdir:%(echo %{_pkgdocdir} | sed -e s,krb5,krb5-libs,g)}%{!?_pkgdocdir:%{_docdir}/%{name}-libs-%{version}}
%global configure_default_ccache_name 1
%global configured_default_ccache_name KEYRING:persistent:%%{uid}

%global kdbversion 8.0

Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.2
Release: %{anolis_release}%{?dist}

Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}.tar.gz.asc

Source2: kprop.service
Source4: kadmin.service
Source5: krb5kdc.service
Source6: krb5.conf
Source10: kdc.conf
Source11: kadm5.acl
Source19: krb5kdc.sysconfig
Source20: kadmin.sysconfig
Source21: kprop.sysconfig
Source29: ksu.pamd
Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
Source39: krb5-krb5kdc.conf

Patch0: downstream-ksu-pam-integration.patch
Patch1: downstream-SELinux-integration.patch
Patch3: downstream-netlib-and-dns.patch
Patch4: downstream-fix-debuginfo-with-y.tab.c.patch
Patch5: downstream-Remove-3des-support.patch
Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
Patch8: Add-APIs-for-marshalling-credentials.patch
Patch9: Add-hostname-canonicalization-helper-to-k5test.py.patch
Patch10: Support-host-based-GSS-initiator-names.patch
Patch11: Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
Patch12: Fix-KCM-flag-transmission-for-remove_cred.patch
Patch13: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
Patch14: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
Patch15: Fix-KCM-retrieval-support-for-sssd.patch
Patch17: Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
Patch18: Fix-some-principal-realm-canonicalization-cases.patch
Patch19: Allow-kinit-with-keytab-to-defer-canonicalization.patch
Patch20: Fix-kadmin-k-with-fallback-or-referral-realm.patch
Patch21: Fix-softpkcs11-build-issues-with-openssl-3.0.patch
Patch22: Remove-deprecated-OpenSSL-calls-from-softpkcs11.patch
Patch23: Fix-k5tls-module-for-OpenSSL-3.patch
Patch24: Fix-leaks-on-error-in-kadm5-init-functions.patch
Patch25: Clean-up-context-after-failed-open-in-libkdb5.patch
Patch26: Use-asan-in-one-of-the-CI-builds.patch
Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch
Patch30: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
Patch32: Add-buildsystem-detection-of-the-OpenSSL-3-KDF-inter.patch
Patch33: Use-OpenSSL-s-SSKDF-in-PKINIT-when-available.patch
Patch34: Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch
Patch35: Handle-OpenSSL-3-s-providers.patch
Patch36: Remove-TCL-based-libkadm5-API-tests.patch

License: MIT
URL: https://web.mit.edu/kerberos/www/
BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
BuildRequires: gcc, gcc-c++
BuildRequires: libcom_err-devel, libedit-devel, libss-devel
BuildRequires: gzip, ncurses-devel
BuildRequires: python3, python3-sphinx
BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
BuildRequires: libselinux-devel
BuildRequires: pam-devel
BuildRequires: systemd-units
BuildRequires: tcl-devel
BuildRequires: libverto-devel
BuildRequires: openldap-devel
BuildRequires: lmdb-devel
BuildRequires: perl-interpreter

BuildRequires: git

%if 0%{?skipcheck}
%else
BuildRequires: dejagnu
BuildRequires: net-tools, rpcbind
BuildRequires: hostname
BuildRequires: iproute
BuildRequires: python3-pyrad
BuildRequires: procps-ng
%endif

BuildRequires: openssl-devel => 1:3.0.0

%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

%package devel
Summary: Development files needed to compile Kerberos 5 programs
Requires: %{name}-libs = %{version}-%{release}
Requires: libkadm5 = %{version}-%{release}
Requires: libcom_err-devel
Requires: keyutils-libs-devel, libselinux-devel
Requires: libverto-devel
Provides: krb5-kdb-devel-version = %{kdbversion}

%description devel
Kerberos is a network authentication system. The krb5-devel package
contains the header files and libraries needed for compiling Kerberos
5 programs. If you want to develop Kerberos-aware programs, you need
to install this package.

%package libs
Summary: The non-admin shared libraries used by Kerberos 5
Requires: openssl-libs >= 1:3.0.0
Requires: coreutils, gawk, sed
Requires: keyutils-libs >= 1.5.8
Requires: /etc/crypto-policies/back-ends/krb5.config

%description libs
Kerberos is a network authentication system. The krb5-libs package
contains the shared libraries needed by Kerberos 5. If you are using
Kerberos, you need to install this package.

