Red Hat Bugzilla – Attachment 149200 Details for
Bug 230881
Document that LDAP + Kerberos doesn't work
[patch]
Patch to allow building a libuser with a libuser_krb5.so that (mostly) works
libuser-krb5.patch (text/plain), 156.95 KB, created by
Jerry James
on 2007-03-04 05:55:21 UTC
Description:
Patch to allow building a libuser with a libuser_krb5.so that (mostly) works
Filename:
MIME Type:
Creator:
Jerry James
Created:
2007-03-04 05:55:21 UTC
Size:
156.95 KB
>diff -durN libuser-0.54.7.ORIG/configure.in libuser-0.54.7/configure.in
>--- libuser-0.54.7.ORIG/configure.in 2006-09-25 07:48:01.000000000 -0600
>+++ libuser-0.54.7/configure.in 2007-03-03 22:27:53.000000000 -0700
>@@ -148,8 +148,7 @@
>
> GTK_DOC_CHECK
>
>-dnl Does not even compile
>-AM_CONDITIONAL([KRB5], [false])
>+AM_CONDITIONAL([KRB5], [true])
>
> AC_CONFIG_FILES([Makefile po/Makefile.in docs/Makefile docs/reference/Makefile
> libuser.pc])
>diff -durN libuser-0.54.7.ORIG/Makefile.am libuser-0.54.7/Makefile.am
>--- libuser-0.54.7.ORIG/Makefile.am 2006-04-30 23:04:17.000000000 -0600
>+++ libuser-0.54.7/Makefile.am 2007-03-03 22:27:53.000000000 -0700
>@@ -182,7 +182,7 @@
> modules_libuser_krb5_la_CPPFLAGS = $(AM_CPPFLAGS) -D_LIBUSER_MODULE
> modules_libuser_krb5_la_SOURCES = modules/krb5.c
> modules_libuser_krb5_la_LDFLAGS = -module -avoid-version -export-dynamic \
>- $(GOBJECT_LIBS)
>+ $(GOBJECT_LIBS) -lkadm5clnt
> modules_libuser_krb5_la_LIBADD = lib/libuser.la
>
> modules_libuser_ldap_la_CPPFLAGS = $(AM_CPPFLAGS) -D_LIBUSER_MODULE
>diff -durN libuser-0.54.7.ORIG/modules/autoconf.h libuser-0.54.7/modules/autoconf.h
>--- libuser-0.54.7.ORIG/modules/autoconf.h 1969-12-31 17:00:00.000000000 -0700
>+++ libuser-0.54.7/modules/autoconf.h 2007-03-03 22:27:53.000000000 -0700
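Review bot: `AM_CONDITIONAL([KRB5], [true])` in the configure.in hunk turns the krb5 module on for every build without any configure-time probe for the kadm5 client library or its headers, so a host that lacks them now fails at compile or link time rather than at configure. The attachment describes the resulting module as one that "(mostly) works", which argues for making an account-management backend like this opt-in rather than default. I would gate it on an option, e.g. `AC_ARG_WITH([krb5], [AS_HELP_STRING([--with-krb5], [build the Kerberos module])], [], [with_krb5=no])` followed by `AM_CONDITIONAL([KRB5], [test "x$with_krb5" = xyes])`, and run an `AC_CHECK_LIB` for the kadm5 client library when the option is given.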
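Review bot: `-lkadm5clnt` is appended to `modules_libuser_krb5_la_LDFLAGS` in the Makefile.am hunk, but automake places `_LDFLAGS` before the objects on the link line, so with `--as-needed` or a static archive the dependency can be dropped and the module is left with unresolved kadm5 symbols until it is loaded. The hunk follows the existing `$(GOBJECT_LIBS)` placement, yet the library belongs in `_LIBADD`: `modules_libuser_krb5_la_LIBADD = lib/libuser.la -lkadm5clnt`. The context line `modules_libuser_krb5_la_SOURCES = modules/krb5.c` is also left unchanged although the same patch adds `modules/autoconf.h` and `modules/k5-platform.h`; if krb5.c includes them (not visible here), they need listing so that `make dist` ships them. That copied `autoconf.h` is configure output from one build host (it fixes choices such as `KRB5_KRB4_COMPAT` and `KRB5_DNS_LOOKUP_KDC`), so a comment stating which krb5 release it was taken from would help whoever has to refresh it.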
>@@ -0,0 +1,694 @@ >+/* include/autoconf.h. Generated by configure. */ >+/* include/autoconf.h.in. Generated from configure.in by autoheader. */ >+ >+ >+#ifndef KRB5_AUTOCONF_H >+#define KRB5_AUTOCONF_H >+ >+ >+/* Define if ANSI stdio is present (in particular "b" option to fopen) */ >+#define ANSI_STDIO 1 >+ >+/* Define if __attribute__((constructor)) works */ >+#define CONSTRUCTOR_ATTR_WORKS 1 >+ >+/* Define if library initialization should be delayed until first use */ >+#define DELAY_INITIALIZER 1 >+ >+/* Define if __attribute__((destructor)) works */ >+#define DESTRUCTOR_ATTR_WORKS 1 >+ >+/* Define if thread support enabled */ >+#define ENABLE_THREADS 1 >+ >+/* Define as return type of endrpcent */ >+#define ENDRPCENT_TYPE void >+ >+/* Define to the type of elements in the array set by `getgroups'. Usually >+ this is either `int' or `gid_t'. */ >+#define GETGROUPS_T gid_t >+ >+/* Define if gethostbyname_r returns int rather than struct hostent * */ >+#define GETHOSTBYNAME_R_RETURNS_INT 1 >+ >+/* Type of getpeername second argument. */ >+#define GETPEERNAME_ARG2_TYPE GETSOCKNAME_ARG2_TYPE >+ >+/* Type of getpeername second argument. */ >+#define GETPEERNAME_ARG3_TYPE GETSOCKNAME_ARG3_TYPE >+ >+/* Define if getpwnam_r exists but takes only 4 arguments (e.g., POSIX draft 6 >+ implementations like some Solaris releases). */ >+/* #undef GETPWNAM_R_4_ARGS */ >+ >+/* Define if getpwnam_r returns an int */ >+#define GETPWNAM_R_RETURNS_INT 1 >+ >+/* Define if getpwuid_r exists but takes only 4 arguments (e.g., POSIX draft 6 >+ implementations like some Solaris releases). 
*/ >+/* #undef GETPWUID_R_4_ARGS */ >+ >+/* Define if getservbyname_r returns int rather than struct servent * */ >+#define GETSERVBYNAME_R_RETURNS_INT 1 >+ >+/* Type of pointer target for argument 2 to getsockname */ >+#define GETSOCKNAME_ARG2_TYPE struct sockaddr >+ >+/* Type of pointer target for argument 3 to getsockname */ >+#define GETSOCKNAME_ARG3_TYPE socklen_t >+ >+/* Define if gmtime_r returns int instead of struct tm pointer, as on old >+ HP-UX systems. */ >+/* #undef GMTIME_R_RETURNS_INT */ >+ >+/* Define to 1 if you have the `access' function. */ >+#define HAVE_ACCESS 1 >+ >+/* Define to 1 if you have the <alloca.h> header file. */ >+#define HAVE_ALLOCA_H 1 >+ >+/* Define to 1 if you have the <arpa/inet.h> header file. */ >+#define HAVE_ARPA_INET_H 1 >+ >+/* Define to 1 if you have the `bswap16' function. */ >+/* #undef HAVE_BSWAP16 */ >+ >+/* Define to 1 if you have the `bswap64' function. */ >+/* #undef HAVE_BSWAP64 */ >+ >+/* Define to 1 if bswap_16 is available via byteswap.h */ >+#define HAVE_BSWAP_16 1 >+ >+/* Define to 1 if bswap_64 is available via byteswap.h */ >+#define HAVE_BSWAP_64 1 >+ >+/* Define if bt_rseq is available, for recursive btree traversal. */ >+#define HAVE_BT_RSEQ 1 >+ >+/* Define to 1 if you have the <byteswap.h> header file. */ >+#define HAVE_BYTESWAP_H 1 >+ >+/* Define to 1 if you have the `chmod' function. */ >+#define HAVE_CHMOD 1 >+ >+/* Define to 1 if you have the `closelog' function. */ >+#define HAVE_CLOSELOG 1 >+ >+/* Define to 1 if you have the `compile' function. */ >+/* #undef HAVE_COMPILE */ >+ >+/* Define to 1 if you have the `daemon' function. */ >+#define HAVE_DAEMON 1 >+ >+/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'. >+ */ >+#define HAVE_DIRENT_H 1 >+ >+/* Define to 1 if you have the <dlfcn.h> header file. */ >+#define HAVE_DLFCN_H 1 >+ >+/* Define to 1 if you have the `dn_skipname' function. 
*/ >+/* #undef HAVE_DN_SKIPNAME */ >+ >+/* Define to 1 if you have the <endian.h> header file. */ >+#define HAVE_ENDIAN_H 1 >+ >+/* Define to 1 if you have the `fchmod' function. */ >+#define HAVE_FCHMOD 1 >+ >+/* Define to 1 if you have the <fcntl.h> header file. */ >+#define HAVE_FCNTL_H 1 >+ >+/* Define to 1 if you have the `flock' function. */ >+#define HAVE_FLOCK 1 >+ >+/* Define to 1 if you have the `ftime' function. */ >+#define HAVE_FTIME 1 >+ >+/* Define if you have the getaddrinfo function */ >+#define HAVE_GETADDRINFO 1 >+ >+/* Define to 1 if you have the `getcwd' function. */ >+#define HAVE_GETCWD 1 >+ >+/* Define to 1 if you have the `getenv' function. */ >+#define HAVE_GETENV 1 >+ >+/* Define to 1 if you have the `geteuid' function. */ >+#define HAVE_GETEUID 1 >+ >+/* Define to 1 if you have the `gethostbyname2' function. */ >+#define HAVE_GETHOSTBYNAME2 1 >+ >+/* Define if gethostbyname_r exists and its return type is known */ >+#define HAVE_GETHOSTBYNAME_R 1 >+ >+/* Define to 1 if you have the `getifaddrs' function. */ >+#define HAVE_GETIFADDRS 1 >+ >+/* Define to 1 if you have the `getnameinfo' function. */ >+#define HAVE_GETNAMEINFO 1 >+ >+/* Define if getpwnam_r is available and useful. */ >+#define HAVE_GETPWNAM_R 1 >+ >+/* Define if getpwuid_r is available and useful. */ >+#define HAVE_GETPWUID_R 1 >+ >+/* Define if getservbyname_r exists and its return type is known */ >+#define HAVE_GETSERVBYNAME_R 1 >+ >+/* Define to 1 if you have the `getusershell' function. */ >+#define HAVE_GETUSERSHELL 1 >+ >+/* Define to 1 if you have the `gmtime_r' function. */ >+#define HAVE_GMTIME_R 1 >+ >+/* Define to 1 if you have the <ifaddrs.h> header file. */ >+#define HAVE_IFADDRS_H 1 >+ >+/* Define to 1 if you have the `inet_aton' function. */ >+#define HAVE_INET_ATON 1 >+ >+/* Define to 1 if you have the `inet_ntoa' function. */ >+#define HAVE_INET_NTOA 1 >+ >+/* Define to 1 if you have the `inet_ntop' function. 
*/ >+#define HAVE_INET_NTOP 1 >+ >+/* Define to 1 if you have the `inet_pton' function. */ >+#define HAVE_INET_PTON 1 >+ >+/* Define to 1 if the system has the type `int32_t'. */ >+#define HAVE_INT32_T 1 >+ >+/* Define to 1 if the system has the type `int64_t'. */ >+#define HAVE_INT64_T 1 >+ >+/* Define to 1 if you have the <inttypes.h> header file. */ >+#define HAVE_INTTYPES_H 1 >+ >+/* Define to 1 if you have the <kdc.h> header file. */ >+/* #undef HAVE_KDC_H */ >+ >+/* Define to 1 if you have the <krb_db.h> header file. */ >+/* #undef HAVE_KRB_DB_H */ >+ >+/* Define to 1 if you have the `nsl' library (-lnsl). */ >+/* #undef HAVE_LIBNSL */ >+ >+/* Define to 1 if you have the `resolv' library (-lresolv). */ >+/* #undef HAVE_LIBRESOLV */ >+ >+/* Define to 1 if you have the `socket' library (-lsocket). */ >+/* #undef HAVE_LIBSOCKET */ >+ >+/* Define if the util library is available */ >+#define HAVE_LIBUTIL 1 >+ >+/* Define to 1 if you have the <limits.h> header file. */ >+#define HAVE_LIMITS_H 1 >+ >+/* Define to 1 if you have the `localtime_r' function. */ >+#define HAVE_LOCALTIME_R 1 >+ >+/* Define to 1 if the system has the type `long long'. */ >+#define HAVE_LONG_LONG 1 >+ >+/* Define to 1 if you have the `lstat' function. */ >+#define HAVE_LSTAT 1 >+ >+/* Define to 1 if you have the <machine/byte_order.h> header file. */ >+/* #undef HAVE_MACHINE_BYTE_ORDER_H */ >+ >+/* Define to 1 if you have the <machine/endian.h> header file. */ >+/* #undef HAVE_MACHINE_ENDIAN_H */ >+ >+/* Define to 1 if you have the `memmove' function. */ >+#define HAVE_MEMMOVE 1 >+ >+/* Define to 1 if you have the <memory.h> header file. */ >+#define HAVE_MEMORY_H 1 >+ >+/* Define to 1 if you have the `mkstemp' function. */ >+#define HAVE_MKSTEMP 1 >+ >+/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */ >+/* #undef HAVE_NDIR_H */ >+ >+/* Define to 1 if you have the <netdb.h> header file. 
*/ >+#define HAVE_NETDB_H 1 >+ >+/* Define if netdb.h declares h_errno */ >+#define HAVE_NETDB_H_H_ERRNO 1 >+ >+/* Define to 1 if you have the <netinet/in.h> header file. */ >+#define HAVE_NETINET_IN_H 1 >+ >+/* Define to 1 if you have the `ns_initparse' function. */ >+/* #undef HAVE_NS_INITPARSE */ >+ >+/* Define to 1 if you have the `ns_name_uncompress' function. */ >+/* #undef HAVE_NS_NAME_UNCOMPRESS */ >+ >+/* Define to 1 if you have the `openlog' function. */ >+#define HAVE_OPENLOG 1 >+ >+/* Define to 1 if you have the <paths.h> header file. */ >+#define HAVE_PATHS_H 1 >+ >+/* Define if #pragma weak references work */ >+#define HAVE_PRAGMA_WEAK_REF 1 >+ >+/* Define if you have POSIX threads libraries and header files. */ >+#define HAVE_PTHREAD 1 >+ >+/* Define to 1 if you have the <pthread.h> header file. */ >+#define HAVE_PTHREAD_H 1 >+ >+/* Define to 1 if you have the `pthread_mutex_lock' function. */ >+#define HAVE_PTHREAD_MUTEX_LOCK 1 >+ >+/* Define to 1 if you have the `pthread_once' function. */ >+/* #undef HAVE_PTHREAD_ONCE */ >+ >+/* Define to 1 if you have the `pthread_rwlock_init' function. */ >+/* #undef HAVE_PTHREAD_RWLOCK_INIT */ >+ >+/* Define if pthread_rwlock_init is provided in the thread library. */ >+#define HAVE_PTHREAD_RWLOCK_INIT_IN_THREAD_LIB 1 >+ >+/* Define to 1 if you have the <pwd.h> header file. */ >+#define HAVE_PWD_H 1 >+ >+/* Define to 1 if you have the <python2.3/Python.h> header file. */ >+/* #undef HAVE_PYTHON2_3_PYTHON_H */ >+ >+/* Define to 1 if you have the <Python.h> header file. */ >+/* #undef HAVE_PYTHON_H */ >+ >+/* Define if regcomp exists and functions */ >+#define HAVE_REGCOMP 1 >+ >+/* Define to 1 if you have the `regexec' function. */ >+#define HAVE_REGEXEC 1 >+ >+/* Define to 1 if you have the <regexpr.h> header file. */ >+/* #undef HAVE_REGEXPR_H */ >+ >+/* Define to 1 if you have the <regex.h> header file. */ >+#define HAVE_REGEX_H 1 >+ >+/* Define to 1 if you have the `res_nclose' function. 
*/ >+/* #undef HAVE_RES_NCLOSE */ >+ >+/* Define to 1 if you have the `res_ndestroy' function. */ >+/* #undef HAVE_RES_NDESTROY */ >+ >+/* Define to 1 if you have the `res_ninit' function. */ >+/* #undef HAVE_RES_NINIT */ >+ >+/* Define to 1 if you have the `res_nsearch' function. */ >+/* #undef HAVE_RES_NSEARCH */ >+ >+/* Define to 1 if you have the `res_search' function */ >+/* #undef HAVE_RES_SEARCH */ >+ >+/* Define to 1 if you have the `re_comp' function. */ >+#define HAVE_RE_COMP 1 >+ >+/* Define to 1 if you have the `re_exec' function. */ >+#define HAVE_RE_EXEC 1 >+ >+/* Define if struct sockaddr contains sa_len */ >+/* #undef HAVE_SA_LEN */ >+ >+/* Define to 1 if you have the <sched.h> header file. */ >+#define HAVE_SCHED_H 1 >+ >+/* Define to 1 if you have the `sched_yield' function. */ >+#define HAVE_SCHED_YIELD 1 >+ >+/* Define to 1 if you have the <semaphore.h> header file. */ >+#define HAVE_SEMAPHORE_H 1 >+ >+/* Define to 1 if you have the `sem_init' function. */ >+/* #undef HAVE_SEM_INIT */ >+ >+/* Define to 1 if you have the `sem_trywait' function. */ >+/* #undef HAVE_SEM_TRYWAIT */ >+ >+/* Define to 1 if you have the `setegid' function. */ >+#define HAVE_SETEGID 1 >+ >+/* Define to 1 if you have the `setenv' function. */ >+#define HAVE_SETENV 1 >+ >+/* Define to 1 if you have the `seteuid' function. */ >+#define HAVE_SETEUID 1 >+ >+/* Define if setluid provided in OSF/1 security library */ >+/* #undef HAVE_SETLUID */ >+ >+/* Define to 1 if you have the `setregid' function. */ >+#define HAVE_SETREGID 1 >+ >+/* Define to 1 if you have the `setresgid' function. */ >+#define HAVE_SETRESGID 1 >+ >+/* Define to 1 if you have the `setresuid' function. */ >+#define HAVE_SETRESUID 1 >+ >+/* Define to 1 if you have the `setreuid' function. */ >+#define HAVE_SETREUID 1 >+ >+/* Define to 1 if you have the `setsid' function. */ >+#define HAVE_SETSID 1 >+ >+/* Define to 1 if you have the `setvbuf' function. 
*/ >+#define HAVE_SETVBUF 1 >+ >+/* Define if there is a socklen_t type. If not, probably use size_t */ >+#define HAVE_SOCKLEN_T 1 >+ >+/* Define to 1 if you have the `srand' function. */ >+#define HAVE_SRAND 1 >+ >+/* Define to 1 if you have the `srand48' function. */ >+#define HAVE_SRAND48 1 >+ >+/* Define to 1 if you have the `srandom' function. */ >+#define HAVE_SRANDOM 1 >+ >+/* Define to 1 if you have the `stat' function. */ >+#define HAVE_STAT 1 >+ >+/* Define if stdarg available and compiles */ >+#define HAVE_STDARG_H 1 >+ >+/* Define to 1 if you have the <stddef.h> header file. */ >+#define HAVE_STDDEF_H 1 >+ >+/* Define to 1 if you have the <stdint.h> header file. */ >+#define HAVE_STDINT_H 1 >+ >+/* Define to 1 if you have the <stdlib.h> header file. */ >+#define HAVE_STDLIB_H 1 >+ >+/* Define to 1 if you have the `step' function. */ >+/* #undef HAVE_STEP */ >+ >+/* Define to 1 if you have the `strchr' function. */ >+#define HAVE_STRCHR 1 >+ >+/* Define to 1 if you have the `strdup' function. */ >+#define HAVE_STRDUP 1 >+ >+/* Define to 1 if you have the `strerror' function. */ >+#define HAVE_STRERROR 1 >+ >+/* Define to 1 if you have the `strerror_r' function. */ >+#define HAVE_STRERROR_R 1 >+ >+/* Define to 1 if you have the `strftime' function. */ >+#define HAVE_STRFTIME 1 >+ >+/* Define to 1 if you have the <strings.h> header file. */ >+#define HAVE_STRINGS_H 1 >+ >+/* Define to 1 if you have the <string.h> header file. */ >+#define HAVE_STRING_H 1 >+ >+/* Define to 1 if you have the `strptime' function. */ >+#define HAVE_STRPTIME 1 >+ >+/* Define to 1 if you have the `strstr' function. */ >+#define HAVE_STRSTR 1 >+ >+/* Define if there is a struct if_laddrconf. */ >+/* #undef HAVE_STRUCT_IF_LADDRCONF */ >+ >+/* Define if there is a struct lifconf. */ >+/* #undef HAVE_STRUCT_LIFCONF */ >+ >+/* Define to 1 if `sin_len' is member of `struct sockaddr_in'. 
*/ >+/* #undef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN */ >+ >+/* Define to 1 if `sa_len' is member of `struct sockaddr'. */ >+/* #undef HAVE_STRUCT_SOCKADDR_SA_LEN */ >+ >+/* Define if "struct sockaddr_storage" is available. */ >+#define HAVE_STRUCT_SOCKADDR_STORAGE 1 >+ >+/* Define to 1 if `st_mtimensec' is member of `struct stat'. */ >+/* #undef HAVE_STRUCT_STAT_ST_MTIMENSEC */ >+ >+/* Define to 1 if `st_mtimespec.tv_nsec' is member of `struct stat'. */ >+/* #undef HAVE_STRUCT_STAT_ST_MTIMESPEC_TV_NSEC */ >+ >+/* Define to 1 if `st_mtim.tv_nsec' is member of `struct stat'. */ >+#define HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC 1 >+ >+/* Define to 1 if you have the `syslog' function. */ >+#define HAVE_SYSLOG 1 >+ >+/* Define to 1 if you have the <syslog.h> header file. */ >+#define HAVE_SYSLOG_H 1 >+ >+/* Define to 1 if you have the <sys/bswap.h> header file. */ >+/* #undef HAVE_SYS_BSWAP_H */ >+ >+/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'. >+ */ >+/* #undef HAVE_SYS_DIR_H */ >+ >+/* Define if sys_errlist in libc */ >+#define HAVE_SYS_ERRLIST 1 >+ >+/* Define to 1 if you have the <sys/file.h> header file. */ >+#define HAVE_SYS_FILE_H 1 >+ >+/* Define to 1 if you have the <sys/filio.h> header file. */ >+/* #undef HAVE_SYS_FILIO_H */ >+ >+/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'. >+ */ >+/* #undef HAVE_SYS_NDIR_H */ >+ >+/* Define to 1 if you have the <sys/param.h> header file. */ >+#define HAVE_SYS_PARAM_H 1 >+ >+/* Define to 1 if you have the <sys/select.h> header file. */ >+#define HAVE_SYS_SELECT_H 1 >+ >+/* Define to 1 if you have the <sys/socket.h> header file. */ >+#define HAVE_SYS_SOCKET_H 1 >+ >+/* Define to 1 if you have the <sys/sockio.h> header file. */ >+/* #undef HAVE_SYS_SOCKIO_H */ >+ >+/* Define to 1 if you have the <sys/stat.h> header file. */ >+#define HAVE_SYS_STAT_H 1 >+ >+/* Define to 1 if you have the <sys/time.h> header file. 
*/ >+#define HAVE_SYS_TIME_H 1 >+ >+/* Define to 1 if you have the <sys/types.h> header file. */ >+#define HAVE_SYS_TYPES_H 1 >+ >+/* Define to 1 if you have the <sys/uio.h> header file. */ >+#define HAVE_SYS_UIO_H 1 >+ >+/* Define if tcl.h found */ >+/* #undef HAVE_TCL_H */ >+ >+/* Define if tcl/tcl.h found */ >+/* #undef HAVE_TCL_TCL_H */ >+ >+/* Define to 1 if you have the `timezone' function. */ >+#define HAVE_TIMEZONE 1 >+ >+/* Define to 1 if you have the <time.h> header file. */ >+#define HAVE_TIME_H 1 >+ >+/* Define to 1 if the system has the type `uint32_t'. */ >+#define HAVE_UINT32_T 1 >+ >+/* Define to 1 if the system has the type `uint64_t'. */ >+#define HAVE_UINT64_T 1 >+ >+/* Define to 1 if the system has the type `uintmax_t'. */ >+#define HAVE_UINTMAX_T 1 >+ >+/* Define to 1 if the system has the type `uintptr_t'. */ >+#define HAVE_UINTPTR_T 1 >+ >+/* Define to 1 if the system has the type `uint_least32_t'. */ >+#define HAVE_UINT_LEAST32_T 1 >+ >+/* Define to 1 if you have the `umask' function. */ >+#define HAVE_UMASK 1 >+ >+/* Define to 1 if you have the <unistd.h> header file. */ >+#define HAVE_UNISTD_H 1 >+ >+/* Define to 1 if you have the `unsetenv' function. */ >+#define HAVE_UNSETENV 1 >+ >+/* Define if varargs available and compiles */ >+/* #undef HAVE_VARARGS_H */ >+ >+/* Define to 1 if you have the `vasprintf' function. */ >+#define HAVE_VASPRINTF 1 >+ >+/* Define to 1 if you have the `vsnprintf' function. */ >+#define HAVE_VSNPRINTF 1 >+ >+/* Define to 1 if you have the `vsprintf' function. */ >+#define HAVE_VSPRINTF 1 >+ >+/* Define to 1 if you have the `waitpid' function. 
*/ >+#define HAVE_WAITPID 1 >+ >+/* Define if errno.h declares perror */ >+/* #undef HDR_HAS_PERROR */ >+ >+/* May need to be defined to enable IPv6 support, for example on IRIX */ >+/* #undef INET6 */ >+ >+/* Define if MIT Project Athena default configuration should be used */ >+/* #undef KRB5_ATHENA_COMPAT */ >+ >+/* Define for DNS support of locating realms and KDCs */ >+#define KRB5_DNS_LOOKUP 1 >+ >+/* Define to enable DNS lookups of Kerberos KDCs */ >+#define KRB5_DNS_LOOKUP_KDC 1 >+ >+/* Define to enable DNS lookups of Kerberos realm names */ >+/* #undef KRB5_DNS_LOOKUP_REALM */ >+ >+/* Define if Kerberos V4 backwards compatibility should be supported */ >+#define KRB5_KRB4_COMPAT 1 >+ >+/* Define if we should compile in IPv6 support (even if we can't use it at run >+ time) */ >+#define KRB5_USE_INET6 1 >+ >+/* Define if KDC should update database with each request */ >+/* #undef KRBCONF_KDC_MODIFIES_KDB */ >+ >+/* Define if the KDC should return only vague error codes to clients */ >+/* #undef KRBCONF_VAGUE_ERRORS */ >+ >+/* define if the system header files are missing prototype for daemon() */ >+/* #undef NEED_DAEMON_PROTO */ >+ >+/* Define if in6addr_any is not defined in libc */ >+/* #undef NEED_INSIXADDR_ANY */ >+ >+/* define if the system header files are missing prototype for strptime() */ >+#define NEED_STRPTIME_PROTO 1 >+ >+/* define if the system header files are missing prototype for swab() */ >+#define NEED_SWAB_PROTO 1 >+ >+/* Define if need to declare sys_errlist */ >+/* #undef NEED_SYS_ERRLIST */ >+ >+/* Define if the KDC should use no replay cache */ >+/* #undef NOCACHE */ >+ >+/* Define if lex produes code with yylineno */ >+#define NO_YYLINENO 1 >+ >+/* Define if setjmp indicates POSIX interface */ >+/* #undef POSIX_SETJMP */ >+ >+/* Define if POSIX signal handling is used */ >+#define POSIX_SIGNALS 1 >+ >+/* Define if POSIX signal handlers are used */ >+#define POSIX_SIGTYPE 1 >+ >+/* Define if termios.h exists and tcsetattr exists */ 
>+#define POSIX_TERMIOS 1 >+ >+/* Define to the necessary symbol if this constant uses a non-standard name on >+ your system. */ >+/* #undef PTHREAD_CREATE_JOINABLE */ >+ >+/* Define as the return type of signal handlers (`int' or `void'). */ >+#define RETSIGTYPE void >+ >+/* Define as return type of setrpcent */ >+#define SETRPCENT_TYPE void >+ >+/* Define to 1 if you have the ANSI C header files. */ >+#define STDC_HEADERS 1 >+ >+/* Define if sys_errlist is defined in errno.h */ >+#define SYS_ERRLIST_DECLARED 1 >+ >+/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ >+#define TIME_WITH_SYS_TIME 1 >+ >+/* Define if you have dirent.h functionality */ >+#define USE_DIRENT_H 1 >+ >+/* Define if dlopen should be used */ >+#define USE_DLOPEN 1 >+ >+/* Define if link-time options for library finalization will be used */ >+/* #undef USE_LINKER_FINI_OPTION */ >+ >+/* Define if link-time options for library initialization will be used */ >+/* #undef USE_LINKER_INIT_OPTION */ >+ >+/* Define if the KDC should use a replay cache */ >+#define USE_RCACHE 1 >+ >+/* Define if sigprocmask should be used */ >+#define USE_SIGPROCMASK 1 >+ >+/* Define if wait takes int as a argument */ >+#define WAIT_USES_INT 1 >+ >+/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a >+ `char[]'. */ >+#define YYTEXT_POINTER 1 >+ >+/* Define to empty if `const' does not conform to ANSI C. */ >+/* #undef const */ >+ >+/* Define to `int' if <sys/types.h> doesn't define. */ >+/* #undef gid_t */ >+ >+/* Define to `__inline__' or `__inline' if that's what the C compiler >+ calls it, or to nothing if 'inline' is not supported under any name. */ >+#ifndef __cplusplus >+/* #undef inline */ >+#endif >+ >+/* Define krb5_sigtype to type of signal handler */ >+#define krb5_sigtype void >+ >+/* Define to `int' if <sys/types.h> does not define. */ >+/* #undef mode_t */ >+ >+/* Define to `long' if <sys/types.h> does not define. 
*/ >+/* #undef off_t */ >+ >+/* Define to `long' if <sys/types.h> does not define. */ >+/* #undef time_t */ >+ >+/* Define to `int' if <sys/types.h> doesn't define. */ >+/* #undef uid_t */ >+ >+ >+#if defined(__GNUC__) && !defined(inline) >+/* Silence gcc pedantic warnings about ANSI C. */ >+# define inline __inline__ >+#endif >+#endif /* KRB5_AUTOCONF_H */ >+ >diff -durN libuser-0.54.7.ORIG/modules/k5-platform.h libuser-0.54.7/modules/k5-platform.h >--- libuser-0.54.7.ORIG/modules/k5-platform.h 1969-12-31 17:00:00.000000000 -0700 >+++ libuser-0.54.7/modules/k5-platform.h 2007-03-03 22:27:53.000000000 -0700 
>@@ -0,0 +1,715 @@ >+/* >+ * k5-platform.h >+ * >+ * Copyright 2003, 2004, 2005 Massachusetts Institute of Technology. >+ * All Rights Reserved. >+ * >+ * Export of this software from the United States of America may >+ * require a specific license from the United States Government. >+ * It is the responsibility of any person or organization contemplating >+ * export to obtain such a license before exporting. >+ * >+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and >+ * distribute this software and its documentation for any purpose and >+ * without fee is hereby granted, provided that the above copyright >+ * notice appear in all copies and that both that copyright notice and >+ * this permission notice appear in supporting documentation, and that >+ * the name of M.I.T. not be used in advertising or publicity pertaining >+ * to distribution of the software without specific, written prior >+ * permission. Furthermore if you modify this software you must label >+ * your software as modified software and not distribute it in such a >+ * fashion that it might be confused with the original M.I.T. software. >+ * M.I.T. makes no representations about the suitability of >+ * this software for any purpose. It is provided "as is" without express >+ * or implied warranty. >+ * >+ * >+ * Some platform-dependent definitions to sync up the C support level. >+ * Some to a C99-ish level, some related utility code. >+ * >+ * Currently: >+ * + make "static inline" work >+ * + 64-bit types and load/store code >+ * + SIZE_MAX >+ * + shared library init/fini hooks >+ * + consistent getpwnam/getpwuid interfaces >+ */ >+ >+#ifndef K5_PLATFORM_H >+#define K5_PLATFORM_H >+ >+#include "./autoconf.h" >+ >+/* Initialization and finalization function support for libraries. >+ >+ At top level, before the functions are defined or even declared: >+ MAKE_INIT_FUNCTION(init_fn); >+ MAKE_FINI_FUNCTION(fini_fn); >+ Then: >+ int init_fn(void) { ... 
} >+ void fini_fn(void) { if (INITIALIZER_RAN(init_fn)) ... } >+ In code, in the same file: >+ err = CALL_INIT_FUNCTION(init_fn); >+ >+ To trigger or verify the initializer invocation from another file, >+ a helper function must be created. >+ >+ This model handles both the load-time execution (Windows) and >+ delayed execution (pthread_once) approaches, and should be able to >+ guarantee in both cases that the init function is run once, in one >+ thread, before other stuff in the library is done; furthermore, the >+ finalization code should only run if the initialization code did. >+ (Maybe I could've made the "if INITIALIZER_RAN" test implicit, via >+ another function hidden in macros, but this is hairy enough >+ already.) >+ >+ The init_fn and fini_fn names should be chosen such that any >+ exported names staring with those names, and optionally followed by >+ additional characters, fits in with any namespace constraints on >+ the library in question. >+ >+ >+ There's also PROGRAM_EXITING() currently always defined as zero. >+ If there's some trivial way to find out if the fini function is >+ being called because the program that the library is linked into is >+ exiting, we can just skip all the work because the resources are >+ about to be freed up anyways. Generally this is likely to be the >+ same as distinguishing whether the library was loaded dynamically >+ while the program was running, or loaded as part of program >+ startup. On most platforms, I don't think we can distinguish these >+ cases easily, and it's probably not worth expending any significant >+ effort. (Note in particular that atexit() won't do, because if the >+ library is explicitly loaded and unloaded, it would have to be able >+ to deregister the atexit callback function. Also, the system limit >+ on atexit callbacks may be small.) 
>+ >+ >+ Implementation outline: >+ >+ Windows: MAKE_FINI_FUNCTION creates a symbol with a magic name that >+ is sought at library build time, and code is added to invoke the >+ function when the library is unloaded. MAKE_INIT_FUNCTION does >+ likewise, but the function is invoked when the library is loaded, >+ and an extra variable is declared to hold an error code and a "yes >+ the initializer ran" flag. CALL_INIT_FUNCTION blows up if the flag >+ isn't set, otherwise returns the error code. >+ >+ UNIX: MAKE_INIT_FUNCTION creates and initializes a variable with a >+ name derived from the function name, containing a k5_once_t >+ (pthread_once_t or int), an error code, and a pointer to the >+ function. The function itself is declared static, but the >+ associated variable has external linkage. CALL_INIT_FUNCTION >+ ensures thath the function is called exactly once (pthread_once or >+ just check the flag) and returns the stored error code (or the >+ pthread_once error). >+ >+ (That's the basic idea. With some debugging assert() calls and >+ such, it's a bit more complicated. And we also need to handle >+ doing the pthread test at run time on systems where that works, so >+ we use the k5_once_t stuff instead.) >+ >+ UNIX, with compiler support: MAKE_FINI_FUNCTION declares the >+ function as a destructor, and the run time linker support or >+ whatever will cause it to be invoked when the library is unloaded, >+ the program ends, etc. >+ >+ UNIX, with linker support: MAKE_FINI_FUNCTION creates a symbol with >+ a magic name that is sought at library build time, and linker >+ options are used to mark it as a finalization function for the >+ library. The symbol must be exported. >+ >+ UNIX, no library finalization support: The finalization function >+ never runs, and we leak memory. Tough. >+ >+ DELAY_INITIALIZER will be defined by the configure script if we >+ want to use k5_once instead of load-time initialization. 
That'll >+ be the preferred method on most systems except Windows, where we >+ have to initialize some mutexes. >+ >+ >+ >+ >+ For maximum flexibility in defining the macros, the function name >+ parameter should be a simple name, not even a macro defined as >+ another name. The function should have a unique name, and should >+ conform to whatever namespace is used by the library in question. >+ (We do have export lists, but (1) they're not used for all >+ platforms, and (2) they're not used for static libraries.) >+ >+ If the macro expansion needs the function to have been declared, it >+ must include a declaration. If it is not necessary for the symbol >+ name to be exported from the object file, the macro should declare >+ it as "static". Hence the signature must exactly match "void >+ foo(void)". (ANSI C allows a static declaration followed by a >+ non-static one; the result is internal linkage.) The macro >+ expansion has to come before the function, because gcc apparently >+ won't act on "__attribute__((constructor))" if it comes after the >+ function definition. >+ >+ This is going to be compiler- and environment-specific, and may >+ require some support at library build time, and/or "asm" >+ statements. But through macro expansion and auxiliary functions, >+ we should be able to handle most things except #pragma. >+ >+ It's okay for this code to require that the library be built >+ with the same compiler and compiler options throughout, but >+ we shouldn't require that the library and application use the >+ same compiler. >+ >+ For static libraries, we don't really care about cleanup too much, >+ since it's all memory handling and mutex allocation which will all >+ be cleaned up when the program exits. Thus, it's okay if gcc-built >+ static libraries don't play nicely with cc-built executables when >+ it comes to static constructors, just as long as it doesn't cause >+ linking to fail. 
>+ >+ For dynamic libraries on UNIX, we'll use pthread_once-type support >+ to do delayed initialization, so if finalization can't be made to >+ work, we'll only have memory leaks in a load/use/unload cycle. If >+ anyone (like, say, the OS vendor) complains about this, they can >+ tell us how to get a shared library finalization function invoked >+ automatically. >+ >+ Currently there's --disable-delayed-initialization for preventing >+ the initialization from being delayed on UNIX, but that's mainly >+ just for testing the linker options for initialization, and will >+ probably be removed at some point. */ >+ >+/* Helper macros. */ >+ >+# define JOIN__2_2(A,B) A ## _ ## _ ## B >+# define JOIN__2(A,B) JOIN__2_2(A,B) >+ >+/* XXX Should test USE_LINKER_INIT_OPTION early, and if it's set, >+ always provide a function by the expected name, even if we're >+ delaying initialization. */ >+ >+#if defined(DELAY_INITIALIZER) >+ >+/* Run the initialization code during program execution, at the latest >+ possible moment. This means multiple threads may be active. */ >+# include "./k5-thread.h" >+typedef struct { k5_once_t once; int error, did_run; void (*fn)(void); } k5_init_t; >+# ifdef USE_LINKER_INIT_OPTION >+# define MAYBE_DUMMY_INIT(NAME) \ >+ void JOIN__2(NAME, auxinit) () { } >+# else >+# define MAYBE_DUMMY_INIT(NAME) >+# endif >+# ifdef __GNUC__ >+/* Do it in macro form so we get the file/line of the invocation if >+ the assertion fails. */ >+# define k5_call_init_function(I) \ >+ (__extension__ ({ \ >+ k5_init_t *k5int_i = (I); \ >+ int k5int_err = k5_once(&k5int_i->once, k5int_i->fn); \ >+ (k5int_err \ >+ ? 
k5int_err \
>+ : (assert(k5int_i->did_run != 0), k5int_i->error)); \
>+ }))
>+# define MAYBE_DEFINE_CALLINIT_FUNCTION
>+# else
>+# define MAYBE_DEFINE_CALLINIT_FUNCTION \
>+ static inline int k5_call_init_function(k5_init_t *i) \
>+ { \
>+ int err; \
>+ err = k5_once(&i->once, i->fn); \
>+ if (err) \
>+ return err; \
>+ assert (i->did_run != 0); \
>+ return i->error; \
>+ }
>+# endif
>+# define MAKE_INIT_FUNCTION(NAME) \
>+ static int NAME(void); \
>+ MAYBE_DUMMY_INIT(NAME) \
>+ /* forward declaration for use in initializer */ \
>+ static void JOIN__2(NAME, aux) (void); \
>+ static k5_init_t JOIN__2(NAME, once) = \
>+ { K5_ONCE_INIT, 0, 0, JOIN__2(NAME, aux) }; \
>+ MAYBE_DEFINE_CALLINIT_FUNCTION \
>+ static void JOIN__2(NAME, aux) (void) \
>+ { \
>+ JOIN__2(NAME, once).did_run = 1; \
>+ JOIN__2(NAME, once).error = NAME(); \
>+ } \
>+ /* so ';' following macro use won't get error */ \
>+ static int NAME(void)
>+# define CALL_INIT_FUNCTION(NAME) \
>+ k5_call_init_function(& JOIN__2(NAME, once))
>+/* This should be called in finalization only, so we shouldn't have
>+ multiple active threads mucking around in our library at this
>+ point. So ignore the once_t object and just look at the flag.
>+
>+ XXX Could we have problems with memory coherence between processors
>+ if we don't invoke mutex/once routines? Probably not, the
>+ application code should already be coordinating things such that
>+ the library code is not in use by this point, and memory
>+ synchronization will be needed there. */
>+# define INITIALIZER_RAN(NAME) \
>+ (JOIN__2(NAME, once).did_run && JOIN__2(NAME, once).error == 0)
>+
>+# define PROGRAM_EXITING() (0)
>+
>+#elif defined(__GNUC__) && !defined(_WIN32) && defined(CONSTRUCTOR_ATTR_WORKS)
>+
>+/* Run initializer at load time, via GCC/C++ hook magic. */
>+
>+# ifdef USE_LINKER_INIT_OPTION
>+ /* Both gcc and linker option?? Favor gcc. 
*/
>+# define MAYBE_DUMMY_INIT(NAME) \
>+ void JOIN__2(NAME, auxinit) () { }
>+# else
>+# define MAYBE_DUMMY_INIT(NAME)
>+# endif
>+
>+typedef struct { int error; unsigned char did_run; } k5_init_t;
>+# define MAKE_INIT_FUNCTION(NAME) \
>+ MAYBE_DUMMY_INIT(NAME) \
>+ static k5_init_t JOIN__2(NAME, ran) \
>+ = { 0, 2 }; \
>+ static void JOIN__2(NAME, aux)(void) \
>+ __attribute__((constructor)); \
>+ static int NAME(void); \
>+ static void JOIN__2(NAME, aux)(void) \
>+ { \
>+ JOIN__2(NAME, ran).error = NAME(); \
>+ JOIN__2(NAME, ran).did_run = 3; \
>+ } \
>+ static int NAME(void)
>+# define CALL_INIT_FUNCTION(NAME) \
>+ (JOIN__2(NAME, ran).did_run == 3 \
>+ ? JOIN__2(NAME, ran).error \
>+ : (abort(),0))
>+# define INITIALIZER_RAN(NAME) (JOIN__2(NAME,ran).did_run == 3 && JOIN__2(NAME, ran).error == 0)
>+
>+# define PROGRAM_EXITING() (0)
>+
>+#elif defined(USE_LINKER_INIT_OPTION) || defined(_WIN32)
>+
>+/* Run initializer at load time, via linker magic, or in the
>+ case of WIN32, win_glue.c hard-coded knowledge. */
>+typedef struct { int error; unsigned char did_run; } k5_init_t;
>+# define MAKE_INIT_FUNCTION(NAME) \
>+ static k5_init_t JOIN__2(NAME, ran) \
>+ = { 0, 2 }; \
>+ static int NAME(void); \
>+ void JOIN__2(NAME, auxinit)() \
>+ { \
>+ JOIN__2(NAME, ran).error = NAME(); \
>+ JOIN__2(NAME, ran).did_run = 3; \
>+ } \
>+ static int NAME(void)
>+# define CALL_INIT_FUNCTION(NAME) \
>+ (JOIN__2(NAME, ran).did_run == 3 \
>+ ? JOIN__2(NAME, ran).error \
>+ : (abort(),0))
>+# define INITIALIZER_RAN(NAME) \
>+ (JOIN__2(NAME, ran).error == 0)
>+
>+# define PROGRAM_EXITING() (0)
>+
>+#else
>+
>+# error "Don't know how to do load-time initializers for this configuration."
>+
>+# define PROGRAM_EXITING() (0)
>+
>+#endif
>+
>+
>+
>+#if defined(USE_LINKER_FINI_OPTION) || defined(_WIN32)
>+/* If we're told the linker option will be used, it doesn't really
>+ matter what compiler we're using. Do it the same way
>+ regardless. 
*/
>+
>+# ifdef __hpux
>+
>+ /* On HP-UX, we need this auxiliary function. At dynamic load or
>+ unload time (but *not* program startup and termination for
>+ link-time specified libraries), the linker-indicated function
>+ is called with a handle on the library and a flag indicating
>+ whether it's being loaded or unloaded.
>+
>+ The "real" fini function doesn't need to be exported, so
>+ declare it static.
>+
>+ As usual, the final declaration is just for syntactic
>+ convenience, so the top-level invocation of this macro can be
>+ followed by a semicolon. */
>+
>+# include <dl.h>
>+# define MAKE_FINI_FUNCTION(NAME) \
>+ static void NAME(void); \
>+ void JOIN__2(NAME, auxfini)(shl_t, int); /* silence gcc warnings */ \
>+ void JOIN__2(NAME, auxfini)(shl_t h, int l) { if (!l) NAME(); } \
>+ static void NAME(void)
>+
>+# else /* not hpux */
>+
>+# define MAKE_FINI_FUNCTION(NAME) \
>+ void NAME(void)
>+
>+# endif
>+
>+#elif defined(__GNUC__) && defined(DESTRUCTOR_ATTR_WORKS)
>+/* If we're using gcc, if the C++ support works, the compiler should
>+ build executables and shared libraries that support the use of
>+ static constructors and destructors. The C compiler supports a
>+ function attribute that makes use of the same facility as C++.
>+
>+ XXX How do we know if the C++ support actually works? */
>+# define MAKE_FINI_FUNCTION(NAME) \
>+ static void NAME(void) __attribute__((destructor))
>+
>+#elif !defined(SHARED)
>+
>+/* In this case, we just don't care about finalization.
>+
>+ The code will still define the function, but we won't do anything
>+ with it. Annoying: This may generate unused-function warnings. */
>+
>+# define MAKE_FINI_FUNCTION(NAME) \
>+ static void NAME(void)
>+
>+#else
>+
>+# error "Don't know how to do unload-time finalization for this configuration."
>+
>+#endif
>+
>+
>+/* 64-bit support: krb5_ui_8 and krb5_int64.
>+
>+ This should move to krb5.h eventually, but without the namespace
>+ pollution from the autoconf macros. 
*/
>+#if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H)
>+# ifdef HAVE_STDINT_H
>+# include <stdint.h>
>+# endif
>+# ifdef HAVE_INTTYPES_H
>+# include <inttypes.h>
>+# endif
>+# define INT64_TYPE int64_t
>+# define UINT64_TYPE uint64_t
>+#elif defined(_WIN32)
>+# define INT64_TYPE signed __int64
>+# define UINT64_TYPE unsigned __int64
>+#else /* not Windows, and neither stdint.h nor inttypes.h */
>+# define INT64_TYPE signed long long
>+# define UINT64_TYPE unsigned long long
>+#endif
>+
>+#include <limits.h>
>+#ifndef SIZE_MAX
>+# define SIZE_MAX ((size_t)((size_t)0 - 1))
>+#endif
>+
>+/* Read and write integer values as (unaligned) octet strings in
>+ specific byte orders. Add per-platform optimizations as
>+ needed. */
>+
>+#if HAVE_ENDIAN_H
>+# include <endian.h>
>+#elif HAVE_MACHINE_ENDIAN_H
>+# include <machine/endian.h>
>+#endif
>+/* Check for BIG/LITTLE_ENDIAN macros. If exactly one is defined, use
>+ it. If both are defined, then BYTE_ORDER should be defined and
>+ match one of them. Try those symbols, then try again with an
>+ underscore prefix. */
>+#if defined(BIG_ENDIAN) && defined(LITTLE_ENDIAN)
>+# if BYTE_ORDER == BIG_ENDIAN
>+# define K5_BE
>+# endif
>+# if BYTE_ORDER == LITTLE_ENDIAN
>+# define K5_LE
>+# endif
>+#elif defined(BIG_ENDIAN)
>+# define K5_BE
>+#elif defined(LITTLE_ENDIAN)
>+# define K5_LE
>+#elif defined(_BIG_ENDIAN) && defined(_LITTLE_ENDIAN)
>+# if _BYTE_ORDER == _BIG_ENDIAN
>+# define K5_BE
>+# endif
>+# if _BYTE_ORDER == _LITTLE_ENDIAN
>+# define K5_LE
>+# endif
>+#elif defined(_BIG_ENDIAN)
>+# define K5_BE
>+#elif defined(_LITTLE_ENDIAN)
>+# define K5_LE
>+#endif
>+#if !defined(K5_BE) && !defined(K5_LE)
>+/* Look for some architectures we know about.
>+
>+ MIPS can use either byte order, but the preprocessor tells us which
>+ mode we're compiling for. 
The GCC config files indicate that
>+ variants of Alpha and IA64 might be out there with both byte
>+ orders, but until we encounter the "wrong" ones in the real world,
>+ just go with the default (unless there are cpp predefines to help
>+ us there too).
>+
>+ As far as I know, only PDP11 and ARM (which we don't handle here)
>+ have strange byte orders where an 8-byte value isn't laid out as
>+ either 12345678 or 87654321. */
>+# if defined(__i386__) || defined(_MIPSEL) || defined(__alpha__) || defined(__ia64__)
>+# define K5_LE
>+# endif
>+# if defined(__hppa__) || defined(__rs6000__) || defined(__sparc__) || defined(_MIPSEB) || defined(__m68k__) || defined(__sparc64__) || defined(__ppc__) || defined(__ppc64__)
>+# define K5_BE
>+# endif
>+#endif
>+#if defined(K5_BE) && defined(K5_LE)
>+# error "oops, check the byte order macros"
>+#endif
>+
>+/* Optimize for GCC on platforms with known byte orders.
>+
>+ GCC's packed structures can be written to with any alignment; the
>+ compiler will use byte operations, unaligned-word operations, or
>+ normal memory ops as appropriate for the architecture.
>+
>+ This assumes the availability of uint##_t types, which should work
>+ on most of our platforms except Windows, where we're not using
>+ GCC. */
>+#ifdef __GNUC__
>+# define PUT(SIZE,PTR,VAL) (((struct { uint##SIZE##_t i; } __attribute__((packed)) *)(PTR))->i = (VAL))
>+# define GET(SIZE,PTR) (((const struct { uint##SIZE##_t i; } __attribute__((packed)) *)(PTR))->i)
>+# define PUTSWAPPED(SIZE,PTR,VAL) PUT(SIZE,PTR,SWAP##SIZE(VAL))
>+# define GETSWAPPED(SIZE,PTR) SWAP##SIZE(GET(SIZE,PTR))
>+#endif
>+/* To do: Define SWAP16, SWAP32, SWAP64 macros to byte-swap values
>+ with the indicated numbers of bits.
>+
>+ Linux: byteswap.h, bswap_16 etc.
>+ Solaris 10: none
>+ Mac OS X: machine/endian.h or byte_order.h, NXSwap{Short,Int,LongLong}
>+ NetBSD: sys/bswap.h, bswap16 etc. 
*/
>+
>+#if defined(HAVE_BYTESWAP_H) && defined(HAVE_BSWAP_16)
>+# include <byteswap.h>
>+# define SWAP16 bswap_16
>+# define SWAP32 bswap_32
>+# ifdef HAVE_BSWAP_64
>+# define SWAP64 bswap_64
>+# endif
>+#endif
>+
>+static inline void
>+store_16_be (unsigned int val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ PUT(16,p,val);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16)
>+ PUTSWAPPED(16,p,val);
>+#else
>+ p[0] = (val >> 8) & 0xff;
>+ p[1] = (val ) & 0xff;
>+#endif
>+}
>+static inline void
>+store_32_be (unsigned int val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ PUT(32,p,val);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32)
>+ PUTSWAPPED(32,p,val);
>+#else
>+ p[0] = (val >> 24) & 0xff;
>+ p[1] = (val >> 16) & 0xff;
>+ p[2] = (val >> 8) & 0xff;
>+ p[3] = (val ) & 0xff;
>+#endif
>+}
>+static inline void
>+store_64_be (UINT64_TYPE val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ PUT(64,p,val);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64)
>+ PUTSWAPPED(64,p,val);
>+#else
>+ p[0] = (unsigned char)((val >> 56) & 0xff);
>+ p[1] = (unsigned char)((val >> 48) & 0xff);
>+ p[2] = (unsigned char)((val >> 40) & 0xff);
>+ p[3] = (unsigned char)((val >> 32) & 0xff);
>+ p[4] = (unsigned char)((val >> 24) & 0xff);
>+ p[5] = (unsigned char)((val >> 16) & 0xff);
>+ p[6] = (unsigned char)((val >> 8) & 0xff);
>+ p[7] = (unsigned char)((val ) & 0xff);
>+#endif
>+}
>+static inline unsigned short
>+load_16_be (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ return GET(16,p);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16)
>+ return GETSWAPPED(16,p);
>+#else
>+ return (p[1] | (p[0] << 8));
>+#endif
>+}
>+static inline unsigned int
>+load_32_be (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ return GET(32,p);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32)
>+ return GETSWAPPED(32,p);
>+#else
>+ return (p[3] | (p[2] << 8)
>+ | ((uint32_t) p[1] << 16)
>+ | ((uint32_t) p[0] << 24));
>+#endif
>+}
>+static inline UINT64_TYPE
>+load_64_be (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_BE)
>+ return GET(64,p);
>+#elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64)
>+ return GETSWAPPED(64,p);
>+#else
>+ return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4);
>+#endif
>+}
>+static inline void
>+store_16_le (unsigned int val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ PUT(16,p,val);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16)
>+ PUTSWAPPED(16,p,val);
>+#else
>+ p[1] = (val >> 8) & 0xff;
>+ p[0] = (val ) & 0xff;
>+#endif
>+}
>+static inline void
>+store_32_le (unsigned int val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ PUT(32,p,val);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32)
>+ PUTSWAPPED(32,p,val);
>+#else
>+ p[3] = (val >> 24) & 0xff;
>+ p[2] = (val >> 16) & 0xff;
>+ p[1] = (val >> 8) & 0xff;
>+ p[0] = (val ) & 0xff;
>+#endif
>+}
>+static inline void
>+store_64_le (UINT64_TYPE val, unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ PUT(64,p,val);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64)
>+ PUTSWAPPED(64,p,val);
>+#else
>+ p[7] = (unsigned char)((val >> 56) & 0xff);
>+ p[6] = (unsigned char)((val >> 48) & 0xff);
>+ p[5] = (unsigned char)((val >> 40) & 0xff);
>+ p[4] = (unsigned char)((val >> 32) & 0xff);
>+ p[3] = (unsigned char)((val >> 24) & 0xff);
>+ p[2] = (unsigned char)((val >> 16) & 0xff);
>+ p[1] = (unsigned char)((val >> 8) & 0xff);
>+ p[0] = (unsigned char)((val ) & 0xff);
>+#endif
>+}
>+static inline unsigned short
>+load_16_le (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ return GET(16,p);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16)
>+ return GETSWAPPED(16,p);
>+#else
>+ return (p[0] | (p[1] << 8));
>+#endif
>+}
>+static inline unsigned int
>+load_32_le (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ return GET(32,p);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32)
>+ return GETSWAPPED(32,p);
>+#else
>+ return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24));
>+#endif
>+}
>+static inline UINT64_TYPE
>+load_64_le (const unsigned char *p)
>+{
>+#if defined(__GNUC__) && defined(K5_LE)
>+ return GET(64,p);
>+#elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64)
>+ return GETSWAPPED(64,p);
>+#else
>+ return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p);
>+#endif
>+}
>+
>+/* Make the interfaces to getpwnam and getpwuid consistent.
>+ Model the wrappers on the POSIX thread-safe versions, but
>+ use the unsafe system versions if the safe ones don't exist
>+ or we can't figure out their interfaces. */
>+
>+/* int k5_getpwnam_r(const char *, blah blah) */
>+#ifdef HAVE_GETPWNAM_R
>+# ifndef GETPWNAM_R_4_ARGS
>+/* POSIX */
>+# define k5_getpwnam_r(NAME, REC, BUF, BUFSIZE, OUT) \
>+ (getpwnam_r(NAME,REC,BUF,BUFSIZE,OUT) == 0 \
>+ ? (*(OUT) == NULL ? -1 : 0) : -1)
>+# else
>+/* POSIX drafts? */
>+# ifdef GETPWNAM_R_RETURNS_INT
>+# define k5_getpwnam_r(NAME, REC, BUF, BUFSIZE, OUT) \
>+ (getpwnam_r(NAME,REC,BUF,BUFSIZE) == 0 \
>+ ? (*(OUT) = REC, 0) \
>+ : (*(OUT) = NULL, -1))
>+# else
>+# define k5_getpwnam_r(NAME, REC, BUF, BUFSIZE, OUT) \
>+ (*(OUT) = getpwnam_r(NAME,REC,BUF,BUFSIZE), *(OUT) == NULL ? -1 : 0)
>+# endif
>+# endif
>+#else /* no getpwnam_r, or can't figure out #args or return type */
>+/* Will get warnings about unused variables. */
>+# define k5_getpwnam_r(NAME, REC, BUF, BUFSIZE, OUT) \
>+ (*(OUT) = getpwnam(NAME), *(OUT) == NULL ? -1 : 0)
>+#endif
>+
>+/* int k5_getpwuid_r(uid_t, blah blah) */
>+#ifdef HAVE_GETPWUID_R
>+# ifndef GETPWUID_R_4_ARGS
>+/* POSIX */
>+# define k5_getpwuid_r(UID, REC, BUF, BUFSIZE, OUT) \
>+ (getpwuid_r(UID,REC,BUF,BUFSIZE,OUT) == 0 \
>+ ? (*(OUT) == NULL ? -1 : 0) : -1)
>+# else
>+/* POSIX drafts? 
Yes, I mean to test GETPWNAM... here. Less junk to
>+ do at configure time. */
>+# ifdef GETPWNAM_R_RETURNS_INT
>+# define k5_getpwuid_r(UID, REC, BUF, BUFSIZE, OUT) \
>+ (getpwuid_r(UID,REC,BUF,BUFSIZE) == 0 \
>+ ? (*(OUT) = REC, 0) \
>+ : (*(OUT) = NULL, -1))
>+# else
>+# define k5_getpwuid_r(UID, REC, BUF, BUFSIZE, OUT) \
>+ (*(OUT) = getpwuid_r(UID,REC,BUF,BUFSIZE), *(OUT) == NULL ? -1 : 0)
>+# endif
>+# endif
>+#else /* no getpwuid_r, or can't figure out #args or return type */
>+/* Will get warnings about unused variables. */
>+# define k5_getpwuid_r(UID, REC, BUF, BUFSIZE, OUT) \
>+ (*(OUT) = getpwuid(UID), *(OUT) == NULL ? -1 : 0)
>+#endif
>+
>+
>+#endif /* K5_PLATFORM_H */
>diff -durN libuser-0.54.7.ORIG/modules/k5-thread.h libuser-0.54.7/modules/k5-thread.h
>--- libuser-0.54.7.ORIG/modules/k5-thread.h 1969-12-31 17:00:00.000000000 -0700
>+++ libuser-0.54.7/modules/k5-thread.h 2007-03-03 22:27:53.000000000 -0700
>@@ -0,0 +1,797 @@
>+/*
>+ * include/k5-thread.h
>+ *
>+ * Copyright 2004,2005,2006 by the Massachusetts Institute of Technology.
>+ * All Rights Reserved.
>+ *
>+ * Export of this software from the United States of America may
>+ * require a specific license from the United States Government.
>+ * It is the responsibility of any person or organization contemplating
>+ * export to obtain such a license before exporting.
>+ *
>+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
>+ * distribute this software and its documentation for any purpose and
>+ * without fee is hereby granted, provided that the above copyright
>+ * notice appear in all copies and that both that copyright notice and
>+ * this permission notice appear in supporting documentation, and that
>+ * the name of M.I.T. not be used in advertising or publicity pertaining
>+ * to distribution of the software without specific, written prior
>+ * permission. Furthermore if you modify this software you must label
>+ * your software as modified software and not distribute it in such a
>+ * fashion that it might be confused with the original M.I.T. software.
>+ * M.I.T. makes no representations about the suitability of
>+ * this software for any purpose. It is provided "as is" without express
>+ * or implied warranty.
>+ *
>+ *
>+ * Preliminary thread support.
>+ */
>+
>+#ifndef K5_THREAD_H
>+#define K5_THREAD_H
>+
>+#include "./autoconf.h"
>+#ifndef KRB5_CALLCONV
>+# define KRB5_CALLCONV
>+#endif
>+#ifndef KRB5_CALLCONV_C
>+# define KRB5_CALLCONV_C
>+#endif
>+
>+/* Interface (tentative):
>+
>+ Mutex support:
>+
>+ // Between these two, we should be able to do pure compile-time
>+ // and pure run-time initialization.
>+ // POSIX: partial initializer is PTHREAD_MUTEX_INITIALIZER,
>+ // finish does nothing
>+ // Windows: partial initializer is an invalid handle,
>+ // finish does the real initialization work
>+ // debug: partial initializer sets one magic value,
>+ // finish verifies and sets a new magic value for
>+ // lock/unlock to check
>+ k5_mutex_t foo_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
>+ int k5_mutex_finish_init(k5_mutex_t *);
>+ // for dynamic allocation
>+ int k5_mutex_init(k5_mutex_t *);
>+ // Must work for both kinds of alloc, even if it means adding flags.
>+ int k5_mutex_destroy(k5_mutex_t *);
>+
>+ // As before.
>+ int k5_mutex_lock(k5_mutex_t *);
>+ int k5_mutex_unlock(k5_mutex_t *);
>+
>+ In each library, one new function to finish the static mutex init,
>+ and any other library-wide initialization that might be desired.
>+ On POSIX, this function would be called via the second support
>+ function (see below). On Windows, it would be called at library
>+ load time. These functions, or functions they calls, should be the
>+ only places that k5_mutex_finish_init gets called.
>+
>+ A second function or macro called at various possible "first" entry
>+ points which either calls pthread_once on the first function
>+ (POSIX), or checks some flag set by the first function (Windows,
>+ debug support), and possibly returns an error. (In the
>+ non-threaded case, a simple flag can be used to avoid multiple
>+ invocations, and the mutexes don't need run-time initialization
>+ anyways.)
>+
>+ A third function for library termination calls mutex_destroy on
>+ each mutex for the library. This function would be called
>+ automatically at library unload time. If it turns out to be needed
>+ at exit time for libraries that don't get unloaded, perhaps we
>+ should also use atexit(). Any static mutexes should be cleaned up
>+ with k5_mutex_destroy here.
>+
>+ How does that second support function invoke the first support
>+ function only once? 
Through something modelled on pthread_once
>+ that I haven't written up yet. Probably:
>+
>+ k5_once_t foo_once = K5_ONCE_INIT;
>+ k5_once(k5_once_t *, void (*)(void));
>+
>+ For POSIX: Map onto pthread_once facility.
>+ For non-threaded case: A simple flag.
>+ For Windows: Not needed; library init code takes care of it.
>+
>+ XXX: A general k5_once mechanism isn't possible for Windows,
>+ without faking it through named mutexes or mutexes initialized at
>+ startup. I was only using it in one place outside these headers,
>+ so I'm dropping the general scheme. Eventually the existing uses
>+ in k5-thread.h and k5-platform.h will be converted to pthread_once
>+ or static variables.
>+
>+
>+ Thread-specific data:
>+
>+ // TSD keys are limited in number in gssapi/krb5/com_err; enumerate
>+ // them all. This allows support code init to allocate the
>+ // necessary storage for pointers all at once, and avoids any
>+ // possible error in key creation.
>+ enum { ... } k5_key_t;
>+ // Register destructor function. Called in library init code.
>+ int k5_key_register(k5_key_t, void (*destructor)(void *));
>+ // Returns NULL or data.
>+ void *k5_getspecific(k5_key_t);
>+ // Returns error if key out of bounds, or the pointer table can't
>+ // be allocated. A call to k5_key_register must have happened first.
>+ // This may trigger the calling of pthread_setspecific on POSIX.
>+ int k5_setspecific(k5_key_t, void *);
>+ // Called in library termination code.
>+ // Trashes data in all threads, calling the registered destructor
>+ // (but calling it from the current thread).
>+ int k5_key_delete(k5_key_t);
>+
>+ For the non-threaded version, the support code will have a static
>+ array indexed by k5_key_t values, and get/setspecific simply access
>+ the array elements.
>+
>+ The TSD destructor table is global state, protected by a mutex if
>+ threads are enabled.
>+
>+ Debug support: Not much. Might check if k5_key_register has been
>+ called and abort if not.
>+
>+
>+ Any actual external symbols will use the krb5int_ prefix. The k5_
>+ names will be simple macros or inline functions to rename the
>+ external symbols, or slightly more complex ones to expand the
>+ implementation inline (e.g., map to POSIX versions and/or debug
>+ code using __FILE__ and the like).
>+
>+
>+ More to be added, perhaps. */
>+
>+#define DEBUG_THREADS
>+#define DEBUG_THREADS_LOC
>+#undef DEBUG_THREADS_SLOW /* debugging stuff that'll slow things down? */
>+#undef DEBUG_THREADS_STATS
>+
>+#include <assert.h>
>+
>+/* For tracking locations, of (e.g.) last lock or unlock of mutex. */
>+#ifdef DEBUG_THREADS_LOC
>+typedef struct {
>+ const char *filename;
>+ int lineno;
>+} k5_debug_loc;
>+#define K5_DEBUG_LOC_INIT { __FILE__, __LINE__ }
>+#if __GNUC__ >= 2
>+#define K5_DEBUG_LOC (__extension__ (k5_debug_loc)K5_DEBUG_LOC_INIT)
>+#else
>+static inline k5_debug_loc k5_debug_make_loc(const char *file, int line)
>+{
>+ k5_debug_loc l;
>+ l.filename = file;
>+ l.lineno = line;
>+ return l;
>+}
>+#define K5_DEBUG_LOC (k5_debug_make_loc(__FILE__,__LINE__))
>+#endif
>+#else /* ! DEBUG_THREADS_LOC */
>+typedef char k5_debug_loc;
>+#define K5_DEBUG_LOC_INIT 0
>+#define K5_DEBUG_LOC 0
>+#endif
>+
>+#define k5_debug_update_loc(L) ((L) = K5_DEBUG_LOC)
>+
>+
>+
>+/* Statistics gathering:
>+
>+ Currently incomplete, don't try enabling it.
>+
>+ Eventually: Report number of times locked, total and standard
>+ deviation of the time the lock was held, total and std dev time
>+ spent waiting for the lock. "Report" will probably mean "write a
>+ line to a file if a magic environment variable is set." 
*/
>+
>+#ifdef DEBUG_THREADS_STATS
>+
>+#if HAVE_TIME_H && (!defined(HAVE_SYS_TIME_H) || defined(TIME_WITH_SYS_TIME))
>+# include <time.h>
>+#endif
>+#if HAVE_SYS_TIME_H
>+# include <sys/time.h>
>+#endif
>+#ifdef HAVE_STDINT_H
>+# include <stdint.h>
>+#endif
>+/* for memset */
>+#include <string.h>
>+/* for uint64_t */
>+#include <inttypes.h>
>+typedef uint64_t k5_debug_timediff_t; /* or long double */
>+typedef struct timeval k5_debug_time_t;
>+static inline k5_debug_timediff_t
>+timediff(k5_debug_time_t t2, k5_debug_time_t t1)
>+{
>+ return (t2.tv_sec - t1.tv_sec) * 1000000 + (t2.tv_usec - t1.tv_usec);
>+}
>+static inline k5_debug_time_t get_current_time(void)
>+{
>+ struct timeval tv;
>+ if (gettimeofday(&tv,0) < 0) { tv.tv_sec = tv.tv_usec = 0; }
>+ return tv;
>+}
>+struct k5_timediff_stats {
>+ k5_debug_timediff_t valmin, valmax, valsum, valsqsum;
>+};
>+typedef struct {
>+ int count;
>+ k5_debug_time_t time_acquired, time_created;
>+ struct k5_timediff_stats lockwait, lockheld;
>+} k5_debug_mutex_stats;
>+#define k5_mutex_init_stats(S) \
>+ (memset((S), 0, sizeof(k5_debug_mutex_stats)), \
>+ (S)->time_created = get_current_time(), \
>+ 0)
>+#define k5_mutex_finish_init_stats(S) (0)
>+#define K5_MUTEX_STATS_INIT { 0, {0}, {0}, {0}, {0} }
>+typedef k5_debug_time_t k5_mutex_stats_tmp;
>+#define k5_mutex_stats_start() get_current_time()
>+void KRB5_CALLCONV krb5int_mutex_lock_update_stats(k5_debug_mutex_stats *m,
>+ k5_mutex_stats_tmp start);
>+void KRB5_CALLCONV krb5int_mutex_unlock_update_stats(k5_debug_mutex_stats *m);
>+#define k5_mutex_lock_update_stats krb5int_mutex_lock_update_stats
>+#define k5_mutex_unlock_update_stats krb5int_mutex_unlock_update_stats
>+void KRB5_CALLCONV krb5int_mutex_report_stats(/* k5_mutex_t *m */);
>+
>+#else
>+
>+typedef char k5_debug_mutex_stats;
>+#define k5_mutex_init_stats(S) (*(S) = 's', 0)
>+#define k5_mutex_finish_init_stats(S) (0)
>+#define K5_MUTEX_STATS_INIT 's'
>+typedef int k5_mutex_stats_tmp;
>+#define 
k5_mutex_stats_start() (0)
>+#ifdef __GNUC__
>+static inline void
>+k5_mutex_lock_update_stats(k5_debug_mutex_stats *m, k5_mutex_stats_tmp t)
>+{
>+}
>+#else
>+# define k5_mutex_lock_update_stats(M,S) (S)
>+#endif
>+#define k5_mutex_unlock_update_stats(M) (*(M) = 's')
>+
>+/* If statistics tracking isn't enabled, these functions don't actually
>+ do anything. Declare anyways so we can do type checking etc. */
>+void KRB5_CALLCONV krb5int_mutex_lock_update_stats(k5_debug_mutex_stats *m,
>+ k5_mutex_stats_tmp start);
>+void KRB5_CALLCONV krb5int_mutex_unlock_update_stats(k5_debug_mutex_stats *m);
>+void KRB5_CALLCONV krb5int_mutex_report_stats(/* k5_mutex_t *m */ void);
>+
>+#define krb5int_mutex_report_stats(M) ((M)->stats = 'd')
>+
>+#endif
>+
>+
>+
>+/* Define the OS mutex bit. */
>+
>+/* First, if we're not actually doing multiple threads, do we
>+ want the debug support or not? */
>+
>+#ifdef DEBUG_THREADS
>+
>+enum k5_mutex_init_states {
>+ K5_MUTEX_DEBUG_PARTLY_INITIALIZED = 0x12,
>+ K5_MUTEX_DEBUG_INITIALIZED,
>+ K5_MUTEX_DEBUG_DESTROYED
>+};
>+enum k5_mutex_flag_states {
>+ K5_MUTEX_DEBUG_UNLOCKED = 0x23,
>+ K5_MUTEX_DEBUG_LOCKED
>+};
>+
>+typedef struct {
>+ enum k5_mutex_init_states initialized;
>+ enum k5_mutex_flag_states locked;
>+} k5_os_nothread_mutex;
>+
>+# define K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER \
>+ { K5_MUTEX_DEBUG_PARTLY_INITIALIZED, K5_MUTEX_DEBUG_UNLOCKED }
>+
>+# define k5_os_nothread_mutex_finish_init(M) \
>+ (assert((M)->initialized != K5_MUTEX_DEBUG_INITIALIZED), \
>+ assert((M)->initialized == K5_MUTEX_DEBUG_PARTLY_INITIALIZED), \
>+ assert((M)->locked == K5_MUTEX_DEBUG_UNLOCKED), \
>+ (M)->initialized = K5_MUTEX_DEBUG_INITIALIZED, 0)
>+# define k5_os_nothread_mutex_init(M) \
>+ ((M)->initialized = K5_MUTEX_DEBUG_INITIALIZED, \
>+ (M)->locked = K5_MUTEX_DEBUG_UNLOCKED, 0)
>+# define k5_os_nothread_mutex_destroy(M) \
>+ (assert((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
>+ (M)->initialized = K5_MUTEX_DEBUG_DESTROYED, 0)
>+
>+# define k5_os_nothread_mutex_lock(M) \
>+ (k5_os_nothread_mutex_assert_unlocked(M), \
>+ (M)->locked = K5_MUTEX_DEBUG_LOCKED, 0)
>+# define k5_os_nothread_mutex_unlock(M) \
>+ (k5_os_nothread_mutex_assert_locked(M), \
>+ (M)->locked = K5_MUTEX_DEBUG_UNLOCKED, 0)
>+
>+# define k5_os_nothread_mutex_assert_locked(M) \
>+ (assert((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
>+ assert((M)->locked != K5_MUTEX_DEBUG_UNLOCKED), \
>+ assert((M)->locked == K5_MUTEX_DEBUG_LOCKED))
>+# define k5_os_nothread_mutex_assert_unlocked(M) \
>+ (assert((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
>+ assert((M)->locked != K5_MUTEX_DEBUG_LOCKED), \
>+ assert((M)->locked == K5_MUTEX_DEBUG_UNLOCKED))
>+
>+#else /* threads disabled and not debugging */
>+
>+typedef char k5_os_nothread_mutex;
>+# define K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER 0
>+/* Empty inline functions avoid the "statement with no effect"
>+ warnings, and do better type-checking than functions that don't use
>+ their arguments. */
>+static inline int k5_os_nothread_mutex_finish_init(k5_os_nothread_mutex *m) {
>+ return 0;
>+}
>+static inline int k5_os_nothread_mutex_init(k5_os_nothread_mutex *m) {
>+ return 0;
>+}
>+static inline int k5_os_nothread_mutex_destroy(k5_os_nothread_mutex *m) {
>+ return 0;
>+}
>+static inline int k5_os_nothread_mutex_lock(k5_os_nothread_mutex *m) {
>+ return 0;
>+}
>+static inline int k5_os_nothread_mutex_unlock(k5_os_nothread_mutex *m) {
>+ return 0;
>+}
>+# define k5_os_nothread_mutex_assert_locked(M) ((void)0)
>+# define k5_os_nothread_mutex_assert_unlocked(M) ((void)0)
>+
>+#endif
>+
>+/* Values:
>+ 2 - function has not been run
>+ 3 - function has been run
>+ 4 - function is being run -- deadlock detected */
>+typedef unsigned char k5_os_nothread_once_t;
>+# define K5_OS_NOTHREAD_ONCE_INIT 2
>+# define k5_os_nothread_once(O,F) \
>+ (*(O) == 3 ? 0 \
>+ : *(O) == 2 ? 
(*(O) = 4, (F)(), *(O) = 3, 0) \
>+ : (assert(*(O) != 4), assert(*(O) == 2 || *(O) == 3), 0))
>+
>+
>+
>+#ifndef ENABLE_THREADS
>+
>+typedef k5_os_nothread_mutex k5_os_mutex;
>+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
>+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER
>+# define k5_os_mutex_finish_init k5_os_nothread_mutex_finish_init
>+# define k5_os_mutex_init k5_os_nothread_mutex_init
>+# define k5_os_mutex_destroy k5_os_nothread_mutex_destroy
>+# define k5_os_mutex_lock k5_os_nothread_mutex_lock
>+# define k5_os_mutex_unlock k5_os_nothread_mutex_unlock
>+# define k5_os_mutex_assert_locked k5_os_nothread_mutex_assert_locked
>+# define k5_os_mutex_assert_unlocked k5_os_nothread_mutex_assert_unlocked
>+
>+# define k5_once_t k5_os_nothread_once_t
>+# define K5_ONCE_INIT K5_OS_NOTHREAD_ONCE_INIT
>+# define k5_once k5_os_nothread_once
>+
>+#elif HAVE_PTHREAD
>+
>+# include <pthread.h>
>+
>+/* Weak reference support, etc.
>+
>+ Linux: Stub mutex routines exist, but pthread_once does not.
>+
>+ Solaris: In libc there's a pthread_once that doesn't seem to do
>+ anything. Bleah. But pthread_mutexattr_setrobust_np is defined
>+ only in libpthread. However, some version of GNU libc (Red Hat's
>+ Fedora Core 5, reportedly) seems to have that function, but no
>+ declaration, so we'd have to declare it in order to test for its
>+ address. We now have tests to see if pthread_once actually works,
>+ so stick with that for now.
>+
>+ IRIX 6.5 stub pthread support in libc is really annoying. The
>+ pthread_mutex_lock function returns ENOSYS for a program not linked
>+ against -lpthread. No link-time failure, no weak symbols, etc.
>+ The C library doesn't provide pthread_once; we can use weak
>+ reference support for that.
>+
>+ If weak references are not available, then for now, we assume that
>+ the pthread support routines will always be available -- either the
>+ real thing, or functional stubs that merely prohibit creating
>+ threads.
>+
>+ If we find a platform with non-functional stubs and no weak
>+ references, we may have to resort to some hack like dlsym on the
>+ symbol tables of the current process. */
>+#ifdef HAVE_PRAGMA_WEAK_REF
>+# pragma weak pthread_once
>+# pragma weak pthread_mutex_lock
>+# pragma weak pthread_mutex_unlock
>+# pragma weak pthread_mutex_destroy
>+# pragma weak pthread_mutex_init
>+# pragma weak pthread_self
>+# pragma weak pthread_equal
>+extern int krb5int_pthread_loaded(void);
>+# define K5_PTHREADS_LOADED (krb5int_pthread_loaded())
>+#else
>+/* no pragma weak support */
>+# define K5_PTHREADS_LOADED (1)
>+#endif
>+
>+#if defined(__mips) && defined(__sgi) && (defined(_SYSTYPE_SVR4) || defined(__SYSTYPE_SVR4__))
>+/* IRIX 6.5 stub pthread support in libc is really annoying. The
>+ pthread_mutex_lock function returns ENOSYS for a program not linked
>+ against -lpthread. No link-time failure, no weak reference tests,
>+ etc.
>+
>+ The C library doesn't provide pthread_once; we can use weak
>+ reference support for that. */
>+# ifndef HAVE_PRAGMA_WEAK_REF
>+# if defined(__GNUC__) && __GNUC__ < 3
>+# error "Please update to a newer gcc with weak symbol support, or switch to native cc, reconfigure and recompile."
>+# else
>+# error "Weak reference support is required"
>+# endif
>+# endif
>+#endif
>+
>+#ifdef HAVE_PRAGMA_WEAK_REF
>+# define USE_PTHREAD_LOCK_ONLY_IF_LOADED
>+#endif
>+
>+#ifdef HAVE_PRAGMA_WEAK_REF
>+/* Can't rely on useful stubs -- see above regarding Solaris. */
>+typedef struct {
>+ pthread_once_t o;
>+ k5_os_nothread_once_t n;
>+} k5_once_t;
>+# define K5_ONCE_INIT { PTHREAD_ONCE_INIT, K5_OS_NOTHREAD_ONCE_INIT }
>+# define k5_once(O,F) (K5_PTHREADS_LOADED \
>+ ? 
pthread_once(&(O)->o,F) \ >+ : k5_os_nothread_once(&(O)->n,F)) >+#else >+typedef pthread_once_t k5_once_t; >+# define K5_ONCE_INIT PTHREAD_ONCE_INIT >+# define k5_once pthread_once >+#endif >+ >+typedef struct { >+ pthread_mutex_t p; >+#ifdef DEBUG_THREADS >+ pthread_t owner; >+#endif >+#ifdef USE_PTHREAD_LOCK_ONLY_IF_LOADED >+ k5_os_nothread_mutex n; >+#endif >+} k5_os_mutex; >+ >+#ifdef DEBUG_THREADS >+# ifdef __GNUC__ >+# define k5_pthread_mutex_lock(M) \ >+ ({ \ >+ k5_os_mutex *_m2 = (M); \ >+ int _r2 = pthread_mutex_lock(&_m2->p); \ >+ if (_r2 == 0) _m2->owner = pthread_self(); \ >+ _r2; \ >+ }) >+# else >+static inline int >+k5_pthread_mutex_lock(k5_os_mutex *m) >+{ >+ int r = pthread_mutex_lock(&m->p); >+ if (r) >+ return r; >+ m->owner = pthread_self(); >+ return 0; >+} >+# endif >+# define k5_pthread_assert_locked(M) \ >+ (K5_PTHREADS_LOADED \ >+ ? assert(pthread_equal((M)->owner, pthread_self())) \ >+ : (void)0) >+# define k5_pthread_mutex_unlock(M) \ >+ (k5_pthread_assert_locked(M), \ >+ (M)->owner = (pthread_t) 0, \ >+ pthread_mutex_unlock(&(M)->p)) >+#else >+# define k5_pthread_mutex_lock(M) pthread_mutex_lock(&(M)->p) >+static inline void k5_pthread_assert_locked(k5_os_mutex *m) { } >+# define k5_pthread_mutex_unlock(M) pthread_mutex_unlock(&(M)->p) >+#endif >+ >+/* Define as functions to: >+ (1) eliminate "statement with no effect" warnings for "0" >+ (2) encourage type-checking in calling code */ >+ >+static inline void k5_pthread_assert_unlocked(pthread_mutex_t *m) { } >+ >+#if defined(DEBUG_THREADS_SLOW) && HAVE_SCHED_H && (HAVE_SCHED_YIELD || HAVE_PRAGMA_WEAK_REF) >+# include <sched.h> >+# if !HAVE_SCHED_YIELD >+# pragma weak sched_yield >+# define MAYBE_SCHED_YIELD() ((void)((&sched_yield != NULL) ? sched_yield() : 0)) >+# else >+# define MAYBE_SCHED_YIELD() ((void)sched_yield()) >+# endif >+#else >+# define MAYBE_SCHED_YIELD() ((void)0) >+#endif >+ >+/* It may not be obvious why this function is desirable. 
>+ >+ I want to call pthread_mutex_lock, then sched_yield, then look at >+ the return code from pthread_mutex_lock. That can't be implemented >+ in a macro without a temporary variable, or GNU C extensions. >+ >+ There used to be an inline function which did it, with both >+ functions called from the inline function. But that messes with >+ the debug information on a lot of configurations, and you can't >+ tell where the inline function was called from. (Typically, gdb >+ gives you the name of the function from which the inline function >+ was called, and a line number within the inline function itself.) >+ >+ With this auxiliary function, pthread_mutex_lock can be called at >+ the invoking site via a macro; once it returns, the inline function >+ is called (with messed-up line-number info for gdb hopefully >+ localized to just that call). */ >+#ifdef __GNUC__ >+#define return_after_yield(R) \ >+ __extension__ ({ \ >+ int _r = (R); \ >+ MAYBE_SCHED_YIELD(); \ >+ _r; \ >+ }) >+#else >+static inline int return_after_yield(int r) >+{ >+ MAYBE_SCHED_YIELD(); >+ return r; >+} >+#endif >+ >+#ifdef USE_PTHREAD_LOCK_ONLY_IF_LOADED >+ >+# if defined(PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP) && defined(DEBUG_THREADS) >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP, (pthread_t) 0, \ >+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER } >+# elif defined(DEBUG_THREADS) >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_MUTEX_INITIALIZER, (pthread_t) 0, \ >+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER } >+# else >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_MUTEX_INITIALIZER, K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER } >+# endif >+ >+# define k5_os_mutex_finish_init(M) \ >+ k5_os_nothread_mutex_finish_init(&(M)->n) >+# define k5_os_mutex_init(M) \ >+ (k5_os_nothread_mutex_init(&(M)->n), \ >+ (K5_PTHREADS_LOADED \ >+ ? 
pthread_mutex_init(&(M)->p, 0) \ >+ : 0)) >+# define k5_os_mutex_destroy(M) \ >+ (k5_os_nothread_mutex_destroy(&(M)->n), \ >+ (K5_PTHREADS_LOADED \ >+ ? pthread_mutex_destroy(&(M)->p) \ >+ : 0)) >+ >+# define k5_os_mutex_lock(M) \ >+ return_after_yield(K5_PTHREADS_LOADED \ >+ ? k5_pthread_mutex_lock(M) \ >+ : k5_os_nothread_mutex_lock(&(M)->n)) >+# define k5_os_mutex_unlock(M) \ >+ (MAYBE_SCHED_YIELD(), \ >+ (K5_PTHREADS_LOADED \ >+ ? k5_pthread_mutex_unlock(M) \ >+ : k5_os_nothread_mutex_unlock(&(M)->n))) >+ >+# define k5_os_mutex_assert_unlocked(M) \ >+ (K5_PTHREADS_LOADED \ >+ ? k5_pthread_assert_unlocked(&(M)->p) \ >+ : k5_os_nothread_mutex_assert_unlocked(&(M)->n)) >+# define k5_os_mutex_assert_locked(M) \ >+ (K5_PTHREADS_LOADED \ >+ ? k5_pthread_assert_locked(M) \ >+ : k5_os_nothread_mutex_assert_locked(&(M)->n)) >+ >+#else >+ >+# ifdef DEBUG_THREADS >+# ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP, (pthread_t) 0 } >+# else >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_MUTEX_INITIALIZER, (pthread_t) 0 } >+# endif >+# else >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \ >+ { PTHREAD_MUTEX_INITIALIZER } >+# endif >+ >+static inline int k5_os_mutex_finish_init(k5_os_mutex *m) { return 0; } >+# define k5_os_mutex_init(M) pthread_mutex_init(&(M)->p, 0) >+# define k5_os_mutex_destroy(M) pthread_mutex_destroy(&(M)->p) >+# define k5_os_mutex_lock(M) return_after_yield(k5_pthread_mutex_lock(M)) >+# define k5_os_mutex_unlock(M) (MAYBE_SCHED_YIELD(),k5_pthread_mutex_unlock(M)) >+ >+# define k5_os_mutex_assert_unlocked(M) k5_pthread_assert_unlocked(&(M)->p) >+# define k5_os_mutex_assert_locked(M) k5_pthread_assert_locked(M) >+ >+#endif /* is pthreads always available? 
*/ >+ >+#elif defined _WIN32 >+ >+typedef struct { >+ HANDLE h; >+ int is_locked; >+} k5_os_mutex; >+ >+# define K5_OS_MUTEX_PARTIAL_INITIALIZER { INVALID_HANDLE_VALUE, 0 } >+ >+# define k5_os_mutex_finish_init(M) \ >+ (assert((M)->h == INVALID_HANDLE_VALUE), \ >+ ((M)->h = CreateMutex(NULL, FALSE, NULL)) ? 0 : GetLastError()) >+# define k5_os_mutex_init(M) \ >+ ((M)->is_locked = 0, \ >+ ((M)->h = CreateMutex(NULL, FALSE, NULL)) ? 0 : GetLastError()) >+# define k5_os_mutex_destroy(M) \ >+ (CloseHandle((M)->h) ? ((M)->h = 0, 0) : GetLastError()) >+ >+static inline int k5_os_mutex_lock(k5_os_mutex *m) >+{ >+ DWORD res; >+ res = WaitForSingleObject(m->h, INFINITE); >+ if (res == WAIT_FAILED) >+ return GetLastError(); >+ /* Eventually these should be turned into some reasonable error >+ code. */ >+ assert(res != WAIT_TIMEOUT); >+ assert(res != WAIT_ABANDONED); >+ assert(res == WAIT_OBJECT_0); >+ /* Avoid locking twice. */ >+ assert(m->is_locked == 0); >+ m->is_locked = 1; >+ return 0; >+} >+ >+# define k5_os_mutex_unlock(M) \ >+ (assert((M)->is_locked == 1), \ >+ (M)->is_locked = 0, \ >+ ReleaseMutex((M)->h) ? 
0 : GetLastError()) >+ >+# define k5_os_mutex_assert_unlocked(M) ((void)0) >+# define k5_os_mutex_assert_locked(M) ((void)0) >+ >+#else >+ >+# error "Thread support enabled, but thread system unknown" >+ >+#endif >+ >+ >+ >+ >+typedef struct { >+ k5_debug_loc loc_last, loc_created; >+ k5_os_mutex os; >+ k5_debug_mutex_stats stats; >+} k5_mutex_t; >+#define K5_MUTEX_PARTIAL_INITIALIZER \ >+ { K5_DEBUG_LOC_INIT, K5_DEBUG_LOC_INIT, \ >+ K5_OS_MUTEX_PARTIAL_INITIALIZER, K5_MUTEX_STATS_INIT } >+static inline int k5_mutex_init_1(k5_mutex_t *m, k5_debug_loc l) >+{ >+ int err = k5_os_mutex_init(&m->os); >+ if (err) return err; >+ m->loc_created = m->loc_last = l; >+ err = k5_mutex_init_stats(&m->stats); >+ assert(err == 0); >+ return 0; >+} >+#define k5_mutex_init(M) k5_mutex_init_1((M), K5_DEBUG_LOC) >+static inline int k5_mutex_finish_init_1(k5_mutex_t *m, k5_debug_loc l) >+{ >+ int err = k5_os_mutex_finish_init(&m->os); >+ if (err) return err; >+ m->loc_created = m->loc_last = l; >+ err = k5_mutex_finish_init_stats(&m->stats); >+ assert(err == 0); >+ return 0; >+} >+#define k5_mutex_finish_init(M) k5_mutex_finish_init_1((M), K5_DEBUG_LOC) >+#define k5_mutex_destroy(M) \ >+ (k5_os_mutex_assert_unlocked(&(M)->os), \ >+ krb5int_mutex_report_stats(M), \ >+ k5_mutex_lock(M), (M)->loc_last = K5_DEBUG_LOC, k5_mutex_unlock(M), \ >+ k5_os_mutex_destroy(&(M)->os)) >+#ifdef __GNUC__ >+#define k5_mutex_lock(M) \ >+ __extension__ ({ \ >+ int _err = 0; \ >+ k5_mutex_stats_tmp _stats = k5_mutex_stats_start(); \ >+ k5_mutex_t *_m = (M); \ >+ _err = k5_os_mutex_lock(&_m->os); \ >+ if (_err == 0) _m->loc_last = K5_DEBUG_LOC; \ >+ if (_err == 0) k5_mutex_lock_update_stats(&_m->stats, _stats); \ >+ _err; \ >+ }) >+#else >+static inline int k5_mutex_lock_1(k5_mutex_t *m, k5_debug_loc l) >+{ >+ int err = 0; >+ k5_mutex_stats_tmp stats = k5_mutex_stats_start(); >+ err = k5_os_mutex_lock(&m->os); >+ if (err) >+ return err; >+ m->loc_last = l; >+ k5_mutex_lock_update_stats(&m->stats, stats); >+ 
return err; >+} >+#define k5_mutex_lock(M) k5_mutex_lock_1(M, K5_DEBUG_LOC) >+#endif >+#define k5_mutex_unlock(M) \ >+ (k5_mutex_assert_locked(M), \ >+ k5_mutex_unlock_update_stats(&(M)->stats), \ >+ (M)->loc_last = K5_DEBUG_LOC, \ >+ k5_os_mutex_unlock(&(M)->os)) >+ >+#define k5_mutex_assert_locked(M) k5_os_mutex_assert_locked(&(M)->os) >+#define k5_mutex_assert_unlocked(M) k5_os_mutex_assert_unlocked(&(M)->os) >+ >+#define k5_assert_locked k5_mutex_assert_locked >+#define k5_assert_unlocked k5_mutex_assert_unlocked >+ >+ >+/* Thread-specific data; implemented in a support file, because we'll >+ need to keep track of some global data for cleanup purposes. >+ >+ Note that the callback function type is such that the C library >+ routine free() is a valid callback. */ >+typedef enum { >+ K5_KEY_COM_ERR, >+ K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, >+ K5_KEY_GSS_KRB5_CCACHE_NAME, >+ K5_KEY_MAX >+} k5_key_t; >+/* rename shorthand symbols for export */ >+#define k5_key_register krb5int_key_register >+#define k5_getspecific krb5int_getspecific >+#define k5_setspecific krb5int_setspecific >+#define k5_key_delete krb5int_key_delete >+extern int k5_key_register(k5_key_t, void (*)(void *)); >+extern void *k5_getspecific(k5_key_t); >+extern int k5_setspecific(k5_key_t, void *); >+extern int k5_key_delete(k5_key_t); >+ >+extern int KRB5_CALLCONV krb5int_mutex_alloc (k5_mutex_t **); >+extern void KRB5_CALLCONV krb5int_mutex_free (k5_mutex_t *); >+extern int KRB5_CALLCONV krb5int_mutex_lock (k5_mutex_t *); >+extern int KRB5_CALLCONV krb5int_mutex_unlock (k5_mutex_t *); >+ >+/* In time, many of the definitions above should move into the support >+ library, and this file should be greatly simplified. For type >+ definitions, that'll take some work, since other data structures >+ incorporate mutexes directly, and our mutex type is dependent on >+ configuration options and system attributes. For most functions, >+ though, it should be relatively easy. 
>+
>+ For now, plugins should use the exported functions, and not the
>+ above macros, and use krb5int_mutex_alloc for allocations. */
>+#ifdef PLUGIN
>+#undef k5_mutex_lock
>+#define k5_mutex_lock krb5int_mutex_lock
>+#undef k5_mutex_unlock
>+#define k5_mutex_unlock krb5int_mutex_unlock
>+#endif
>+
>+#endif /* multiple inclusion? */
>diff -durN libuser-0.54.7.ORIG/modules/kadm5/admin.h libuser-0.54.7/modules/kadm5/admin.h
>--- libuser-0.54.7.ORIG/modules/kadm5/admin.h 1969-12-31 17:00:00.000000000 -0700
>+++ libuser-0.54.7/modules/kadm5/admin.h 2007-03-03 22:27:53.000000000 -0700
>@@ -0,0 +1,734 @@
>+/*
>+ * lib/kadm5/admin.h
>+ *
>+ * Copyright 2001 by the Massachusetts Institute of Technology.
>+ * All Rights Reserved.
>+ *
>+ * Export of this software from the United States of America may
>+ * require a specific license from the United States Government.
>+ * It is the responsibility of any person or organization contemplating
>+ * export to obtain such a license before exporting.
>+ *
>+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
>+ * distribute this software and its documentation for any purpose and
>+ * without fee is hereby granted, provided that the above copyright
>+ * notice appear in all copies and that both that copyright notice and
>+ * this permission notice appear in supporting documentation, and that
>+ * the name of M.I.T. not be used in advertising or publicity pertaining
>+ * to distribution of the software without specific, written prior
>+ * permission. Furthermore if you modify this software you must label
>+ * your software as modified software and not distribute it in such a
>+ * fashion that it might be confused with the original M.I.T. software.
>+ * M.I.T. makes no representations about the suitability of
>+ * this software for any purpose. It is provided "as is" without express
>+ * or implied warranty.
>+ *
>+ */
>+/*
>+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
>+ *
>+ * $Header$
>+ */
>+
>+#ifndef __KADM5_ADMIN_H__
>+#define __KADM5_ADMIN_H__
>+
>+#if !defined(USE_KADM5_API_VERSION)
>+#define USE_KADM5_API_VERSION 2
>+#endif
>+
>+#include <sys/types.h>
>+#include <gssrpc/rpc.h>
>+#include <krb5.h>
>+#include "../kdb.h"
>+#include <et/com_err.h>
>+#include "./kadm_err.h"
>+#include "./chpass_util_strings.h"
>+
>+#define KADM5_ADMIN_SERVICE "kadmin/admin"
>+#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
>+#define KADM5_HIST_PRINCIPAL "kadmin/history"
>+
>+typedef krb5_principal kadm5_princ_t;
>+typedef char *kadm5_policy_t;
>+typedef long kadm5_ret_t;
>+
>+#define KADM5_PW_FIRST_PROMPT \
>+ (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
>+#define KADM5_PW_SECOND_PROMPT \
>+ (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
>+
>+/*
>+ * Successful return code
>+ */
>+#define KADM5_OK 0
>+
>+/*
>+ * Field masks
>+ */
>+
>+/* kadm5_principal_ent_t */
>+#define KADM5_PRINCIPAL 0x000001
>+#define KADM5_PRINC_EXPIRE_TIME 0x000002
>+#define KADM5_PW_EXPIRATION 0x000004
>+#define KADM5_LAST_PWD_CHANGE 0x000008
>+#define KADM5_ATTRIBUTES 0x000010
>+#define KADM5_MAX_LIFE 0x000020
>+#define KADM5_MOD_TIME 0x000040
>+#define KADM5_MOD_NAME 0x000080
>+#define KADM5_KVNO 0x000100
>+#define KADM5_MKVNO 0x000200
>+#define KADM5_AUX_ATTRIBUTES 0x000400
>+#define KADM5_POLICY 0x000800
>+#define KADM5_POLICY_CLR 0x001000
>+/* version 2 masks */
>+#define KADM5_MAX_RLIFE 0x002000
>+#define KADM5_LAST_SUCCESS 0x004000
>+#define KADM5_LAST_FAILED 0x008000
>+#define KADM5_FAIL_AUTH_COUNT 0x010000
>+#define KADM5_KEY_DATA 0x020000
>+#define KADM5_TL_DATA 0x040000
>+/* all but KEY_DATA and TL_DATA */
>+#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
>+
>+/* kadm5_policy_ent_t */
>+#define KADM5_PW_MAX_LIFE 0x004000
>+#define KADM5_PW_MIN_LIFE 0x008000
>+#define KADM5_PW_MIN_LENGTH 0x010000
>+#define KADM5_PW_MIN_CLASSES 0x020000
>+#define KADM5_PW_HISTORY_NUM 0x040000
>+#define KADM5_REF_COUNT 0x080000
>+
>+/* kadm5_config_params */
>+#define KADM5_CONFIG_REALM 0x000001
>+#define KADM5_CONFIG_DBNAME 0x000002
>+#define KADM5_CONFIG_MKEY_NAME 0x000004
>+#define KADM5_CONFIG_MAX_LIFE 0x000008
>+#define KADM5_CONFIG_MAX_RLIFE 0x000010
>+#define KADM5_CONFIG_EXPIRATION 0x000020
>+#define KADM5_CONFIG_FLAGS 0x000040
>+#define KADM5_CONFIG_ADMIN_KEYTAB 0x000080
>+#define KADM5_CONFIG_STASH_FILE 0x000100
>+#define KADM5_CONFIG_ENCTYPE 0x000200
>+#define KADM5_CONFIG_ADBNAME 0x000400
>+#define KADM5_CONFIG_ADB_LOCKFILE 0x000800
>+/*#define KADM5_CONFIG_PROFILE 0x001000*/
>+#define KADM5_CONFIG_ACL_FILE 0x002000
>+#define KADM5_CONFIG_KADMIND_PORT 0x004000
>+#define KADM5_CONFIG_ENCTYPES 0x008000
>+#define KADM5_CONFIG_ADMIN_SERVER 0x010000
>+#define KADM5_CONFIG_DICT_FILE 0x020000
>+#define KADM5_CONFIG_MKEY_FROM_KBD 0x040000
>+#define KADM5_CONFIG_KPASSWD_PORT 0x080000
>+#define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x100000
>+#define KADM5_CONFIG_NO_AUTH 0x200000
>+#define KADM5_CONFIG_AUTH_NOFALLBACK 0x400000
>+/*
>+ * permission bits
>+ */
>+#define KADM5_PRIV_GET 0x01
>+#define KADM5_PRIV_ADD 0x02
>+#define KADM5_PRIV_MODIFY 0x04
>+#define KADM5_PRIV_DELETE 0x08
>+
>+/*
>+ * API versioning constants
>+ */
>+#define KADM5_MASK_BITS 0xffffff00
>+
>+#define KADM5_STRUCT_VERSION_MASK 0x12345600
>+#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
>+#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1
>+
>+#define KADM5_API_VERSION_MASK 0x12345700
>+#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
>+#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)
>+
>+typedef struct _kadm5_principal_ent_t_v2 {
>+ krb5_principal principal;
>+ krb5_timestamp princ_expire_time;
>+ krb5_timestamp last_pwd_change;
>+ krb5_timestamp pw_expiration;
>+ krb5_deltat max_life;
>+ krb5_principal mod_name;
>+ krb5_timestamp mod_date;
>+ krb5_flags attributes;
>+ krb5_kvno kvno;
>+ krb5_kvno mkvno;
>+ char *policy;
>+ long aux_attributes; >+ >+ /* version 2 fields */ >+ krb5_deltat max_renewable_life; >+ krb5_timestamp last_success; >+ krb5_timestamp last_failed; >+ krb5_kvno fail_auth_count; >+ krb5_int16 n_key_data; >+ krb5_int16 n_tl_data; >+ krb5_tl_data *tl_data; >+ krb5_key_data *key_data; >+} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2; >+ >+typedef struct _kadm5_principal_ent_t_v1 { >+ krb5_principal principal; >+ krb5_timestamp princ_expire_time; >+ krb5_timestamp last_pwd_change; >+ krb5_timestamp pw_expiration; >+ krb5_deltat max_life; >+ krb5_principal mod_name; >+ krb5_timestamp mod_date; >+ krb5_flags attributes; >+ krb5_kvno kvno; >+ krb5_kvno mkvno; >+ char *policy; >+ long aux_attributes; >+} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1; >+ >+#if USE_KADM5_API_VERSION == 1 >+typedef struct _kadm5_principal_ent_t_v1 >+ kadm5_principal_ent_rec, *kadm5_principal_ent_t; >+#else >+typedef struct _kadm5_principal_ent_t_v2 >+ kadm5_principal_ent_rec, *kadm5_principal_ent_t; >+#endif >+ >+typedef struct _kadm5_policy_ent_t { >+ char *policy; >+ long pw_min_life; >+ long pw_max_life; >+ long pw_min_length; >+ long pw_min_classes; >+ long pw_history_num; >+ long policy_refcnt; >+} kadm5_policy_ent_rec, *kadm5_policy_ent_t; >+ >+/* >+ * Data structure returned by kadm5_get_config_params() >+ */ >+typedef struct _kadm5_config_params { >+ long mask; >+ char * realm; >+ int kadmind_port; >+ int kpasswd_port; >+ >+ char * admin_server; >+ >+ char * dbname; >+ char * admin_dbname; >+ char * admin_lockfile; >+ char * admin_keytab; >+ char * acl_file; >+ char * dict_file; >+ >+ int mkey_from_kbd; >+ char * stash_file; >+ char * mkey_name; >+ krb5_enctype enctype; >+ krb5_deltat max_life; >+ krb5_deltat max_rlife; >+ krb5_timestamp expiration; >+ krb5_flags flags; >+ krb5_key_salt_tuple *keysalts; >+ krb5_int32 num_keysalts; >+} kadm5_config_params; >+ >+/*********************************************************************** >+ * This is the old 
krb5_realm_read_params, which I mutated into >+ * kadm5_get_config_params but which old code (kdb5_* and krb5kdc) >+ * still uses. >+ ***********************************************************************/ >+ >+/* >+ * Data structure returned by krb5_read_realm_params() >+ */ >+typedef struct __krb5_realm_params { >+ char * realm_profile; >+ char * realm_dbname; >+ char * realm_mkey_name; >+ char * realm_stash_file; >+ char * realm_kdc_ports; >+ char * realm_kdc_tcp_ports; >+ char * realm_acl_file; >+ krb5_int32 realm_kadmind_port; >+ krb5_enctype realm_enctype; >+ krb5_deltat realm_max_life; >+ krb5_deltat realm_max_rlife; >+ krb5_timestamp realm_expiration; >+ krb5_flags realm_flags; >+ krb5_key_salt_tuple *realm_keysalts; >+ unsigned int realm_reject_bad_transit:1; >+ unsigned int realm_kadmind_port_valid:1; >+ unsigned int realm_enctype_valid:1; >+ unsigned int realm_max_life_valid:1; >+ unsigned int realm_max_rlife_valid:1; >+ unsigned int realm_expiration_valid:1; >+ unsigned int realm_flags_valid:1; >+ unsigned int realm_reject_bad_transit_valid:1; >+ krb5_int32 realm_num_keysalts; >+} krb5_realm_params; >+ >+/* >+ * functions >+ */ >+ >+#if USE_KADM5_API_VERSION > 1 >+krb5_error_code kadm5_get_config_params(krb5_context context, >+ int use_kdc_config, >+ kadm5_config_params *params_in, >+ kadm5_config_params *params_out); >+ >+krb5_error_code kadm5_free_config_params(krb5_context context, >+ kadm5_config_params *params); >+ >+krb5_error_code kadm5_free_realm_params(krb5_context kcontext, >+ kadm5_config_params *params); >+ >+krb5_error_code kadm5_get_admin_service_name(krb5_context, char *, >+ char *, size_t); >+#endif >+ >+kadm5_ret_t kadm5_init(char *client_name, char *pass, >+ char *service_name, >+#if USE_KADM5_API_VERSION == 1 >+ char *realm, >+#else >+ kadm5_config_params *params, >+#endif >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+kadm5_ret_t kadm5_init_with_password(char *client_name, >+ 
char *pass, >+ char *service_name, >+#if USE_KADM5_API_VERSION == 1 >+ char *realm, >+#else >+ kadm5_config_params *params, >+#endif >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+kadm5_ret_t kadm5_init_with_skey(char *client_name, >+ char *keytab, >+ char *service_name, >+#if USE_KADM5_API_VERSION == 1 >+ char *realm, >+#else >+ kadm5_config_params *params, >+#endif >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+#if USE_KADM5_API_VERSION > 1 >+kadm5_ret_t kadm5_init_with_creds(char *client_name, >+ krb5_ccache cc, >+ char *service_name, >+ kadm5_config_params *params, >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+#endif >+kadm5_ret_t kadm5_lock(void *server_handle); >+kadm5_ret_t kadm5_unlock(void *server_handle); >+kadm5_ret_t kadm5_flush(void *server_handle); >+kadm5_ret_t kadm5_destroy(void *server_handle); >+kadm5_ret_t kadm5_create_principal(void *server_handle, >+ kadm5_principal_ent_t ent, >+ long mask, char *pass); >+kadm5_ret_t kadm5_create_principal_3(void *server_handle, >+ kadm5_principal_ent_t ent, >+ long mask, >+ int n_ks_tuple, >+ krb5_key_salt_tuple *ks_tuple, >+ char *pass); >+kadm5_ret_t kadm5_delete_principal(void *server_handle, >+ krb5_principal principal); >+kadm5_ret_t kadm5_modify_principal(void *server_handle, >+ kadm5_principal_ent_t ent, >+ long mask); >+kadm5_ret_t kadm5_rename_principal(void *server_handle, >+ krb5_principal,krb5_principal); >+#if USE_KADM5_API_VERSION == 1 >+kadm5_ret_t kadm5_get_principal(void *server_handle, >+ krb5_principal principal, >+ kadm5_principal_ent_t *ent); >+#else >+kadm5_ret_t kadm5_get_principal(void *server_handle, >+ krb5_principal principal, >+ kadm5_principal_ent_t ent, >+ long mask); >+#endif >+kadm5_ret_t kadm5_chpass_principal(void *server_handle, >+ krb5_principal principal, >+ char *pass); >+kadm5_ret_t 
kadm5_chpass_principal_3(void *server_handle, >+ krb5_principal principal, >+ krb5_boolean keepold, >+ int n_ks_tuple, >+ krb5_key_salt_tuple *ks_tuple, >+ char *pass); >+#if USE_KADM5_API_VERSION == 1 >+kadm5_ret_t kadm5_randkey_principal(void *server_handle, >+ krb5_principal principal, >+ krb5_keyblock **keyblock); >+#else >+kadm5_ret_t kadm5_randkey_principal(void *server_handle, >+ krb5_principal principal, >+ krb5_keyblock **keyblocks, >+ int *n_keys); >+kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, >+ krb5_principal principal, >+ krb5_boolean keepold, >+ int n_ks_tuple, >+ krb5_key_salt_tuple *ks_tuple, >+ krb5_keyblock **keyblocks, >+ int *n_keys); >+#endif >+kadm5_ret_t kadm5_setv4key_principal(void *server_handle, >+ krb5_principal principal, >+ krb5_keyblock *keyblock); >+ >+kadm5_ret_t kadm5_setkey_principal(void *server_handle, >+ krb5_principal principal, >+ krb5_keyblock *keyblocks, >+ int n_keys); >+ >+kadm5_ret_t kadm5_setkey_principal_3(void *server_handle, >+ krb5_principal principal, >+ krb5_boolean keepold, >+ int n_ks_tuple, >+ krb5_key_salt_tuple *ks_tuple, >+ krb5_keyblock *keyblocks, >+ int n_keys); >+ >+kadm5_ret_t kadm5_decrypt_key(void *server_handle, >+ kadm5_principal_ent_t entry, krb5_int32 >+ ktype, krb5_int32 stype, krb5_int32 >+ kvno, krb5_keyblock *keyblock, >+ krb5_keysalt *keysalt, int *kvnop); >+ >+kadm5_ret_t kadm5_create_policy(void *server_handle, >+ kadm5_policy_ent_t ent, >+ long mask); >+/* >+ * kadm5_create_policy_internal is not part of the supported, >+ * exposed API. It is available only in the server library, and you >+ * shouldn't use it unless you know why it's there and how it's >+ * different from kadm5_create_policy. 
>+ */ >+kadm5_ret_t kadm5_create_policy_internal(void *server_handle, >+ kadm5_policy_ent_t >+ entry, long mask); >+kadm5_ret_t kadm5_delete_policy(void *server_handle, >+ kadm5_policy_t policy); >+kadm5_ret_t kadm5_modify_policy(void *server_handle, >+ kadm5_policy_ent_t ent, >+ long mask); >+/* >+ * kadm5_modify_policy_internal is not part of the supported, >+ * exposed API. It is available only in the server library, and you >+ * shouldn't use it unless you know why it's there and how it's >+ * different from kadm5_modify_policy. >+ */ >+kadm5_ret_t kadm5_modify_policy_internal(void *server_handle, >+ kadm5_policy_ent_t >+ entry, long mask); >+#if USE_KADM5_API_VERSION == 1 >+kadm5_ret_t kadm5_get_policy(void *server_handle, >+ kadm5_policy_t policy, >+ kadm5_policy_ent_t *ent); >+#else >+kadm5_ret_t kadm5_get_policy(void *server_handle, >+ kadm5_policy_t policy, >+ kadm5_policy_ent_t ent); >+#endif >+kadm5_ret_t kadm5_get_privs(void *server_handle, >+ long *privs); >+ >+kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, >+ krb5_principal princ, >+ char *new_pw, >+ char **ret_pw, >+ char *msg_ret, >+ unsigned int msg_len); >+ >+kadm5_ret_t kadm5_free_principal_ent(void *server_handle, >+ kadm5_principal_ent_t >+ ent); >+kadm5_ret_t kadm5_free_policy_ent(void *server_handle, >+ kadm5_policy_ent_t ent); >+ >+kadm5_ret_t kadm5_get_principals(void *server_handle, >+ char *exp, char ***princs, >+ int *count); >+ >+kadm5_ret_t kadm5_get_policies(void *server_handle, >+ char *exp, char ***pols, >+ int *count); >+ >+#if USE_KADM5_API_VERSION > 1 >+kadm5_ret_t kadm5_free_key_data(void *server_handle, >+ krb5_int16 *n_key_data, >+ krb5_key_data *key_data); >+#endif >+ >+kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, >+ int count); >+ >+krb5_error_code kadm5_init_krb5_context (krb5_context *); >+ >+#if USE_KADM5_API_VERSION == 1 >+/* >+ * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time >+ * compatible with KADM5_API_VERSION_2. 
Basically, this means we have >+ * to continue to provide all the old ovsec_kadm function and symbol >+ * names. >+ */ >+ >+#define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl" >+#define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict" >+ >+#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin" >+#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw" >+#define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history" >+ >+typedef krb5_principal ovsec_kadm_princ_t; >+typedef krb5_keyblock ovsec_kadm_keyblock; >+typedef char *ovsec_kadm_policy_t; >+typedef long ovsec_kadm_ret_t; >+ >+enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL }; >+enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL }; >+ >+#define OVSEC_KADM_PW_FIRST_PROMPT \ >+ ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) >+#define OVSEC_KADM_PW_SECOND_PROMPT \ >+ ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) >+ >+/* >+ * Successful return code >+ */ >+#define OVSEC_KADM_OK 0 >+ >+/* >+ * Create/Modify masks >+ */ >+/* principal */ >+#define OVSEC_KADM_PRINCIPAL 0x000001 >+#define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002 >+#define OVSEC_KADM_PW_EXPIRATION 0x000004 >+#define OVSEC_KADM_LAST_PWD_CHANGE 0x000008 >+#define OVSEC_KADM_ATTRIBUTES 0x000010 >+#define OVSEC_KADM_MAX_LIFE 0x000020 >+#define OVSEC_KADM_MOD_TIME 0x000040 >+#define OVSEC_KADM_MOD_NAME 0x000080 >+#define OVSEC_KADM_KVNO 0x000100 >+#define OVSEC_KADM_MKVNO 0x000200 >+#define OVSEC_KADM_AUX_ATTRIBUTES 0x000400 >+#define OVSEC_KADM_POLICY 0x000800 >+#define OVSEC_KADM_POLICY_CLR 0x001000 >+/* policy */ >+#define OVSEC_KADM_PW_MAX_LIFE 0x004000 >+#define OVSEC_KADM_PW_MIN_LIFE 0x008000 >+#define OVSEC_KADM_PW_MIN_LENGTH 0x010000 >+#define OVSEC_KADM_PW_MIN_CLASSES 0x020000 >+#define OVSEC_KADM_PW_HISTORY_NUM 0x040000 >+#define OVSEC_KADM_REF_COUNT 0x080000 >+ >+/* >+ * permission bits >+ */ >+#define OVSEC_KADM_PRIV_GET 0x01 >+#define OVSEC_KADM_PRIV_ADD 0x02 >+#define 
OVSEC_KADM_PRIV_MODIFY 0x04 >+#define OVSEC_KADM_PRIV_DELETE 0x08 >+ >+/* >+ * API versioning constants >+ */ >+#define OVSEC_KADM_MASK_BITS 0xffffff00 >+ >+#define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600 >+#define OVSEC_KADM_STRUCT_VERSION_1 (OVSEC_KADM_STRUCT_VERSION_MASK|0x01) >+#define OVSEC_KADM_STRUCT_VERSION OVSEC_KADM_STRUCT_VERSION_1 >+ >+#define OVSEC_KADM_API_VERSION_MASK 0x12345700 >+#define OVSEC_KADM_API_VERSION_1 (OVSEC_KADM_API_VERSION_MASK|0x01) >+ >+ >+typedef struct _ovsec_kadm_principal_ent_t { >+ krb5_principal principal; >+ krb5_timestamp princ_expire_time; >+ krb5_timestamp last_pwd_change; >+ krb5_timestamp pw_expiration; >+ krb5_deltat max_life; >+ krb5_principal mod_name; >+ krb5_timestamp mod_date; >+ krb5_flags attributes; >+ krb5_kvno kvno; >+ krb5_kvno mkvno; >+ char *policy; >+ long aux_attributes; >+} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t; >+ >+typedef struct _ovsec_kadm_policy_ent_t { >+ char *policy; >+ long pw_min_life; >+ long pw_max_life; >+ long pw_min_length; >+ long pw_min_classes; >+ long pw_history_num; >+ long policy_refcnt; >+} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t; >+ >+/* >+ * functions >+ */ >+ovsec_kadm_ret_t ovsec_kadm_init(char *client_name, char *pass, >+ char *service_name, char *realm, >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+ovsec_kadm_ret_t ovsec_kadm_init_with_password(char *client_name, >+ char *pass, >+ char *service_name, >+ char *realm, >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char ** db_args, >+ void **server_handle); >+ovsec_kadm_ret_t ovsec_kadm_init_with_skey(char *client_name, >+ char *keytab, >+ char *service_name, >+ char *realm, >+ krb5_ui_4 struct_version, >+ krb5_ui_4 api_version, >+ char **db_args, >+ void **server_handle); >+ovsec_kadm_ret_t ovsec_kadm_flush(void *server_handle); >+ovsec_kadm_ret_t ovsec_kadm_destroy(void *server_handle); >+ovsec_kadm_ret_t 
ovsec_kadm_create_principal(void *server_handle, >+ ovsec_kadm_principal_ent_t ent, >+ long mask, char *pass); >+ovsec_kadm_ret_t ovsec_kadm_delete_principal(void *server_handle, >+ krb5_principal principal); >+ovsec_kadm_ret_t ovsec_kadm_modify_principal(void *server_handle, >+ ovsec_kadm_principal_ent_t ent, >+ long mask); >+ovsec_kadm_ret_t ovsec_kadm_rename_principal(void *server_handle, >+ krb5_principal,krb5_principal); >+ovsec_kadm_ret_t ovsec_kadm_get_principal(void *server_handle, >+ krb5_principal principal, >+ ovsec_kadm_principal_ent_t *ent); >+ovsec_kadm_ret_t ovsec_kadm_chpass_principal(void *server_handle, >+ krb5_principal principal, >+ char *pass); >+ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle, >+ krb5_principal principal, >+ krb5_keyblock **keyblock); >+ovsec_kadm_ret_t ovsec_kadm_create_policy(void *server_handle, >+ ovsec_kadm_policy_ent_t ent, >+ long mask); >+/* >+ * ovsec_kadm_create_policy_internal is not part of the supported, >+ * exposed API. It is available only in the server library, and you >+ * shouldn't use it unless you know why it's there and how it's >+ * different from ovsec_kadm_create_policy. >+ */ >+ovsec_kadm_ret_t ovsec_kadm_create_policy_internal(void *server_handle, >+ ovsec_kadm_policy_ent_t >+ entry, long mask); >+ovsec_kadm_ret_t ovsec_kadm_delete_policy(void *server_handle, >+ ovsec_kadm_policy_t policy); >+ovsec_kadm_ret_t ovsec_kadm_modify_policy(void *server_handle, >+ ovsec_kadm_policy_ent_t ent, >+ long mask); >+/* >+ * ovsec_kadm_modify_policy_internal is not part of the supported, >+ * exposed API. It is available only in the server library, and you >+ * shouldn't use it unless you know why it's there and how it's >+ * different from ovsec_kadm_modify_policy. 
>+ */ >+ovsec_kadm_ret_t ovsec_kadm_modify_policy_internal(void *server_handle, >+ ovsec_kadm_policy_ent_t >+ entry, long mask); >+ovsec_kadm_ret_t ovsec_kadm_get_policy(void *server_handle, >+ ovsec_kadm_policy_t policy, >+ ovsec_kadm_policy_ent_t *ent); >+ovsec_kadm_ret_t ovsec_kadm_get_privs(void *server_handle, >+ long *privs); >+ >+ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle, >+ krb5_principal princ, >+ char *new_pw, >+ char **ret_pw, >+ char *msg_ret); >+ >+ovsec_kadm_ret_t ovsec_kadm_free_principal_ent(void *server_handle, >+ ovsec_kadm_principal_ent_t >+ ent); >+ovsec_kadm_ret_t ovsec_kadm_free_policy_ent(void *server_handle, >+ ovsec_kadm_policy_ent_t ent); >+ >+ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle, >+ char **names, int count); >+ >+ovsec_kadm_ret_t ovsec_kadm_get_principals(void *server_handle, >+ char *exp, char ***princs, >+ int *count); >+ >+ovsec_kadm_ret_t ovsec_kadm_get_policies(void *server_handle, >+ char *exp, char ***pols, >+ int *count); >+ >+#define OVSEC_KADM_FAILURE KADM5_FAILURE >+#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET >+#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD >+#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY >+#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE >+#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT >+#define OVSEC_KADM_BAD_DB KADM5_BAD_DB >+#define OVSEC_KADM_DUP KADM5_DUP >+#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR >+#define OVSEC_KADM_NO_SRV KADM5_NO_SRV >+#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY >+#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT >+#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC >+#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY >+#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK >+#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS >+#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH >+#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY >+#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL >+#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR >+#define 
OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY >+#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE >+#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT >+#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS >+#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT >+#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE >+#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON >+#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF >+#define OVSEC_KADM_INIT KADM5_INIT >+#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD >+#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL >+#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE >+#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION >+#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION >+#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION >+#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION >+#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION >+#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION >+#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION >+#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION >+#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING >+#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT >+ >+#endif /* USE_KADM5_API_VERSION == 1 */ >+ >+#endif /* __KADM5_ADMIN_H__ */ >diff -durN libuser-0.54.7.ORIG/modules/kadm5/chpass_util_strings.h libuser-0.54.7/modules/kadm5/chpass_util_strings.h >--- libuser-0.54.7.ORIG/modules/kadm5/chpass_util_strings.h 1969-12-31 17:00:00.000000000 -0700 >+++ libuser-0.54.7/modules/kadm5/chpass_util_strings.h 2007-03-03 22:27:53.000000000 -0700 
>@@ -0,0 +1,34 @@ >+/* >+ * ettmp18589.h: >+ * This file is automatically generated; please do not edit it. >+ */ >+ >+#include <et/com_err.h> >+ >+#define CHPASS_UTIL_GET_POLICY_INFO (-1492553984L) >+#define CHPASS_UTIL_GET_PRINC_INFO (-1492553983L) >+#define CHPASS_UTIL_NEW_PASSWORD_MISMATCH (-1492553982L) >+#define CHPASS_UTIL_NEW_PASSWORD_PROMPT (-1492553981L) >+#define CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT (-1492553980L) >+#define CHPASS_UTIL_NO_PASSWORD_READ (-1492553979L) >+#define CHPASS_UTIL_NO_POLICY_YET_Q_ERROR (-1492553978L) >+#define CHPASS_UTIL_PASSWORD_CHANGED (-1492553977L) >+#define CHPASS_UTIL_PASSWORD_IN_DICTIONARY (-1492553976L) >+#define CHPASS_UTIL_PASSWORD_NOT_CHANGED (-1492553975L) >+#define CHPASS_UTIL_PASSWORD_TOO_SHORT (-1492553974L) >+#define CHPASS_UTIL_TOO_FEW_CLASSES (-1492553973L) >+#define CHPASS_UTIL_PASSWORD_TOO_SOON (-1492553972L) >+#define CHPASS_UTIL_PASSWORD_REUSE (-1492553971L) >+#define CHPASS_UTIL_WHILE_TRYING_TO_CHANGE (-1492553970L) >+#define CHPASS_UTIL_WHILE_READING_PASSWORD (-1492553969L) >+extern const struct error_table et_ovku_error_table; >+extern void initialize_ovku_error_table(void); >+ >+/* For compatibility with Heimdal */ >+extern void initialize_ovku_error_table_r(struct et_list **list); >+ >+#define ERROR_TABLE_BASE_ovku (-1492553984L) >+ >+/* for compatibility with older versions... */ >+#define init_ovku_err_tbl initialize_ovku_error_table >+#define ovku_err_base ERROR_TABLE_BASE_ovku >diff -durN libuser-0.54.7.ORIG/modules/kadm5/kadm_err.h libuser-0.54.7/modules/kadm5/kadm_err.h >--- libuser-0.54.7.ORIG/modules/kadm5/kadm_err.h 1969-12-31 17:00:00.000000000 -0700 >+++ libuser-0.54.7/modules/kadm5/kadm_err.h 2007-03-03 22:27:53.000000000 -0700 
>@@ -0,0 +1,74 @@ >+/* >+ * ettmp18603.h: >+ * This file is automatically generated; please do not edit it. >+ */ >+ >+#include <et/com_err.h> >+ >+#define KADM5_FAILURE (43787520L) >+#define KADM5_AUTH_GET (43787521L) >+#define KADM5_AUTH_ADD (43787522L) >+#define KADM5_AUTH_MODIFY (43787523L) >+#define KADM5_AUTH_DELETE (43787524L) >+#define KADM5_AUTH_INSUFFICIENT (43787525L) >+#define KADM5_BAD_DB (43787526L) >+#define KADM5_DUP (43787527L) >+#define KADM5_RPC_ERROR (43787528L) >+#define KADM5_NO_SRV (43787529L) >+#define KADM5_BAD_HIST_KEY (43787530L) >+#define KADM5_NOT_INIT (43787531L) >+#define KADM5_UNK_PRINC (43787532L) >+#define KADM5_UNK_POLICY (43787533L) >+#define KADM5_BAD_MASK (43787534L) >+#define KADM5_BAD_CLASS (43787535L) >+#define KADM5_BAD_LENGTH (43787536L) >+#define KADM5_BAD_POLICY (43787537L) >+#define KADM5_BAD_PRINCIPAL (43787538L) >+#define KADM5_BAD_AUX_ATTR (43787539L) >+#define KADM5_BAD_HISTORY (43787540L) >+#define KADM5_BAD_MIN_PASS_LIFE (43787541L) >+#define KADM5_PASS_Q_TOOSHORT (43787542L) >+#define KADM5_PASS_Q_CLASS (43787543L) >+#define KADM5_PASS_Q_DICT (43787544L) >+#define KADM5_PASS_REUSE (43787545L) >+#define KADM5_PASS_TOOSOON (43787546L) >+#define KADM5_POLICY_REF (43787547L) >+#define KADM5_INIT (43787548L) >+#define KADM5_BAD_PASSWORD (43787549L) >+#define KADM5_PROTECT_PRINCIPAL (43787550L) >+#define KADM5_BAD_SERVER_HANDLE (43787551L) >+#define KADM5_BAD_STRUCT_VERSION (43787552L) >+#define KADM5_OLD_STRUCT_VERSION (43787553L) >+#define KADM5_NEW_STRUCT_VERSION (43787554L) >+#define KADM5_BAD_API_VERSION (43787555L) >+#define KADM5_OLD_LIB_API_VERSION (43787556L) >+#define KADM5_OLD_SERVER_API_VERSION (43787557L) >+#define KADM5_NEW_LIB_API_VERSION (43787558L) >+#define KADM5_NEW_SERVER_API_VERSION (43787559L) >+#define KADM5_SECURE_PRINC_MISSING (43787560L) >+#define KADM5_NO_RENAME_SALT (43787561L) >+#define KADM5_BAD_CLIENT_PARAMS (43787562L) >+#define KADM5_BAD_SERVER_PARAMS (43787563L) >+#define 
KADM5_AUTH_LIST (43787564L) >+#define KADM5_AUTH_CHANGEPW (43787565L) >+#define KADM5_GSS_ERROR (43787566L) >+#define KADM5_BAD_TL_TYPE (43787567L) >+#define KADM5_MISSING_CONF_PARAMS (43787568L) >+#define KADM5_BAD_SERVER_NAME (43787569L) >+#define KADM5_AUTH_SETKEY (43787570L) >+#define KADM5_SETKEY_DUP_ENCTYPES (43787571L) >+#define KADM5_SETV4KEY_INVAL_ENCTYPE (43787572L) >+#define KADM5_SETKEY3_ETYPE_MISMATCH (43787573L) >+#define KADM5_MISSING_KRB5_CONF_PARAMS (43787574L) >+#define KADM5_XDR_FAILURE (43787575L) >+extern const struct error_table et_ovk_error_table; >+extern void initialize_ovk_error_table(void); >+ >+/* For compatibility with Heimdal */ >+extern void initialize_ovk_error_table_r(struct et_list **list); >+ >+#define ERROR_TABLE_BASE_ovk (43787520L) >+ >+/* for compatibility with older versions... */ >+#define init_ovk_err_tbl initialize_ovk_error_table >+#define ovk_err_base ERROR_TABLE_BASE_ovk >diff -durN libuser-0.54.7.ORIG/modules/kdb.h libuser-0.54.7/modules/kdb.h >--- libuser-0.54.7.ORIG/modules/kdb.h 1969-12-31 17:00:00.000000000 -0700 >+++ libuser-0.54.7/modules/kdb.h 2007-03-03 22:27:53.000000000 -0700 
>@@ -0,0 +1,503 @@ >+/* >+ * include/krb5/kdb.h >+ * >+ * Copyright 1990,1991 by the Massachusetts Institute of Technology. >+ * All Rights Reserved. >+ * >+ * Export of this software from the United States of America may >+ * require a specific license from the United States Government. >+ * It is the responsibility of any person or organization contemplating >+ * export to obtain such a license before exporting. >+ * >+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and >+ * distribute this software and its documentation for any purpose and >+ * without fee is hereby granted, provided that the above copyright >+ * notice appear in all copies and that both that copyright notice and >+ * this permission notice appear in supporting documentation, and that >+ * the name of M.I.T. not be used in advertising or publicity pertaining >+ * to distribution of the software without specific, written prior >+ * permission. Furthermore if you modify this software you must label >+ * your software as modified software and not distribute it in such a >+ * fashion that it might be confused with the original M.I.T. software. >+ * M.I.T. makes no representations about the suitability of >+ * this software for any purpose. It is provided "as is" without express >+ * or implied warranty. >+ * >+ * >+ * KDC Database interface definitions. >+ */ >+ >+/* >+ * Copyright (C) 1998 by the FundsXpress, INC. >+ * >+ * All rights reserved. >+ * >+ * Export of this software from the United States of America may require >+ * a specific license from the United States Government. It is the >+ * responsibility of any person or organization contemplating export to >+ * obtain such a license before exporting. 
>+ * >+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and >+ * distribute this software and its documentation for any purpose and >+ * without fee is hereby granted, provided that the above copyright >+ * notice appear in all copies and that both that copyright notice and >+ * this permission notice appear in supporting documentation, and that >+ * the name of FundsXpress. not be used in advertising or publicity pertaining >+ * to distribution of the software without specific, written prior >+ * permission. FundsXpress makes no representations about the suitability of >+ * this software for any purpose. It is provided "as is" without express >+ * or implied warranty. >+ * >+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR >+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED >+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. >+ */ >+ >+#ifndef KRB5_KDB5__ >+#define KRB5_KDB5__ >+ >+/* Salt types */ >+#define KRB5_KDB_SALTTYPE_NORMAL 0 >+#define KRB5_KDB_SALTTYPE_V4 1 >+#define KRB5_KDB_SALTTYPE_NOREALM 2 >+#define KRB5_KDB_SALTTYPE_ONLYREALM 3 >+#define KRB5_KDB_SALTTYPE_SPECIAL 4 >+#define KRB5_KDB_SALTTYPE_AFS3 5 >+ >+/* Attributes */ >+#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001 >+#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 >+#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 >+#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 >+#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 >+#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 >+#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 >+#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 >+#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 >+#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 >+#define KRB5_KDB_DISALLOW_SVR 0x00001000 >+#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 >+#define KRB5_KDB_SUPPORT_DESMD5 0x00004000 >+#define KRB5_KDB_NEW_PRINC 0x00008000 >+ >+/* Creation flags */ >+#define KRB5_KDB_CREATE_BTREE 0x00000001 >+#define KRB5_KDB_CREATE_HASH 0x00000002 >+ 
>+#if !defined(_WIN32) >+ >+/* >+ * Note --- these structures cannot be modified without changing the >+ * database version number in libkdb.a, but should be expandable by >+ * adding new tl_data types. >+ */ >+typedef struct _krb5_tl_data { >+ struct _krb5_tl_data* tl_data_next; /* NOT saved */ >+ krb5_int16 tl_data_type; >+ krb5_ui_2 tl_data_length; >+ krb5_octet * tl_data_contents; >+} krb5_tl_data; >+ >+/* >+ * If this ever changes up the version number and make the arrays be as >+ * big as necessary. >+ * >+ * Currently the first type is the enctype and the second is the salt type. >+ */ >+typedef struct _krb5_key_data { >+ krb5_int16 key_data_ver; /* Version */ >+ krb5_int16 key_data_kvno; /* Key Version */ >+ krb5_int16 key_data_type[2]; /* Array of types */ >+ krb5_ui_2 key_data_length[2]; /* Array of lengths */ >+ krb5_octet * key_data_contents[2]; /* Array of pointers */ >+} krb5_key_data; >+ >+#define KRB5_KDB_V1_KEY_DATA_ARRAY 2 /* # of array elements */ >+ >+typedef struct _krb5_keysalt { >+ krb5_int16 type; >+ krb5_data data; /* Length, data */ >+} krb5_keysalt; >+ >+typedef struct _krb5_db_entry_new { >+ krb5_magic magic; /* NOT saved */ >+ krb5_ui_2 len; >+ krb5_ui_4 mask; /* members currently changed/set */ >+ krb5_flags attributes; >+ krb5_deltat max_life; >+ krb5_deltat max_renewable_life; >+ krb5_timestamp expiration; /* When the client expires */ >+ krb5_timestamp pw_expiration; /* When its passwd expires */ >+ krb5_timestamp last_success; /* Last successful passwd */ >+ krb5_timestamp last_failed; /* Last failed passwd attempt */ >+ krb5_kvno fail_auth_count; /* # of failed passwd attempt */ >+ krb5_int16 n_tl_data; >+ krb5_int16 n_key_data; >+ krb5_ui_2 e_length; /* Length of extra data */ >+ krb5_octet * e_data; /* Extra data to be saved */ >+ >+ krb5_principal princ; /* Length, data */ >+ krb5_tl_data * tl_data; /* Linked list */ >+ krb5_key_data * key_data; /* Array */ >+} krb5_db_entry; >+ >+typedef struct _osa_policy_ent_t { >+ int 
version; >+ char *name; >+ krb5_ui_4 pw_min_life; >+ krb5_ui_4 pw_max_life; >+ krb5_ui_4 pw_min_length; >+ krb5_ui_4 pw_min_classes; >+ krb5_ui_4 pw_history_num; >+ krb5_ui_4 policy_refcnt; >+} osa_policy_ent_rec, *osa_policy_ent_t; >+ >+typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t); >+ >+typedef struct __krb5_key_salt_tuple { >+ krb5_enctype ks_enctype; >+ krb5_int32 ks_salttype; >+} krb5_key_salt_tuple; >+ >+#define KRB5_KDB_MAGIC_NUMBER 0xdbdbdbdb >+#define KRB5_KDB_V1_BASE_LENGTH 38 >+ >+#define KRB5_TL_LAST_PWD_CHANGE 0x0001 >+#define KRB5_TL_MOD_PRINC 0x0002 >+#define KRB5_TL_KADM_DATA 0x0003 >+#define KRB5_TL_KADM5_E_DATA 0x0004 >+#define KRB5_TL_RB1_CHALLENGE 0x0005 >+#ifdef SECURID >+#define KRB5_TL_SECURID_STATE 0x0006 >+#define KRB5_TL_DB_ARGS 0x7fff >+#endif /* SECURID */ >+ >+/* >+ * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set >+ * on the principal. >+ */ >+#define KRB5_MAX_FAIL_COUNT 5 >+ >+/* XXX depends on knowledge of krb5_parse_name() formats */ >+#define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */ >+ >+/* prompts used by default when reading the KDC password from the keyboard. */ >+#define KRB5_KDC_MKEY_1 "Enter KDC database master key" >+#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify" >+ >+ >+extern char *krb5_mkey_pwd_prompt1; >+extern char *krb5_mkey_pwd_prompt2; >+ >+/* >+ * These macros specify the encoding of data within the database. >+ * >+ * Data encoding is little-endian. 
>+ */ >+#include "./k5-platform.h" >+#define krb5_kdb_decode_int16(cp, i16) \ >+ *((krb5_int16 *) &(i16)) = load_16_le(cp) >+#define krb5_kdb_decode_int32(cp, i32) \ >+ *((krb5_int32 *) &(i32)) = load_32_le(cp) >+#define krb5_kdb_encode_int16(i16, cp) store_16_le(i16, cp) >+#define krb5_kdb_encode_int32(i32, cp) store_32_le(i32, cp) >+ >+#define KRB5_KDB_OPEN_RW 0 >+#define KRB5_KDB_OPEN_RO 1 >+ >+#ifndef KRB5_KDB_SRV_TYPE_KDC >+#define KRB5_KDB_SRV_TYPE_KDC 0x0100 >+#endif >+ >+#ifndef KRB5_KDB_SRV_TYPE_ADMIN >+#define KRB5_KDB_SRV_TYPE_ADMIN 0x0200 >+#endif >+ >+#ifndef KRB5_KDB_SRV_TYPE_PASSWD >+#define KRB5_KDB_SRV_TYPE_PASSWD 0x0300 >+#endif >+ >+#ifndef KRB5_KDB_SRV_TYPE_OTHER >+#define KRB5_KDB_SRV_TYPE_OTHER 0x0400 >+#endif >+ >+#define KRB5_KDB_OPT_SET_DB_NAME 0 >+#define KRB5_KDB_OPT_SET_LOCK_MODE 1 >+ >+#define KRB5_DB_LOCKMODE_SHARED 0x0001 >+#define KRB5_DB_LOCKMODE_EXCLUSIVE 0x0002 >+#define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004 >+#define KRB5_DB_LOCKMODE_PERMANENT 0x0008 >+ >+/* libkdb.spec */ >+krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); >+krb5_error_code krb5_db_init ( krb5_context kcontext ); >+krb5_error_code krb5_db_create ( krb5_context kcontext, char **db_args ); >+krb5_error_code krb5_db_inited ( krb5_context kcontext ); >+krb5_error_code kdb5_db_create ( krb5_context kcontext, char **db_args ); >+krb5_error_code krb5_db_fini ( krb5_context kcontext ); >+const char * krb5_db_errcode2string ( krb5_context kcontext, long err_code ); >+krb5_error_code krb5_db_destroy ( krb5_context kcontext, char **db_args ); >+krb5_error_code krb5_db_promote ( krb5_context kcontext, char **db_args ); >+krb5_error_code krb5_db_get_age ( krb5_context kcontext, char *db_name, time_t *t ); >+krb5_error_code krb5_db_set_option ( krb5_context kcontext, int option, void *value ); >+krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode ); >+krb5_error_code krb5_db_unlock ( krb5_context kcontext ); >+krb5_error_code 
krb5_db_get_principal ( krb5_context kcontext, >+ krb5_const_principal search_for, >+ krb5_db_entry *entries, >+ int *nentries, >+ krb5_boolean *more ); >+krb5_error_code krb5_db_free_principal ( krb5_context kcontext, >+ krb5_db_entry *entry, >+ int count ); >+krb5_error_code krb5_db_put_principal ( krb5_context kcontext, >+ krb5_db_entry *entries, >+ int *nentries); >+krb5_error_code krb5_db_delete_principal ( krb5_context kcontext, >+ krb5_principal search_for, >+ int *nentries ); >+krb5_error_code krb5_db_iterate ( krb5_context kcontext, >+ char *match_entry, >+ int (*func) (krb5_pointer, krb5_db_entry *), >+ krb5_pointer func_arg ); >+krb5_error_code krb5_supported_realms ( krb5_context kcontext, >+ char **realms ); >+krb5_error_code krb5_free_supported_realms ( krb5_context kcontext, >+ char **realms ); >+krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext, >+ char *pwd, >+ krb5_keyblock *key ); >+krb5_error_code krb5_db_set_mkey ( krb5_context context, >+ krb5_keyblock *key); >+krb5_error_code krb5_db_get_mkey ( krb5_context kcontext, >+ krb5_keyblock **key ); >+krb5_error_code krb5_db_free_master_key ( krb5_context kcontext, >+ krb5_keyblock *key ); >+krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, >+ char *db_arg, >+ krb5_principal mname, >+ krb5_keyblock *key, >+ char *master_pwd); >+krb5_error_code krb5_db_fetch_mkey ( krb5_context context, >+ krb5_principal mname, >+ krb5_enctype etype, >+ krb5_boolean fromkeyboard, >+ krb5_boolean twice, >+ char *db_args, >+ krb5_data *salt, >+ krb5_keyblock *key); >+krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext, >+ krb5_principal mprinc, >+ krb5_keyblock *mkey ); >+krb5_error_code >+krb5_dbe_find_enctype( krb5_context kcontext, >+ krb5_db_entry *dbentp, >+ krb5_int32 ktype, >+ krb5_int32 stype, >+ krb5_int32 kvno, >+ krb5_key_data **kdatap); >+ >+ >+krb5_error_code krb5_dbe_search_enctype ( krb5_context kcontext, >+ krb5_db_entry *dbentp, >+ krb5_int32 *start, >+ 
krb5_int32 ktype, >+ krb5_int32 stype, >+ krb5_int32 kvno, >+ krb5_key_data **kdatap); >+ >+krb5_error_code >+krb5_db_setup_mkey_name ( krb5_context context, >+ const char *keyname, >+ const char *realm, >+ char **fullname, >+ krb5_principal *principal); >+ >+krb5_error_code >+krb5_dbekd_decrypt_key_data( krb5_context context, >+ const krb5_keyblock * mkey, >+ const krb5_key_data * key_data, >+ krb5_keyblock * dbkey, >+ krb5_keysalt * keysalt); >+ >+krb5_error_code >+krb5_dbekd_encrypt_key_data( krb5_context context, >+ const krb5_keyblock * mkey, >+ const krb5_keyblock * dbkey, >+ const krb5_keysalt * keysalt, >+ int keyver, >+ krb5_key_data * key_data); >+ >+krb5_error_code >+krb5_dbe_lookup_mod_princ_data( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_timestamp * mod_time, >+ krb5_principal * mod_princ); >+ >+ >+krb5_error_code >+krb5_dbe_update_last_pwd_change( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_timestamp stamp); >+ >+krb5_error_code >+krb5_dbe_lookup_tl_data( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_tl_data * ret_tl_data); >+ >+krb5_error_code >+krb5_dbe_create_key_data( krb5_context context, >+ krb5_db_entry * entry); >+ >+ >+krb5_error_code >+krb5_dbe_update_mod_princ_data( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_timestamp mod_date, >+ krb5_const_principal mod_princ); >+ >+krb5_error_code >+krb5_dbe_update_last_pwd_change( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_timestamp stamp); >+ >+void *krb5_db_alloc( krb5_context kcontext, >+ void *ptr, >+ size_t size ); >+ >+void krb5_db_free( krb5_context kcontext, >+ void *ptr); >+ >+ >+krb5_error_code >+krb5_dbe_lookup_last_pwd_change( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_timestamp * stamp); >+ >+krb5_error_code >+krb5_dbe_update_tl_data( krb5_context context, >+ krb5_db_entry * entry, >+ krb5_tl_data * new_tl_data); >+ >+krb5_error_code >+krb5_dbe_cpw( krb5_context kcontext, >+ krb5_keyblock * master_key, >+ 
krb5_key_salt_tuple * ks_tuple, >+ int ks_tuple_count, >+ char * passwd, >+ int new_kvno, >+ krb5_boolean keepold, >+ krb5_db_entry * db_entry); >+ >+ >+krb5_error_code >+krb5_dbe_ark( krb5_context context, >+ krb5_keyblock * master_key, >+ krb5_key_salt_tuple * ks_tuple, >+ int ks_tuple_count, >+ krb5_db_entry * db_entry); >+ >+krb5_error_code >+krb5_dbe_crk( krb5_context context, >+ krb5_keyblock * master_key, >+ krb5_key_salt_tuple * ks_tuple, >+ int ks_tuple_count, >+ krb5_boolean keepold, >+ krb5_db_entry * db_entry); >+ >+krb5_error_code >+krb5_dbe_apw( krb5_context context, >+ krb5_keyblock * master_key, >+ krb5_key_salt_tuple * ks_tuple, >+ int ks_tuple_count, >+ char * passwd, >+ krb5_db_entry * db_entry); >+ >+/* default functions. Should not be directly called */ >+/* >+ * Default functions prototype >+ */ >+ >+krb5_error_code >+krb5_dbe_def_search_enctype( krb5_context kcontext, >+ krb5_db_entry *dbentp, >+ krb5_int32 *start, >+ krb5_int32 ktype, >+ krb5_int32 stype, >+ krb5_int32 kvno, >+ krb5_key_data **kdatap); >+ >+krb5_error_code >+krb5_def_store_mkey( krb5_context context, >+ char *keyfile, >+ krb5_principal mname, >+ krb5_keyblock *key, >+ char *master_pwd); >+ >+ >+krb5_error_code >+krb5_db_def_fetch_mkey( krb5_context context, >+ krb5_principal mname, >+ krb5_keyblock *key, >+ int *kvno, >+ char *db_args); >+ >+krb5_error_code >+krb5_def_verify_master_key( krb5_context context, >+ krb5_principal mprinc, >+ krb5_keyblock *mkey); >+ >+krb5_error_code kdb_def_set_mkey ( krb5_context kcontext, >+ char *pwd, >+ krb5_keyblock *key ); >+ >+krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, >+ krb5_keyblock **key ); >+ >+krb5_error_code >+krb5_dbe_def_cpw( krb5_context context, >+ krb5_keyblock * master_key, >+ krb5_key_salt_tuple * ks_tuple, >+ int ks_tuple_count, >+ char * passwd, >+ int new_kvno, >+ krb5_boolean keepold, >+ krb5_db_entry * db_entry); >+ >+krb5_error_code >+krb5_def_promote_db(krb5_context, char *, char **); >+ 
>+krb5_error_code >+krb5_db_create_policy( krb5_context kcontext, >+ osa_policy_ent_t policy); >+ >+krb5_error_code >+krb5_db_get_policy ( krb5_context kcontext, >+ char *name, >+ osa_policy_ent_t *policy, >+ int *nentries); >+ >+krb5_error_code >+krb5_db_put_policy( krb5_context kcontext, >+ osa_policy_ent_t policy); >+ >+krb5_error_code >+krb5_db_iter_policy( krb5_context kcontext, >+ char *match_entry, >+ osa_adb_iter_policy_func func, >+ void *data); >+ >+krb5_error_code >+krb5_db_delete_policy( krb5_context kcontext, >+ char *policy); >+ >+void >+krb5_db_free_policy( krb5_context kcontext, >+ osa_policy_ent_t policy); >+ >+#define KRB5_KDB_DEF_FLAGS 0 >+ >+#endif /* !defined(_WIN32) */ >+ >+#endif /* KRB5_KDB5__ */ >diff -durN libuser-0.54.7.ORIG/modules/krb5.c libuser-0.54.7/modules/krb5.c >--- libuser-0.54.7.ORIG/modules/krb5.c 2005-11-11 16:29:40.000000000 -0700 >+++ libuser-0.54.7/modules/krb5.c 2007-03-03 22:29:42.000000000 -0700 
>@@ -30,24 +30,41 @@
> #include <string.h>
> #include <unistd.h>
> #include <krb5.h>
>-#include <krb5/kdb.h>
>-#include <kadm5/admin.h>
>+#include "./kdb.h"
>+#include "./kadm5/admin.h"
> #include "../lib/user_private.h"
>
> #define LU_KRB5_REALM 0
> #define LU_KRB5_PRINC 1
> #define LU_KRB5_PASSWORD 2
>-#define LU_KRBPASSWORD "*K*"
>+#define LU_KRBPASSWORD "*Kerberos5*"
>+#define DEFAULT_SHELL "/bin/bash"
>
> #ifndef KRB5_SUCCESS
> #define KRB5_SUCCESS 0
> #endif
>
>+LU_MODULE_INIT(libuser_krb5_init)
>+
>+enum lock_op { LO_LOCK, LO_UNLOCK, LO_UNLOCK_NONEMPTY };
>+
>+static GValue lu_krbpassword_val;
>+static GValueArray *lu_krbpassword;
>+
> struct lu_krb5_context {
> struct lu_prompt prompts[3];
> void *handle;
> };
>
>+static void
>+lu_krb5_error_message(krb5_context context, krb5_error_code err,
>+ lu_status_t code, struct lu_error **error)
>+{
>+ char *msg = krb5_get_error_message (context, err);
>+ lu_error_new(error, code, _(msg));
>+ krb5_free_error_message (context, msg);
>+}
>+
> static const char *
> get_default_realm(struct lu_context *context)
> {
>@@ -57,8 +74,8 @@
>
> g_assert(context != NULL);
>
>- if (krb5_init_secure_context(&kcontext) == 0) {
>- if (krb5_get_default_realm(kcontext, &realm) == 0) {
>+ if (krb5_init_secure_context(&kcontext) == KRB5_SUCCESS) {
>+ if (krb5_get_default_realm(kcontext, &realm) == KRB5_SUCCESS) {
> ret =
> context->scache->cache(context->scache, realm);
> krb5_free_default_realm(kcontext, realm);
>@@ -77,10 +94,11 @@
> {
> kadm5_config_params params;
> void *handle = NULL;
>- int ret;
>+ kadm5_ret_t ret;
> char *service = NULL;
>
> g_assert(context != NULL);
>+ LU_ERROR_CHECK(error);
>
> memset(¶ms, 0, sizeof(params));
> params.mask = KADM5_CONFIG_REALM;
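Review bot: `lu_krb5_error_message` hands the library's message to `lu_error_new` as the format argument (`lu_error_new(error, code, _(msg));`), while the other calls in this file give `lu_error_new` a printf-style format followed by arguments, so any `%` in the message text would be read as a conversion. Pass the text as data instead, `lu_error_new(error, code, "%s", msg);`; the `_()` lookup on a runtime string can be dropped, and `msg` should be declared `const char *` to match what `krb5_get_error_message` returns. The same pattern, `_(error_message(kret))` used as the format, is added in the @@ -90,65 and @@ -253,30 hunks.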
>@@ -90,65 +108,78 @@ > } else { > service = KADM5_CHANGEPW_SERVICE; > } >- ret = kadm5_init(context->prompts[LU_KRB5_PRINC].value, >- context->prompts[LU_KRB5_PASSWORD].value, >- service, >- ¶ms, >- KADM5_STRUCT_VERSION, >- KADM5_API_VERSION_2, &handle); >- if (ret == KADM5_OK) { >- return handle; >- } else { >+ ret = kadm5_init_with_password(context->prompts[LU_KRB5_PRINC].value, >+ context->prompts[LU_KRB5_PASSWORD].value, >+ service, >+ ¶ms, >+ KADM5_STRUCT_VERSION, >+ KADM5_API_VERSION_2, >+ NULL, >+ &handle); >+ if (ret != KADM5_OK) { > lu_error_new(error, lu_error_generic, > _ > ("error connecting to the kadm5 server for service `%s' in realm `%s': %s"), > service, params.realm, error_message(ret)); > return NULL; > } >+ return handle; > } > > static void > free_server_handle(void *handle) > { > if (handle != NULL) { >- kadm5_destroy(handle); >+ (void) kadm5_destroy(handle); > } > } > > static gboolean >-lu_krb5_user_lookup_name(struct lu_module *module, gconstpointer name, >+lu_krb5_uses_elevated_privileges(struct lu_module *module) >+{ >+ /* FIXME: it is false, isn't it? 
*/ >+ return FALSE; >+} >+ >+static gboolean >+lu_krb5_user_lookup_name(struct lu_module *module, const char *name, > struct lu_ent *ent, struct lu_error **error) > { > krb5_context context = NULL; > krb5_principal principal = NULL; >+ krb5_error_code err; > kadm5_principal_ent_rec principal_rec; >+ kadm5_ret_t kret; > struct lu_krb5_context *ctx = NULL; >- gboolean ret = FALSE; >+ gboolean ret; > > g_assert(module != NULL); > g_assert(name != NULL); > g_assert(strlen((char *) name) > 0); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- if (krb5_parse_name(context, (const char *) name, &principal) != 0) { >- lu_error_new(error, lu_error_init, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name); >+ err = krb5_parse_name(context, (const char *) name, &principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > krb5_free_context(context); > return FALSE; > } > >- if (kadm5_get_principal(ctx->handle, principal, &principal_rec, 0) >- == KADM5_OK) { >+ memset(&principal_rec, 0, sizeof(principal_rec)); >+ kret = kadm5_get_principal(ctx->handle, principal, &principal_rec, 0); >+ if (kret == KADM5_OK) { > ret = TRUE; >+ } else { >+ lu_error_new(error, lu_error_generic, _(error_message(kret))); >+ ret = FALSE; > } > > krb5_free_principal(context, principal); 
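Review bot: In `lu_krb5_user_lookup_name`, the failure branch of `krb5_init_secure_context(&context)` passes `context` to `lu_krb5_error_message`, but no context was created at that point and the variable still holds its `NULL` initialiser, so `krb5_get_error_message` and `krb5_free_error_message` are called without a context. Whether the linked libkrb5 tolerates that is not visible here; the branch can avoid the question with `lu_error_new(error, lu_error_init, "%s", error_message(err));`, using the `error_message()` call this file already relies on. The same branch is added in `lu_krb5_user_add` and in the @@ -286,60 hunk. The function's tail lies outside this hunk, so whether `principal_rec` is released after a successful `kadm5_get_principal` cannot be checked from here.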
>@@ -158,78 +189,182 @@ > } > > static gboolean >-lu_krb5_user_lookup_id(struct lu_module *module, gconstpointer uid, >+lu_krb5_user_lookup_id(struct lu_module *module, uid_t uid, > struct lu_ent *ent, struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return FALSE; > } > > static gboolean >-lu_krb5_group_lookup_name(struct lu_module *module, gconstpointer name, >+lu_krb5_group_lookup_name(struct lu_module *module, const char *name, > struct lu_ent *ent, struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return FALSE; > } > > static gboolean >-lu_krb5_group_lookup_id(struct lu_module *module, gconstpointer gid, >+lu_krb5_group_lookup_id(struct lu_module *module, gid_t gid, > struct lu_ent *ent, struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return FALSE; > } > > static gboolean >+lu_krb5_user_default(struct lu_module *module, const char *name, >+ gboolean is_system, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ GValue value; >+ const char *today; >+ >+ g_return_val_if_fail(name != NULL, FALSE); >+ today = lu_util_shadow_current_date(ent->cache); >+ memset(&value, 0, sizeof(value)); >+ if (lu_ent_get(ent, LU_USERPASSWORD) == NULL) { >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, LU_KRBPASSWORD); >+ lu_ent_add(ent, LU_USERPASSWORD, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWPASSWORD) == NULL) { >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, LU_KRBPASSWORD); >+ lu_ent_add(ent, LU_SHADOWPASSWORD, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_GECOS) == NULL) { >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, name); >+ lu_ent_add(ent, LU_GECOS, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_HOMEDIRECTORY) == NULL) { >+ char *tmp; >+ >+ g_value_init(&value, G_TYPE_STRING); >+ tmp = g_strdup_printf("/home/%s", name); >+ g_value_set_string(&value, tmp); >+ g_free(tmp); >+ lu_ent_add(ent, LU_HOMEDIRECTORY, 
&value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_LOGINSHELL) == NULL) { >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, DEFAULT_SHELL); >+ lu_ent_add(ent, LU_LOGINSHELL, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWLASTCHANGE) == NULL) { >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, today); >+ lu_ent_add(ent, LU_SHADOWLASTCHANGE, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWMIN) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, 0); >+ lu_ent_add(ent, LU_SHADOWMIN, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWMAX) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, 99999); >+ lu_ent_add(ent, LU_SHADOWMAX, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWWARNING) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, 7); >+ lu_ent_add(ent, LU_SHADOWWARNING, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWINACTIVE) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, -1); >+ lu_ent_add(ent, LU_SHADOWINACTIVE, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWEXPIRE) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, -1); >+ lu_ent_add(ent, LU_SHADOWEXPIRE, &value); >+ g_value_unset(&value); >+ } >+ if (lu_ent_get(ent, LU_SHADOWFLAG) == NULL) { >+ g_value_init(&value, G_TYPE_LONG); >+ g_value_set_long(&value, -1); >+ lu_ent_add(ent, LU_SHADOWFLAG, &value); >+ g_value_unset(&value); >+ } >+ return TRUE; >+} >+ >+static gboolean >+lu_krb5_user_add_prep(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return TRUE; >+} >+ >+static gboolean > lu_krb5_user_add(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { > krb5_context context = NULL; >+ krb5_error_code 
err; > kadm5_principal_ent_rec principal; >- GList *name, *pass, *i; >- char *password; >- int err; >+ GValueArray *name, *pass; >+ GValue *val; >+ const char *password; >+ guint i; > gboolean ret = FALSE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); >- g_assert(name != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- name = lu_ent_get(ent, LU_KRBNAME); >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ memset(&principal, 0, sizeof(principal)); >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > lu_error_new(error, lu_error_generic, > _ >- ("entity structure has no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ ("entity structure has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal.principal) != >- 0) { >- lu_error_new(error, lu_error_init, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal.principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > krb5_free_context(context); > return FALSE; > } > > /* screen out pre-hashed passwords */ > pass = lu_ent_get(ent, LU_USERPASSWORD); >- for (i = pass; i; i = g_list_next(i)) { >- password = i->data; >+ for (i = 0; i < pass->n_values; i++) { >+ val = g_value_array_get_nth(pass, i); >+ if 
(!G_VALUE_HOLDS_STRING(val)) >+ continue; >+ password = g_value_get_string(val); > if (password && !g_str_has_prefix(password, "{crypt}")) { > /* we can use this one */ > break; >@@ -239,8 +374,11 @@ > /* screen out non-plain passwords (this catches all sorts of stuff, including {md5} and {sha1} */ > if (password == NULL) { > pass = lu_ent_get(ent, LU_USERPASSWORD); >- for (i = pass; i; i = g_list_next(i)) { >- password = i->data; >+ for (i = 0; i < pass->n_values; i++) { >+ val = g_value_array_get_nth(pass, i); >+ if (!G_VALUE_HOLDS_STRING(val)) >+ continue; >+ password = g_value_get_string(val); > if (password > && !g_str_has_prefix(password, "{") != 0) { > /* we can use this one */ >@@ -253,30 +391,36 @@ > /* Note that we tried to create the account. */ > ret = FALSE; > if (password != NULL) { >- err = >- kadm5_create_principal(ctx->handle, &principal, >- KADM5_PRINCIPAL, password); >- if (err == KADM5_OK) { >+ kadm5_ret_t kret; >+ >+ kret = kadm5_create_principal(ctx->handle, &principal, >+ KADM5_PRINCIPAL, >+ (char *) password); >+ if (kret == KADM5_OK) { > char *unparsed = NULL; > /* Change the password field so that a subsequent information add will note that > * the user is Kerberized. */ >- lu_ent_set(ent, LU_USERPASSWORD, LU_KRBPASSWORD); >+ lu_ent_set(ent, LU_USERPASSWORD, lu_krbpassword); > if (krb5_unparse_name > (context, principal.principal, > &unparsed) == KRB5_SUCCESS) { >- char *tmp; >- tmp = >- g_strconcat("{KERBEROS}", unparsed, >- NULL); >- lu_ent_add(ent, LU_USERPASSWORD, tmp); >- g_free(tmp); >+ GValue tmp = {G_TYPE_STRING, { {0}, {0} }}; >+ g_value_set_string(&tmp, >+ g_strconcat("{KERBEROS}", >+ unparsed, >+ NULL)); >+ lu_ent_add(ent, LU_USERPASSWORD, &tmp); > krb5_free_unparsed_name(context, unparsed); > } > /* Hey, it worked! */ > ret = TRUE; >+ } else { >+ lu_error_new(error, lu_error_generic, >+ _(error_message(kret))); > } > } > >+ krb5_free_context(context); > return ret; > } 
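Review bot: In the `@@ -239,8 +374,11 @@` hunk of lu_krb5_user_add, `pass->n_values` is read without checking that `lu_ent_get(ent, LU_USERPASSWORD)` returned an array, although the same function treats a NULL return for LU_USERNAME as an ordinary case; an entity with no password attribute would dereference NULL here. The loop should read `for (i = 0; pass != NULL && i < pass->n_values; i++)`, and the first screening loop in the preceding hunk needs the same guard. The `continue` on a non-string value also leaves `password` holding whatever the previous iteration assigned, and `const char *password;` is declared without an initialiser in the preceding hunk, so the later `password == NULL` test can read an indeterminate or stale pointer; initialise it to NULL and reset it with `password = NULL;` at the top of each iteration.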
> >@@ -286,60 +430,59 @@ > { > krb5_context context = NULL; > krb5_principal principal = NULL, old_principal = NULL; >- GList *name, *old_name; >+ krb5_error_code err; >+ GValueArray *name, *old_name; >+ GValue *val; > gboolean ret = TRUE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- name = lu_ent_get(ent, LU_KRBNAME); >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > lu_error_new(error, lu_error_generic, >- _("entity has no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ _("entity has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- old_name = lu_ent_get_original(ent, LU_KRBNAME); >- if (old_name == NULL) { >- old_name = lu_ent_get_original(ent, LU_USERNAME); >- } >- if (old_name == NULL) { >+ old_name = lu_ent_get_current(ent, LU_USERNAME); >+ if (old_name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(old_name, 0))) { > lu_error_new(error, lu_error_generic, > _ >- ("entity was created with no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ ("entity was created with no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal) != 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 
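Review bot: The new error branch in lu_krb5_user_add (hunk `@@ -253,30 +391,36 @@`) passes `_(error_message(kret))` as the format argument of lu_error_new, which the rest of this file calls with printf-style formats; a message containing `%` would be parsed as conversions, and a gettext lookup on a runtime string cannot match a catalogue entry. Use `lu_error_new(error, lu_error_generic, "%s", error_message(kret));` here and in the same construct added to lu_krb5_user_mod, lu_krb5_user_del, lu_krb5_user_do_lock, lu_krb5_user_is_locked and lu_krb5_user_setpass. Separately, `g_value_set_string` copies its argument, so the `g_strconcat` result is leaked and `tmp` is never unset; `g_value_take_string(&tmp, g_strconcat("{KERBEROS}", unparsed, NULL));` followed by `g_value_unset(&tmp);` after lu_ent_add would match how the other GValues in this patch are handled. The function begins in the previous hunk.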
0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_context(context); > return FALSE; > } >- if (krb5_parse_name(context, old_name->data, &old_principal) != 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) old_name->data); >+ val = g_value_array_get_nth(old_name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &old_principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_principal(context, principal); > krb5_free_context(context); > return FALSE; >@@ -348,14 +491,19 @@ > /* If we need to rename the principal, do it. */ > if (krb5_principal_compare(context, principal, old_principal) == > FALSE) { >- ret = FALSE; >- if (kadm5_rename_principal >- (ctx->handle, old_principal, principal) == KADM5_OK) { >+ kadm5_ret_t kret; >+ kret = kadm5_rename_principal(ctx->handle, old_principal, >+ principal); >+ if (kret == KADM5_OK) { > ret = TRUE; >+ } else { >+ ret = FALSE; >+ lu_error_new(error, lu_error_generic, >+ _(error_message(kret))); > } > } else { > /* Note that the user uses Kerberos. */ >- lu_ent_set(ent, LU_USERPASSWORD, LU_KRBPASSWORD); >+ lu_ent_set(ent, LU_USERPASSWORD, lu_krbpassword); > /* We don't know how to do anything else, so just nod our > * heads and smile. */ > ret = TRUE; 
>@@ -374,45 +522,53 @@ > { > krb5_context context = NULL; > krb5_principal principal; >- GList *name; >+ krb5_error_code err; >+ kadm5_ret_t kret; >+ GValueArray *name; >+ GValue *val; > gboolean ret = FALSE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- name = lu_ent_get(ent, LU_KRBNAME); >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > lu_error_new(error, lu_error_generic, > _ >- ("entity structure has no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ ("entity structure has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal) != 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_context(context); > return FALSE; > } > >- ret = (kadm5_delete_principal(ctx->handle, principal) == KADM5_OK); >+ kret = kadm5_delete_principal(ctx->handle, principal); >+ if (kret == KADM5_OK) { >+ ret = TRUE; >+ } else { >+ ret = FALSE; >+ lu_error_new(error, lu_error_generic, _(error_message(kret))); >+ } > > krb5_free_principal(context, principal); > 
krb5_free_context(context); 
>@@ -422,74 +578,90 @@ > > static gboolean > lu_krb5_user_do_lock(struct lu_module *module, struct lu_ent *ent, >- gboolean lck, struct lu_error **error) >+ enum lock_op lck, struct lu_error **error) > { > krb5_context context = NULL; >+ krb5_error_code err; > kadm5_principal_ent_rec principal; >- GList *name; >+ kadm5_ret_t kret; >+ GValueArray *name; >+ GValue *val; > gboolean ret = FALSE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- name = lu_ent_get(ent, LU_KRBNAME); >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ memset(&principal, 0, sizeof(principal)); >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > lu_error_new(error, lu_error_generic, >- _ >- ("entity structure has no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ _("entity structure has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal.principal) != >- 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal.principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_context(context); > return FALSE; > } > >- ret = >- (kadm5_get_principal >- (ctx->handle, principal.principal, 
&principal, >- KADM5_PRINCIPAL | KADM5_ATTRIBUTES) == KADM5_OK); >- if (ret == FALSE) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error reading information for `%s' from kerberos"), >- (const char *) name->data); >+ kret = kadm5_get_principal(ctx->handle, principal.principal, >+ &principal, >+ KADM5_PRINCIPAL | KADM5_ATTRIBUTES); >+ if (kret != KADM5_OK) { >+ lu_error_new(error, lu_error_generic, _(error_message(kret))); > krb5_free_principal(context, principal.principal); > krb5_free_context(context); > return FALSE; > } else { >- if (lck) { >+ switch (lck) { >+ case LO_LOCK: > principal.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; >- } else { >+ break; >+ case LO_UNLOCK: > principal.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; >+ break; >+ case LO_UNLOCK_NONEMPTY: >+ if ((principal.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0) { >+ lu_error_new(error, lu_error_unlock_empty, >+ NULL); >+ krb5_free_principal(context, principal.principal); >+ krb5_free_context(context); >+ return FALSE; >+ } >+ principal.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; >+ break; >+ } >+ kret = kadm5_modify_principal(ctx->handle, &principal, >+ KADM5_PRINCIPAL | KADM5_ATTRIBUTES); >+ if (kret == KADM5_OK) { >+ ret = TRUE; >+ } else { >+ ret = FALSE; >+ lu_error_new(error, lu_error_generic, >+ _(error_message(kret))); > } >- ret = >- (kadm5_modify_principal >- (ctx->handle, &principal, >- KADM5_PRINCIPAL | KADM5_ATTRIBUTES) == KADM5_OK); > } > > krb5_free_principal(context, principal.principal); >+ krb5_free_context(context); > > return ret; > } 
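Review bot: The rewritten `kadm5_modify_principal` call in lu_krb5_user_do_lock still sends `KADM5_PRINCIPAL | KADM5_ATTRIBUTES` as the mask. As far as I know, MIT kadmind rejects a modify request whose mask includes KADM5_PRINCIPAL with KADM5_BAD_MASK, so a lock request would always report failure and the principal would keep getting tickets. Only the attribute word changes, so `kadm5_modify_principal(ctx->handle, &principal, KADM5_ATTRIBUTES);` should be enough; confirm this against the kadm5 version being targeted. The new `switch (lck)` also has no `default:`, so an unexpected value reaches the modify call with the attributes untouched; `default: g_assert_not_reached();` would make that case explicit.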
>@@ -498,79 +670,85 @@ > lu_krb5_user_lock(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return lu_krb5_user_do_lock(module, ent, TRUE, error); >+ LU_ERROR_CHECK(error); >+ return lu_krb5_user_do_lock(module, ent, LO_LOCK, error); > } > > static gboolean > lu_krb5_user_unlock(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return lu_krb5_user_do_lock(module, ent, FALSE, error); >+ LU_ERROR_CHECK(error); >+ return lu_krb5_user_do_lock(module, ent, LO_UNLOCK, error); > } > > static gboolean >-lu_krb5_user_islocked(struct lu_module *module, struct lu_ent *ent, >- struct lu_error **error) >+lu_krb5_user_unlock_nonempty(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return lu_krb5_user_do_lock(module, ent, LO_UNLOCK_NONEMPTY, error); >+} >+ >+static gboolean >+lu_krb5_user_is_locked(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) > { > krb5_context context = NULL; >+ krb5_error_code err; > kadm5_principal_ent_rec principal; >- GList *name; >+ kadm5_ret_t kret; >+ GValueArray *name; >+ GValue *val; > gboolean ret = FALSE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- name = lu_ent_get(ent, LU_KRBNAME); >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ memset (&principal, 0, sizeof(principal)); >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > 
lu_error_new(error, lu_error_generic, >- _ >- ("entity structure has no %s or %s attributes"), >- LU_KRBNAME, LU_USERNAME); >+ _("entity structure has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal.principal) != >- 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal.principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_context(context); > return FALSE; > } > >- ret = >- (kadm5_get_principal >- (ctx->handle, principal.principal, &principal, >- KADM5_PRINCIPAL | KADM5_ATTRIBUTES) == KADM5_OK); >- if (ret == FALSE) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error reading information for `%s' from kerberos"), >- (const char *) name->data); >- krb5_free_principal(context, principal.principal); >- krb5_free_context(context); >- return FALSE; >+ kret = kadm5_get_principal(ctx->handle, principal.principal, >+ &principal, >+ KADM5_PRINCIPAL | KADM5_ATTRIBUTES); >+ if (kret == KADM5_OK) { >+ ret = (principal.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == >+ KRB5_KDB_DISALLOW_ALL_TIX; > } else { >- ret = >- (principal.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == >- KRB5_KDB_DISALLOW_ALL_TIX; >+ ret = FALSE; >+ lu_error_new(error, lu_error_generic, _(error_message(kret))); > } > >+ krb5_free_principal(context, principal.principal); >+ krb5_free_context(context); > return ret; > } 
> >@@ -580,51 +758,55 @@ > { > krb5_context context = NULL; > krb5_principal principal = NULL; >- GList *name; >+ krb5_error_code err; >+ GValueArray *name; >+ GValue *val; > gboolean ret = TRUE; > struct lu_krb5_context *ctx; > > g_assert(module != NULL); > g_assert(ent != NULL); > g_assert(ent->magic == LU_ENT_MAGIC); >+ LU_ERROR_CHECK(error); > > ctx = (struct lu_krb5_context *) module->module_context; > >- if (krb5_init_secure_context(&context) != 0) { >- lu_error_new(error, lu_error_init, >- _("error initializing kerberos library")); >+ err = krb5_init_secure_context(&context); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_init, error); > return FALSE; > } > >- if (name == NULL) { >- name = lu_ent_get(ent, LU_USERNAME); >- } >- if (name == NULL) { >+ name = lu_ent_get(ent, LU_USERNAME); >+ if (name == NULL || >+ !G_VALUE_HOLDS_STRING(g_value_array_get_nth(name, 0))) { > lu_error_new(error, lu_error_generic, >- _("entity has no %s attribute"), LU_USERNAME); >+ _("entity has no %s attribute"), >+ LU_USERNAME); > krb5_free_context(context); > return FALSE; > } > >- if (krb5_parse_name(context, name->data, &principal) != 0) { >- lu_error_new(error, lu_error_generic, >- _ >- ("error parsing user name `%s' for kerberos"), >- (const char *) name->data); >+ val = g_value_array_get_nth(name, 0); >+ err = krb5_parse_name(context, g_value_get_string(val), >+ &principal); >+ if (err != KRB5_SUCCESS) { >+ lu_krb5_error_message(context, err, lu_error_generic, error); > krb5_free_context(context); > return FALSE; > } > > /* Now try to change the password. 
*/ > if (password != NULL) { >+ kadm5_ret_t err; > #ifdef DEBUG > g_print("Working password for %s is `%s'.\n", name->data, > password); > g_print("Changing password for %s.\n", name->data); > #endif >- if (kadm5_chpass_principal >- (ctx->handle, principal, >- (char *) password) == KADM5_OK) { >+ err = kadm5_chpass_principal(ctx->handle, principal, >+ (char *) password); >+ if (err == KADM5_OK) { > #ifdef DEBUG > g_print("...succeeded.\n"); > #endif >@@ -632,15 +814,14 @@ > * that a subsequent information > * modify will note that the > * user is Kerberized. */ >- lu_ent_set(ent, LU_USERPASSWORD, LU_KRBPASSWORD); >+ lu_ent_set(ent, LU_USERPASSWORD, lu_krbpassword); > ret = TRUE; > } else { > #ifdef DEBUG > g_print("...failed.\n"); > #endif > lu_error_new(error, lu_error_generic, >- _("error setting password for `%s'"), >- (const char *) name->data); >+ _(error_message(err))); > } > } 
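Review bot: The `#ifdef DEBUG` lines kept as context in lu_krb5_user_setpass still use `name->data`, but this hunk changes `name` to `GValueArray *`, which has no `data` member, so a DEBUG build will no longer compile; the first of those lines also prints the cleartext password. Drop the `Working password` line and print the name with `g_print("Changing password for %s.\n", g_value_get_string(val));`. The inner `kadm5_ret_t err;` shadows the `krb5_error_code err` declared at the top of the function; naming it `kret`, as the other functions in this patch do, avoids mixing the two error domains. The function's signature and its tail are outside this hunk.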
> >@@ -651,44 +832,92 @@ > } > > static gboolean >+lu_krb5_user_removepass(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return lu_krb5_user_setpass(module, ent, LU_KRBPASSWORD, error); >+} >+ >+static gboolean >+lu_krb5_group_default(struct lu_module *module, const char *name, >+ gboolean is_system, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ g_return_val_if_fail(name != NULL, FALSE); >+ if (lu_ent_get(ent, LU_SHADOWPASSWORD) == NULL) { >+ GValue value; >+ >+ memset(&value, 0, sizeof(value)); >+ g_value_init(&value, G_TYPE_STRING); >+ g_value_set_string(&value, LU_KRBPASSWORD); >+ lu_ent_add(ent, LU_SHADOWPASSWORD, &value); >+ g_value_unset(&value); >+ } >+ return TRUE; >+} >+ >+static gboolean >+lu_krb5_group_add_prep(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return TRUE; >+} >+ >+static gboolean > lu_krb5_group_add(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > > static gboolean > lu_krb5_group_mod(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > > static gboolean > lu_krb5_group_del(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > > static gboolean > lu_krb5_group_lock(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > > static gboolean > lu_krb5_group_unlock(struct lu_module *module, struct lu_ent *ent, > struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > > static gboolean >-lu_krb5_group_islocked(struct lu_module *module, struct lu_ent *ent, >- struct lu_error **error) >+lu_krb5_group_unlock_nonempty(struct lu_module 
*module, struct lu_ent *ent, >+ struct lu_error **error) > { >+ LU_ERROR_CHECK(error); >+ return TRUE; >+} >+ >+static gboolean >+lu_krb5_group_is_locked(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); > return FALSE; > } 
> >@@ -696,35 +925,83 @@ > lu_krb5_group_setpass(struct lu_module *module, struct lu_ent *ent, > const char *password, struct lu_error **error) > { >- return FALSE; >+ LU_ERROR_CHECK(error); >+ return TRUE; > } > >-static GList * >+static gboolean >+lu_krb5_group_removepass(struct lu_module *module, struct lu_ent *ent, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return TRUE; >+} >+ >+static GValueArray * > lu_krb5_users_enumerate(struct lu_module *module, const char *pattern, > struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return NULL; > } > >-static GList * >+static GValueArray * > lu_krb5_groups_enumerate(struct lu_module *module, const char *pattern, > struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return NULL; > } > >-static GList * >+static GValueArray * > lu_krb5_users_enumerate_by_group(struct lu_module *module, > const char *group, gid_t gid, > struct lu_error **error) > { >+ LU_ERROR_CHECK(error); > return NULL; > } > >-static GList * >+static GPtrArray * >+lu_krb5_users_enumerate_full(struct lu_module *module, const char *pattern, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return NULL; >+} >+ >+static GPtrArray * >+lu_krb5_users_enumerate_by_group_full(struct lu_module *module, >+ const char *group, gid_t gid, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return NULL; >+} >+ >+static GValueArray * > lu_krb5_groups_enumerate_by_user(struct lu_module *module, >- const char *user, struct lu_error **error) >+ const char *user, uid_t uid, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); >+ return NULL; >+} >+ >+static GPtrArray * >+lu_krb5_groups_enumerate_full(struct lu_module *module, const char *pattern, >+ struct lu_error **error) > { >+ LU_ERROR_CHECK(error); >+ return NULL; >+} >+ >+static GPtrArray * >+lu_krb5_groups_enumerate_by_user_full(struct lu_module *module, >+ const char *user, uid_t uid, >+ struct lu_error **error) >+{ >+ LU_ERROR_CHECK(error); > return NULL; > } 
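Review bot: lu_krb5_user_removepass, added in the `@@ -651,44 +832,92 @@` hunk, calls `lu_krb5_user_setpass(module, ent, LU_KRBPASSWORD, error)`, and setpass hands its password argument to `kadm5_chpass_principal`, so "removing" a password sets the principal's real Kerberos password to the fixed LU_KRBPASSWORD marker string. The account then has a password that anyone with the source can read. If the intent is to make the old password unusable, replacing the key with a random one (for example via `kadm5_randkey_principal`) or reporting the operation as unsupported would be safer. The group stubs in the same hunk now return TRUE without doing anything, so lu_krb5_group_lock reports success although nothing was locked; a comment such as `/* groups are not stored in Kerberos; nothing to do */` would show that this is deliberate.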
> >@@ -748,7 +1025,7 @@ > } > > struct lu_module * >-lu_krb5_init(struct lu_context *context, struct lu_error **error) >+libuser_krb5_init(struct lu_context *context, struct lu_error **error) > { > struct lu_module *ret = NULL; > struct lu_krb5_context *ctx = NULL; >@@ -757,7 +1034,6 @@ > > g_assert(context != NULL); > initialize_krb5_error_table(); >- initialize_kadm_error_table(); > > /* Verify that we can connect to the kadmind server. */ > g_assert(context->prompter != NULL); >@@ -812,6 +1088,12 @@ > } > ctx->handle = handle; > >+ /* Set up the default password */ >+ g_value_init (&lu_krbpassword_val, G_TYPE_STRING); >+ g_value_set_string (&lu_krbpassword_val, LU_KRBPASSWORD); >+ lu_krbpassword = g_value_array_new (1); >+ g_value_array_append (lu_krbpassword, &lu_krbpassword_val); >+ > /* Allocate the method structure. */ > ret = g_malloc0(sizeof(struct lu_module)); > ret->version = LU_MODULE_VERSION; 
>@@ -820,31 +1102,45 @@ > ret->module_context = ctx; > > /* Set the method pointers. */ >+ ret->uses_elevated_privileges = lu_krb5_uses_elevated_privileges; >+ > ret->user_lookup_name = lu_krb5_user_lookup_name; > ret->user_lookup_id = lu_krb5_user_lookup_id; > >+ ret->user_default = lu_krb5_user_default; >+ ret->user_add_prep = lu_krb5_user_add_prep; > ret->user_add = lu_krb5_user_add; > ret->user_mod = lu_krb5_user_mod; > ret->user_del = lu_krb5_user_del; > ret->user_lock = lu_krb5_user_lock; > ret->user_unlock = lu_krb5_user_unlock; >- ret->user_islocked = lu_krb5_user_islocked; >+ ret->user_unlock_nonempty = lu_krb5_user_unlock_nonempty; >+ ret->user_is_locked = lu_krb5_user_is_locked; > ret->user_setpass = lu_krb5_user_setpass; >+ ret->user_removepass = lu_krb5_user_removepass; > ret->users_enumerate = lu_krb5_users_enumerate; > ret->users_enumerate_by_group = lu_krb5_users_enumerate_by_group; >+ ret->users_enumerate_full = lu_krb5_users_enumerate_full; >+ ret->users_enumerate_by_group_full = lu_krb5_users_enumerate_by_group_full; > > ret->group_lookup_name = lu_krb5_group_lookup_name; > ret->group_lookup_id = lu_krb5_group_lookup_id; > >+ ret->group_default = lu_krb5_group_default; >+ ret->group_add_prep = lu_krb5_group_add_prep; > ret->group_add = lu_krb5_group_add; > ret->group_mod = lu_krb5_group_mod; > ret->group_del = lu_krb5_group_del; > ret->group_lock = lu_krb5_group_lock; > ret->group_unlock = lu_krb5_group_unlock; >- ret->group_islocked = lu_krb5_group_islocked; >+ ret->group_unlock_nonempty = lu_krb5_group_unlock_nonempty; >+ ret->group_is_locked = lu_krb5_group_is_locked; > ret->group_setpass = lu_krb5_group_setpass; >+ ret->group_removepass = lu_krb5_group_removepass; > ret->groups_enumerate = lu_krb5_groups_enumerate; > ret->groups_enumerate_by_user = lu_krb5_groups_enumerate_by_user; >+ ret->groups_enumerate_full = lu_krb5_groups_enumerate_full; >+ ret->groups_enumerate_by_user_full = lu_krb5_groups_enumerate_by_user_full; > > ret->close = 
lu_krb5_close_module; > >diff -durN libuser-0.54.7.ORIG/modules/ldap.c libuser-0.54.7/modules/ldap.c >--- libuser-0.54.7.ORIG/modules/ldap.c 2006-03-11 16:11:12.000000000 -0700 >+++ libuser-0.54.7/modules/ldap.c 2007-03-03 22:28:53.000000000 -0700 >@@ -1536,7 +1536,7 @@ > if (password == NULL) { > lu_error_new(error, lu_error_generic, > _("object has no %s attribute"), >- LU_USERPASSWORD); >+ attribute); > return FALSE; > } > value = g_value_array_get_nth(password, 0);