Patch Name: PHSS_31009

Patch Description: s700_800 11.11 KRB5-Client Version 1.0 cumulative patch

Creation Date: 04/06/23

Post Date: 04/07/12

Repost: 04/07/29 
	The Equivalent Patch information was removed from the patch
	documentation. 

Hardware Platforms - OS Releases:
	s700: 11.11
	s800: 11.11

Products: N/A

Filesets:
	KRB5-Client.KRB5-SHLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
	KRB5-Client.KRB5-PRG,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
	KRB5-Client.KRB5-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
	KRB5-Client.KRB5-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
	KRB5-Client.KRB5-64SLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
	defect_repair enhancement general_release
	manual_dependencies

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_31009

Symptoms:
	PHSS_31009:

	1. SR: 8606365765 CR:JAGaf26395 :
	   The sub section auth_to_local_names and the tag
	   auth_to_local, in the Kerberos configuration file,
	   were not parsed properly.

	PHSS_29486:

	1. SR: 8606283759 CR:JAGae47704 :
	   In a 64-bit environment, an application fails to decrypt
	   messages using the gss context received from the same
	   application after initializing the gss environment.

	PHSS_28940:

	1. SR: 8606303905 CR:JAGae67255 :
	   When a user makes a ticket request to the KDC for a
	   malformed principal, the KDC logs unnecessary messages
	   to the KDC log file.

	PHSS_26850:

	1. SR: 8606256012 CR: JAGae20328 :
	   The Kerberos Client configuration file does not
	   support the appdefaults section to specify the
	   default options for applications, for example,
	   kinit, telnet et cetera.

	2. SR: 8606255026 CR: JAGae19355 :
	   In case of Windows 2000 multidomain, Kerberos Client
	   resolves the principal's realm to the default realm as
	   specified in the Kerberos configuration file.
	   The Kerberos Client should instead, resolve it to the
	   appropriate Windows 2000 domain.

	3. SR: 8606247862 CR: JAGae14262 :
	   The file names in the shared library list need to have an
	   absolute path instead of a relative path.

Defect Description:
	PHSS_31009:

	1. SR: 8606365765 CR:JAGaf26395 :
	   In non default configurations, explicit mapping or the
	   rules-based mapping functionality works incorrectly.
	  Resolution:
	   The code has been modified to handle non-default
	   configurations correctly.

	PHSS_29486:

	1. SR: 8606283759 CR:JAGae47704 :
	   The application fails because the conditional compilation
	   of the variable length in the data structure struct
	   gss_buffer_desc_struct and the variable count in the data
	   structure struct gss_OID_set_desc_struct are not
	   compliant to the RFC 1509 (Generic Security Service API :
	   C-bindings).
	  Resolution:
	   The two structures, gss_buffer_desc_struct and
	   gss_OID_set_desc_struct, have been modified to comply
	   with RFC 1509.

	PHSS_28940:

	1. SR: 8606303905 CR:JAGae67255 :
	   The Kerberos client library does not perform validation
	   for malformed principals in a ticket request and sends
	   the same request to the KDC.
	  Resolution:
	   The code has been modified to handle the malformed
	   principal names.

	PHSS_26850:

	1. SR: 8606256012 CR: JAGae20328 :
	   The kerberos configuration file does not support the
	   appdefaults section, where the application specific
	   defaults can be specified.
	  Resolution:
	   Two new APIs krb5_get_appdefault_string() and
	   krb5_get_appdefault_boolean() have been added to
	   libkrb5.sl. Applications can use these APIs to get the
	   default values from the appdefaults section of the
	   Kerberos Configuration file.

	2. SR: 8606255026 CR: JAGae19355 :
	   If the principal is present in the Windows 2000
	   multidomain, then the Kerberos client should resolve
	   its realm name to the Windows 2000 domain.
	  Resolution:
	   The krb5_parse_name() has been modified to obtain the
	   principal's realm name from the Windows 2000 multidomain
	   if the LDAPUX Windows 2000 multidomain product has been
	   configured. If the principal is not present in the
	   Windows 2000 multidomain then the principal's realm will
	   be the default realm, as specified in the Kerberos
	   Configuration file.

	3. SR: 8606247862 CR: JAGae14262 :
	   While building the libraries relative paths are used,
	   which are recorded in the shared library list.
	  Resolution:
	   The build has been altered to record an absolute path
	   instead of a relative path in the shared library list.

Enhancement:
	No (superseded patches contained enhancements)
	PHSS_26850:
	     This is an enhancement to support appdefaults section
	     in the kerberos configuration file and windows
	     multidomain support for the principal names.