%package doc
Summary:        Documentation files for %{name}
Requires:       %{name}-libs = %{version}-%{release}
BuildArch:      noarch

%description    doc
The %{name}-doc package contains documentation files for %{name}.

%package server
Summary: The KDC and related programs for Kerberos 5
Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-pkinit = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: logrotate
Requires: /usr/share/dict/words
BuildRequires: libverto-module-base
Requires: libverto-module-base
Requires: libkadm5 = %{version}-%{release}
Provides: krb5-kdb-version = %{kdbversion}

%description server
Kerberos is a network authentication system. The krb5-server package
contains the programs that must be installed on a Kerberos 5 key
distribution center (KDC).  If you are installing a Kerberos 5 KDC,
you need to install this package (in other words, most people should
NOT install this package).

%package server-ldap
Summary: The LDAP storage plugin for the Kerberos 5 KDC
Requires: %{name}-server = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
Requires: libkadm5 = %{version}-%{release}

%description server-ldap
Kerberos is a network authentication system. The krb5-server package
contains the programs that must be installed on a Kerberos 5 key
distribution center (KDC).  If you are installing a Kerberos 5 KDC,
and you wish to use a directory server to store the data for your
realm, you need to install this package.

%package workstation
Summary: Kerberos 5 programs for use on workstations
Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-pkinit = %{version}-%{release}
Requires: libkadm5 = %{version}-%{release}

%description workstation
Kerberos is a network authentication system. The krb5-workstation
package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd). If your network uses Kerberos, this package should be
installed on every workstation.

%package pkinit
Summary: The PKINIT module for Kerberos 5
Requires: %{name}-libs = %{version}-%{release}
Obsoletes: krb5-pkinit-openssl < %{version}-%{release}
Provides: krb5-pkinit-openssl = %{version}-%{release}

%description pkinit
Kerberos is a network authentication system. The krb5-pkinit
package contains the PKINIT plugin, which allows clients
to obtain initial credentials from a KDC using a private key and a
certificate.

%package -n libkadm5
Summary: Kerberos 5 Administrative libraries
Requires: %{name}-libs = %{version}-%{release}

%description -n libkadm5
Kerberos is a network authentication system. The libkadm5 package
contains only the libkadm5clnt and libkadm5serv shared objects. This
interface is not considered stable.

%prep
%autosetup -S git_am -n %{name}-%{version}
ln NOTICE LICENSE

inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
cat > '60kerberos.ldif' << EOF
# This is a variation on kerberos.ldif which 389 Directory Server will like.
dn: cn=schema
EOF
grep -Eiv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif
touch -r $inldif 60kerberos.ldif

pushd src
autoreconf -fiv
popd

cfg="src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
sed -i -e s,61000,`expr "$PORT" + 0`,g $cfg
PORT=`expr 1750 + $LONG_BIT - 48`
sed -i -e s,1750,`expr "$PORT" + 0`,g $cfg
sed -i -e s,1751,`expr "$PORT" + 1`,g $cfg
sed -i -e s,1752,`expr "$PORT" + 2`,g $cfg
PORT=`expr 8888 + $LONG_BIT - 48`
sed -i -e s,8888,`expr "$PORT" - 0`,g $cfg
sed -i -e s,8887,`expr "$PORT" - 1`,g $cfg
sed -i -e s,8886,`expr "$PORT" - 2`,g $cfg
PORT=`expr 7777 + $LONG_BIT - 48`
sed -i -e s,7777,`expr "$PORT" + 0`,g $cfg
sed -i -e s,7778,`expr "$PORT" + 1`,g $cfg

