changeset 4621:77407f8b6bb2 onnv_69

6550530 pam_krb5_migrate's expire_pw expires the Kerberos password too late 6557188 included pam_krb5 doesn't function correctly as 'auth required' in pam.conf 6559678 kpasswd returns "KDC reply did not match expectations" when using Heimdal server 6564714 Option "-m" doesn't work for kadmind. 6564718 kdb5_util dump doesn't create a "dump ok" file if the master key is not available 6570434 libkadm5srv should be smarter in figuring out the enc type of the master key in the stash file 6575452 kdb5_util should be more robust after CF providers have failed
author semery
date Mon, 09 Jul 2007 20:58:37 -0700
parents 4895df7f426f
children 86a7ac7a2ed7
files usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c usr/src/lib/krb5/kadm5/srv/server_init.c usr/src/lib/krb5/kdb/fetch_mkey.c usr/src/lib/pam_modules/krb5/krb5_setcred.c usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c
diffstat 8 files changed, 77 insertions(+), 22 deletions(-) [+]
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -415,7 +415,7 @@
     }
     if (master_salt.data)
 	free(master_salt.data);
-    krb5_free_keyblock_contents(util_context, rblock.key);
+    krb5_free_keyblock(util_context, rblock.key);
     krb5_free_keyblock_contents(util_context, &mkey);
     (void) krb5_db_fini(util_context);
 
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -486,7 +486,13 @@
 	    gettext("while reading master key"));
 	com_err(progname, 0,
 	    gettext("Warning: proceeding without master key"));
-	exit_status++;
+	/*
+	 * Solaris Kerberos: We don't want to count as an error if for instance
+	 * the stash file is not present and we are trying to automate
+	 * propagation, which really doesn't need a master key to do so.
+	 */
+	if (retval != KRB5_KDB_CANTREAD_STORED)
+		exit_status++;
 	return(0);
     }
     if ((retval = krb5_db_verify_master_key(util_context, master_princ, 
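Review bot: The new guard on L49 stops counting KRB5_KDB_CANTREAD_STORED as an error, but the function still `return(0)`s on every master-key failure, so a caller cannot tell a tolerated missing stash from a real read error except through the global exit_status; the comment should say what callers may rely on, e.g. `/* Callers that need the master key must check it was actually loaded; a missing stash only suppresses the exit_status bump. */`. If any subcommand uses the master keyblock unconditionally it now runs with an unread key in the CANTREAD_STORED case, which is worth confirming since that path was previously counted as a failure. The enclosing function starts before and ends after this hunk.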
--- a/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -507,17 +507,6 @@
 		(void) enable_extended_FILE_stdio(-1, -1);
 	}
 
-	if (!nofork && (ret = daemon(0, 0))) {
-		ret = errno;
-		krb5_klog_syslog(LOG_ERR,
-		    gettext("Cannot detach from tty: %s"),
-		    error_message(ret));
-		fprintf(stderr, gettext("%s: Cannot detach from tty: %s\n"),
-		    whoami, error_message(ret));
-		krb5_klog_close(context);
-		exit(1);
-	}
-
 	if (ret = krb5_init_context(&context)) {
 		fprintf(stderr,
 		    gettext("%s: %s while initializing context, aborting\n"),
@@ -888,6 +877,17 @@
 		exit(1);
 	}
 
+	if (!nofork && (ret = daemon(0, 0))) {
+		ret = errno;
+		krb5_klog_syslog(LOG_ERR,
+		    gettext("Cannot detach from tty: %s"),
+		    error_message(ret));
+		fprintf(stderr, gettext("%s: Cannot detach from tty: %s\n"),
+		    whoami, error_message(ret));
+		krb5_klog_close(context);
+		exit(1);
+	}
+
 	handle = global_server_handle;
 	ctx = handle->context;
 	if (params.iprop_enabled == TRUE)
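Review bot: The relocated daemon() block on L85–L94 carries no comment recording why it has to follow krb5_init_context() and the server-handle setup, which is what makes the `krb5_klog_close(context)` on its failure path valid now; add `/* Detach only after the context and server handle exist so the error path can close the log cleanly. */` above it. Because the fork now happens after the server handle is built, any process-specific state created earlier (file locks, a PID recorded earlier, threads) is inherited by the child and dropped by the exiting parent; whether kadmind creates any of these before this point is not visible in the hunk and should be checked. The enclosing function begins and ends outside both hunks in this file.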
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,9 +1,9 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
+#pragma ident	"%Z%%M%	%I%	%E% SMI"$
 
 /*
  * lib/krb5/krb/get_in_tkt.c
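Review bot: The rewritten `#pragma ident` on L109 ends with a stray `$` after the closing quote, which the removed line on L108 did not have and which looks like an editing artifact rather than part of the SCCS keyword string; the line should read `#pragma ident	"%Z%%M%	%I%	%E% SMI"` as before. Depending on the compiler the extra token either draws a warning about trailing text after the pragma or quietly alters the ident string embedded in the object file.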
@@ -69,6 +69,7 @@
 
  */
 
+#define	max(a, b)	((a) > (b) ? (a) : (b))
 
 /* some typedef's for the function args to make things look a bit cleaner */
 
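Review bot: The `max` macro added on L117 is defined unconditionally with a lowercase name, so it collides with any `max` already supplied by a system header or by a later include in this translation unit; guarding it as `#ifndef max` / `#define max(a, b) ((a) > (b) ? (a) : (b))` / `#endif` avoids a redefinition error. It also evaluates one argument twice, which is harmless for the plain field reads it is applied to later in this file but deserves a one-line comment so that nobody passes a call expression to it.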
@@ -320,6 +321,11 @@
 	|| ((request->till != 0) &&
 	    (as_reply->enc_part2->times.endtime > request->till))
 	|| ((request->kdc_options & KDC_OPT_RENEWABLE) &&
+	    /*
+	     * Solaris Kerberos: Here we error only if renewable_ok was not set.
+	     */
+	    !(request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+	    (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
 	    (request->rtime != 0) &&
 	    (as_reply->enc_part2->times.renew_till > request->rtime))
 	|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
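Review bot: The added test on L129 applies KDC_OPT_RENEWABLE, a KDC-options bit, to the ticket flags in `as_reply->enc_part2->flags`; this works only because the renewable bit has the same value in both layouts (the surrounding code already relies on it), so the new clause should either say so, e.g. `/* KDC_OPT_RENEWABLE and TKT_FLG_RENEWABLE share the same bit value. */`, or use TKT_FLG_RENEWABLE for the flags test. Placing the Solaris comment inside the operand list of a multi-line `||` expression also makes the condition harder to read; one comment above the whole `if` would be clearer. The enclosing function and this `if` begin before the hunk and end in the next one.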
@@ -327,6 +333,16 @@
 	    (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
 	    (request->till != 0) &&
 	    (as_reply->enc_part2->times.renew_till > request->till))
+	    /*
+	     * Solaris Kerberos: renew_till should never be greater than till or
+	     * rtime.
+	     */
+	|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+	    (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+	    (request->till != 0) &&
+	    (request->rtime != 0) &&
+	    (as_reply->enc_part2->times.renew_till > max(request->till,
+	     request->rtime)))
 	)
 	return KRB5_KDCREP_MODIFIED;
 
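Review bot: The new clause on L141–L146 requires both `request->till != 0` and `request->rtime != 0`, while the first clause of the condition (previous hunk) now skips its rtime comparison whenever KDC_OPT_RENEWABLE_OK is set; a request carrying both RENEWABLE and RENEWABLE_OK with a nonzero rtime and till == 0 is therefore no longer checked against renew_till at all, whereas before this change the first clause rejected `renew_till > rtime` for it. Dropping the `(request->till != 0) &&` line restores that: with till == 0, `renew_till > max(request->till, request->rtime)` reduces to the old bound. This is the client's consistency check on the KDC reply, so narrowing it silently accepts a reply that was previously reported as KRB5_KDCREP_MODIFIED. The enclosing `if` starts in the previous hunk.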
--- a/usr/src/lib/krb5/kadm5/srv/server_init.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_init.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -263,6 +263,13 @@
      *
      * kdb_init_master's third argument is "from_keyboard".
      */
+    /*
+     * Solaris Kerberos: Setting to an unknown enc type will make the function
+     * read the encryption type in the stash file instead of assumming that it
+     * is the default type.
+     */
+    if (handle->params.enctype == DEFAULT_KDC_ENCTYPE)
+	handle->params.enctype = ENCTYPE_UNKNOWN;
     ret = kdb_init_master(handle, handle->params.realm,
 			  (handle->api_version == KADM5_API_VERSION_1 ?
 			   ((pass == NULL) || !(strlen(pass))) :
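Review bot: The test on L168 cannot distinguish an administrator who explicitly configured the master key type to the default from one who left it unset, so an explicit configuration equal to DEFAULT_KDC_ENCTYPE is silently replaced by whatever the stash file holds; if the params mask records whether enctype came from configuration (KADM5_CONFIG_ENCTYPE in the MIT code base, to be confirmed for this tree), testing that bit would be more precise. The comment should also mention that the discovered type is written back into `handle->params.enctype` once kdb_init_master() returns (the next hunk in this file), since later principal setup depends on it, and `assumming` should read `assuming`. The enclosing function starts before and ends after both hunks.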
@@ -275,6 +282,11 @@
 	free(handle);
 	return ret;
     }
+    /*
+     * Solaris Kerberos: We used the enc type that was discovered in the stash
+     * file to associate with the other magic principals in the database.
+     */
+    handle->params.enctype = handle->master_keyblock.enctype;
     
     ret = kdb_init_hist(handle, handle->params.realm);
     if (ret) {
--- a/usr/src/lib/krb5/kdb/fetch_mkey.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/lib/krb5/kdb/fetch_mkey.c	Mon Jul 09 20:58:37 2007 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -124,6 +124,14 @@
 		if (retval)
 			return retval;
 	}
+
+	/*
+	 * Solaris Kerberos: If the enc type is unknown then we revert back to
+	 * the default enc type since we don't have the luxury of finding this
+	 * in the stash file when reading the password from the keyboard.
+	 */
+	if (etype == ENCTYPE_UNKNOWN)
+		etype = DEFAULT_KDC_ENCTYPE;
 	retval = krb5_c_string_to_key(context, etype, &pwd, salt?salt:&scratch,
 				      key);
 
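Review bot: The fallback on L204–L205 silently turns ENCTYPE_UNKNOWN into DEFAULT_KDC_ENCTYPE when the key is derived from a typed-in password, so if the stored master key is of a different type the derived key only fails later at verification with no hint that the type was guessed; a comment such as `/* Guessed type: the caller must verify the derived key against the stored master key. */` would make that failure easier to diagnose. If `etype` is the function's parameter the change is local, and callers that passed ENCTYPE_UNKNOWN learn the chosen type only through `key->enctype`, which the function's header comment should state. The enclosing function begins before and continues after the hunk.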
--- a/usr/src/lib/pam_modules/krb5/krb5_setcred.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/lib/pam_modules/krb5/krb5_setcred.c	Mon Jul 09 20:58:37 2007 -0700
@@ -138,8 +138,14 @@
 				return (PAM_SYSTEM_ERR);
 			}
 		} else {
-				err = PAM_CRED_UNAVAIL;
-				goto out;
+			/*
+			 * This could mean that we are not the account authority
+			 * for the authenticated user.  Therefore we should
+			 * return PAM_IGNORE in order to not affect the
+			 * login process of said user.
+			 */
+			err = PAM_IGNORE;
+			goto out;
 		}
 
 	} else {  /* pam_get_data success */
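Review bot: Returning PAM_IGNORE on L223 removes this module from the stack's vote whenever its authentication data is absent, and the outcome then depends entirely on the control flag and the other modules in pam.conf; since there is no diagnostic on this path, a stack that expected pam_krb5 to set credentials but never authenticated through it will succeed silently. A debug-level log line before the `goto out`, stating that no krb5 authentication data was found and PAM_IGNORE is being returned, would make that condition visible without changing the result. The enclosing function starts before and ends after the hunk.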
--- a/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c	Mon Jul 09 20:55:03 2007 -0700
+++ b/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c	Mon Jul 09 20:58:37 2007 -0700
@@ -275,6 +275,13 @@
 
 	if (expire_pw) {
 		(void) time(&now);
+		/*
+		 * The local system time could actually be later than the
+		 * system time of the KDC we are authenticating to.  We expire
+		 * w/the local system time minus clockskew so that we are
+		 * assured that it is expired on this login, not the next.
+		 */
+		now -= context->clockskew;
 		kadm5_userprinc.pw_expiration = now;
 		mask |= KADM5_PW_EXPIRATION;
 	}
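Review bot: Subtracting `context->clockskew` on L240 only guarantees expiry if the KDC clock is not behind the local clock by more than clockskew, which the comment should state as the assumption rather than implying it fixes all drift; if the intent is simply "already expired", a fixed past timestamp such as `kadm5_userprinc.pw_expiration = 1;` is independent of clock drift, provided the KDC treats only 0 as "never expires" (worth confirming in this tree). If the expiration is meant to stay close to real time for audit purposes, keep the subtraction and say so. The enclosing function starts before and ends after the hunk.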