SR:
	8606365765 8606283759 8606303905 8606256012 8606255026
	8606247862

Patch Files:
	
	KRB5-Client.KRB5-SHLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	/usr/lib/libkrb5.sl
	/usr/lib/gss/libgssapi_krb5.sl

	KRB5-Client.KRB5-PRG,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/include/krb5.h
	/usr/include/krb5/gssapi.h

	KRB5-Client.KRB5-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/bin/kinit
	/usr/bin/klist

	KRB5-Client.KRB5-ENG-A-MAN,fr=B.11.11,
		fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/share/man/man4.Z/krb5.conf.4
	/usr/share/man/man1.Z/kinit.1
	/usr/share/man/man1.Z/klist.1

	KRB5-Client.KRB5-64SLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	/usr/lib/pa20_64/libkrb5.sl
	/usr/lib/pa20_64/gss/libgssapi_krb5.sl

what(1) Output:
	
	KRB5-Client.KRB5-SHLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	/usr/lib/libkrb5.sl:
		HP Kerberos V5 1.0 (PHSS_31009) Module: libkrb5.sl D
			ate: Jun 15 2004 12:16:37
	/usr/lib/gss/libgssapi_krb5.sl:
		HP Kerberos V5 1.0 (PHSS_31009) Module: libgssapi_kr
			b5.sl Date: Jun  7 2004 18:19:58

	KRB5-Client.KRB5-PRG,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/include/krb5.h:
		None
	/usr/include/krb5/gssapi.h:
		None

	KRB5-Client.KRB5-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/bin/kinit:
		HP Kerberos V5 1.0 (PHSS_31009) Module: kinit Date: 
			Jun  7 2004 18:22:03
	/usr/bin/klist:
		HP Kerberos V5 1.0 (PHSS_31009) Module: klist Date: 
			Jun  7 2004 18:22:03

	KRB5-Client.KRB5-ENG-A-MAN,fr=B.11.11,
		fa=HP-UX_B.11.11_32/64,v=HP:
	/usr/share/man/man4.Z/krb5.conf.4:
		None
	/usr/share/man/man1.Z/kinit.1:
		None
	/usr/share/man/man1.Z/klist.1:
		None

	KRB5-Client.KRB5-64SLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	/usr/lib/pa20_64/libkrb5.sl:
		HP Kerberos V5 1.0 (PHSS_31009) Module: libkrb5.sl D
			ate: Jun 15 2004 12:19:27
	/usr/lib/pa20_64/gss/libgssapi_krb5.sl:
		HP Kerberos V5 1.0 (PHSS_31009) Module: libgssapi_kr
			b5.sl Date: Jun  7 2004 18:20:47

cksum(1) Output:
	
	KRB5-Client.KRB5-SHLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	1741230745 1110016 /usr/lib/libkrb5.sl
	747026662 253952 /usr/lib/gss/libgssapi_krb5.sl

	KRB5-Client.KRB5-PRG,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	2278134644 104306 /usr/include/krb5.h
	2301076931 23763 /usr/include/krb5/gssapi.h

	KRB5-Client.KRB5-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
	4153795383 45056 /usr/bin/kinit
	23106819 57344 /usr/bin/klist

	KRB5-Client.KRB5-ENG-A-MAN,fr=B.11.11,
		fa=HP-UX_B.11.11_32/64,v=HP:
	1937719455 7868 /usr/share/man/man4.Z/krb5.conf.4
	669823348 3347 /usr/share/man/man1.Z/kinit.1
	3091347552 2251 /usr/share/man/man1.Z/klist.1

	KRB5-Client.KRB5-64SLIB,fr=B.11.11,fa=HP-UX_B.11.11_32/64,
		v=HP:
	37709790 708952 /usr/lib/pa20_64/libkrb5.sl
	1434905715 176136 /usr/lib/pa20_64/gss/libgssapi_krb5.sl

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies:
	PHSS_29487 needs to be installed for 64-bit applications
	using the Kerberos security mechanism and are linked to
	the libgss.sl library.

Supersedes:
	PHSS_26850 PHSS_28940 PHSS_29486

Equivalent Patches: None

Patch Package Size: 770 KBytes

Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

	2. Login as root.

	3. Copy the patch to the /tmp directory.

	4. Move to the /tmp directory and unshar the patch:

		cd /tmp
		sh PHSS_31009

	5. Run swinstall to install the patch:

		swinstall -x autoreboot=true -x patch_match_target=true \
			  -s /tmp/PHSS_31009.depot

	By default swinstall will archive the original software in 
	/var/adm/sw/save/PHSS_31009.  If you do not wish to retain a
	copy of the original software, include the patch_save_files
	option in the swinstall command above:

		-x patch_save_files=false

	WARNING: If patch_save_files is false when a patch is installed,
		 the patch cannot be deinstalled.  Please be careful
		 when using this feature.

	For future reference, the contents of the PHSS_31009.text file is 
	available in the product readme:

		swlist -l product -a readme -d @ /tmp/PHSS_31009.depot

	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

		dd if=/tmp/PHSS_31009.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
	After installing this patch all 64-bit applications built
	from the source including the /usr/include/krb5/gssapi.h
	header file, should be rebuild.