%build
source %{_libdir}/tclConfig.sh
pushd src

export runstatedir=/run

INCLUDES=-I%{_includedir}/et
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
CPPFLAGS="`echo $DEFINES $INCLUDES`"
%configure \
    CC="%{__cc}" \
    CFLAGS="$CFLAGS" \
    CPPFLAGS="$CPPFLAGS" \
    SS_LIB="-lss" \
    --enable-shared \
    --runstatedir=/run \
    --localstatedir=%{_var}/kerberos \
    --disable-rpath \
    --without-krb5-config \
    --with-system-et \
    --with-system-ss \
    --with-netlib=-lresolv \
    --with-tcl \
    --enable-dns-for-realm \
    --with-ldap \
    --with-dirsrv-account-locking \
    --enable-pkinit \
    --with-crypto-impl=openssl \
    --with-tls-impl=openssl \
    --with-system-verto \
    --with-pam \
    --with-selinux \
    --with-prng-alg=os \
    --with-lmdb \
    || (cat config.log; exit 1)

pushd include
make osconf.h
popd
configured_dir=`grep KDC_RUN_DIR include/osconf.h | awk '{print $NF}'`
configured_dir=`eval echo $configured_dir`
if test "$configured_dir" != /run/krb5kdc ; then
    echo Failed to configure KDC_RUN_DIR.
    exit 1
fi

make %{?_smp_mflags} || make -j1
popd

make -C src/doc paths.py version.py
cp src/doc/paths.py doc/
mkdir -p build-man build-html
sphinx-build -a -b man   -t pathsubs doc build-man
sphinx-build -a -b html  -t pathsubs doc build-html
rm -fr build-html/_sources

%if 0%{?skipcheck}
%else
%check
pushd src

keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
popd
%endif

%install
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"

mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
install -pm 600 %{SOURCE10} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
install -pm 600 %{SOURCE11} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/

mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5/user

mkdir -p $RPM_BUILD_ROOT/etc
install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf

mkdir -p $RPM_BUILD_ROOT/etc/krb5.conf.d
ln -sv /etc/crypto-policies/back-ends/krb5.config $RPM_BUILD_ROOT/etc/krb5.conf.d/crypto-policies

mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss
mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss/mech.d

%if 0%{?configure_default_ccache_name}
export DEFCCNAME="%{configured_default_ccache_name}"
awk '{print}
     /^#    default_realm/{print "    default_ccache_name =", ENVIRON["DEFCCNAME"]}' \
     %{SOURCE6} > $RPM_BUILD_ROOT/etc/krb5.conf
touch -r %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
grep default_ccache_name $RPM_BUILD_ROOT/etc/krb5.conf
%endif

mkdir -p $RPM_BUILD_ROOT%{_unitdir}
for unit in \
    %{SOURCE5}\
     %{SOURCE4} \
     %{SOURCE2} ; do
    install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir}
done
mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc

mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
for sysconfig in %{SOURCE19} %{SOURCE20} %{SOURCE21} ; do
    install -pm 644 ${sysconfig} \
            $RPM_BUILD_ROOT/etc/sysconfig/`basename ${sysconfig} .sysconfig`
done

mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d/
for logrotate in \
    %{SOURCE33} \
     %{SOURCE34} ; do
    install -pm 644 ${logrotate} \
            $RPM_BUILD_ROOT/etc/logrotate.d/`basename ${logrotate} .logrotate`
done

mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
for pam in %{SOURCE29} ; do
    install -pm 644 ${pam} \
            $RPM_BUILD_ROOT/etc/pam.d/`basename ${pam} .pamd`
done

install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata

%make_install -C src EXAMPLEDIR=%{libsdocdir}/examples

sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config

sed -i -r -e 's/^(LDFLAGS=).*/\1/' $RPM_BUILD_ROOT%{_bindir}/krb5-config

for section in 1 5 8 ; do
    install -m 644 build-man/*.${section} \
            $RPM_BUILD_ROOT/%{_mandir}/man${section}/
done

rm -- "$RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/sim_server"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/gss-server"
rm -- "$RPM_BUILD_ROOT/%{_sbindir}/uuserver"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/sim_client"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/gss-client"
rm -- "$RPM_BUILD_ROOT/%{_bindir}/uuclient"

rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"

rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"

%find_lang %{gettext_domain}

%ldconfig_scriptlets libs

%ldconfig_scriptlets server-ldap

%post server
%systemd_post krb5kdc.service kadmin.service kprop.service
/bin/systemctl daemon-reload
exit 0

%preun server
%systemd_preun krb5kdc.service kadmin.service kprop.service
exit 0

%postun server
%systemd_postun_with_restart krb5kdc.service kadmin.service kprop.service
exit 0

%ldconfig_scriptlets -n libkadm5

%files workstation
%doc src/config-files/services.append
%doc src/config-files/krb5.conf
%doc build-html/*
%attr(0755,root,root) %doc src/config-files/convert-config-files

%{_bindir}/kdestroy
%{_mandir}/man1/kdestroy.1*
%{_bindir}/kinit
%{_mandir}/man1/kinit.1*
%{_bindir}/klist
%{_mandir}/man1/klist.1*
%{_bindir}/kpasswd
%{_mandir}/man1/kpasswd.1*
%{_bindir}/kswitch
%{_mandir}/man1/kswitch.1*

%{_bindir}/kvno
%{_mandir}/man1/kvno.1*
%{_bindir}/kadmin
%{_mandir}/man1/kadmin.1*
%{_bindir}/k5srvutil
%{_mandir}/man1/k5srvutil.1*
%{_bindir}/ktutil
%{_mandir}/man1/ktutil.1*

%attr(4755,root,root) %{_bindir}/ksu
%{_mandir}/man1/ksu.1*
%config(noreplace) /etc/pam.d/ksu

%files server
%docdir %{_mandir}
%doc src/config-files/kdc.conf
%{_unitdir}/krb5kdc.service
%{_unitdir}/kadmin.service
%{_unitdir}/kprop.service
%{_tmpfilesdir}/krb5-krb5kdc.conf
%dir %{_localstatedir}/run/krb5kdc
%config(noreplace) /etc/sysconfig/krb5kdc
%config(noreplace) /etc/sysconfig/kadmin
%config(noreplace) /etc/sysconfig/kprop
%config(noreplace) /etc/logrotate.d/krb5kdc
%config(noreplace) /etc/logrotate.d/kadmind

%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5kdc
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl

%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/authdata
%{_libdir}/krb5/plugins/preauth/otp.so
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/kdb/klmdb.so

%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man5/kdc.conf.5*
%{_sbindir}/kadmin.local
%{_mandir}/man8/kadmin.local.8*
%{_sbindir}/kadmind
%{_mandir}/man8/kadmind.8*
%{_sbindir}/kdb5_util
%{_mandir}/man8/kdb5_util.8*
%{_sbindir}/kprop
%{_mandir}/man8/kprop.8*
%{_sbindir}/kpropd
%{_mandir}/man8/kpropd.8*
%{_sbindir}/kproplog
%{_mandir}/man8/kproplog.8*
%{_sbindir}/krb5kdc
%{_mandir}/man8/krb5kdc.8*

%{_bindir}/sclient
%{_mandir}/man1/sclient.1*
%{_sbindir}/sserver
%{_mandir}/man8/sserver.8*

%files server-ldap
%docdir %{_mandir}
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%doc 60kerberos.ldif
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%{_libdir}/krb5/plugins/kdb/kldap.so
%{_libdir}/libkdb_ldap.so
%{_libdir}/libkdb_ldap.so.*
%{_mandir}/man8/kdb5_ldap_util.8.gz
%{_sbindir}/kdb5_ldap_util

%files libs -f %{gettext_domain}.lang
%{!?_licensedir:%global license %%doc}
%license LICENSE
%docdir %{_mandir}
%dir /etc/gss
%dir /etc/gss/mech.d
%dir /etc/krb5.conf.d
%config(noreplace) /etc/krb5.conf
%config(noreplace,missingok) /etc/krb5.conf.d/crypto-policies
/%{_mandir}/man5/.k5identity.5*
/%{_mandir}/man5/.k5login.5*
/%{_mandir}/man5/k5identity.5*
/%{_mandir}/man5/k5login.5*
/%{_mandir}/man5/krb5.conf.5*
/%{_mandir}/man7/kerberos.7*
%{_libdir}/libgssapi_krb5.so.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/*
%{_libdir}/krb5/plugins/tls/k5tls.so
%{_libdir}/krb5/plugins/preauth/spake.so
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5
%dir %{_var}/kerberos/krb5/user

%files doc
%doc README NOTICE

%files pkinit
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so

%files devel
%docdir %{_mandir}

%{_includedir}/*
%{_libdir}/libgssapi_krb5.so
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrad.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/pkgconfig/*

%{_bindir}/krb5-config
%{_mandir}/man1/krb5-config.1*

%files -n libkadm5
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*

%changelog
* Mon Oct 10 2022 mgb01105731 <mgb01105731@alibaba-inc.com> - 1.19.2-2
- add doc package

* Tue Mar 15 2022 forrest_ly <flin@linux.alibaba.com> - 1.19.2-1 
- Init for Anolis OS 23