authorgtb <none@none>2008-05-01 15:29:41 -0700
committergtb <none@none>2008-05-01 15:29:41 -0700
commit32885d593baf8bac788fa78885893a51b3ad0f28 (patch)
tree180b4917d7dde90eb20e652a4030b2775b1cda85
parentb54157c1b1bf9673e4da8b526477d59202cd08a6 (diff)
downloadillumos-joyent-32885d593baf8bac788fa78885893a51b3ad0f28.tar.gz
6516568 Warning messages still being displayed on krb ccache ownership
6574888 Principals using delegated credentials are not being registered with ktkt_warnd for auto-renewal
6689008 kwarn_add_warning should not output errors to stderr
-rw-r--r--usr/src/cmd/cmd-inet/common/kcmd.c52
-rw-r--r--usr/src/cmd/cmd-inet/common/kcmd.h15
-rw-r--r--usr/src/cmd/cmd-inet/common/store_forw_creds.c106
-rw-r--r--usr/src/cmd/cmd-inet/common/store_forw_creds.h48
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/Makefile43
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.rlogind.c32
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c21
-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c26
-rw-r--r--usr/src/cmd/krb5/kwarn/kwarnd_clnt_stubs.c41
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/Makefile.com26
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c72
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c41
12 files changed, 405 insertions, 118 deletions
diff --git a/usr/src/cmd/cmd-inet/common/kcmd.c b/usr/src/cmd/cmd-inet/common/kcmd.c
index 9002c96ba9..5ef65daed2 100644
--- a/usr/src/cmd/cmd-inet/common/kcmd.c
+++ b/usr/src/cmd/cmd-inet/common/kcmd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -457,56 +457,6 @@ strsave(char *sp)
return (ret);
}
-/*
- * Decode, decrypt and store the forwarded creds in the local ccache.
- */
-krb5_error_code
-rd_and_store_for_creds(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *inbuf,
- krb5_ticket *ticket,
- char *lusername,
- krb5_ccache *ccache)
-{
- krb5_creds ** creds;
- krb5_error_code retval;
- char ccname[64];
- struct passwd *pwd;
- uid_t uid;
-
- *ccache = NULL;
- if (!(pwd = (struct passwd *)getpwnam(lusername)))
- return (ENOENT);
-
- uid = getuid();
- if (seteuid(pwd->pw_uid))
- return (-1);
-
- if ((retval =
- krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) != 0)
- return (retval);
-
- (void) snprintf(ccname, sizeof (ccname),
- "FILE:/tmp/krb5cc_%ld", pwd->pw_uid);
-
- if ((retval = krb5_cc_resolve(context, ccname, ccache)) != 0)
- goto cleanup;
-
- if ((retval = krb5_cc_initialize(context, *ccache,
- ticket->enc_part2->client)) != 0)
- goto cleanup;
-
- if ((retval = krb5_cc_store_cred(context, *ccache, *creds)) != 0)
- goto cleanup;
-
- if ((retval = krb5_cc_close(context, *ccache)) != 0)
- goto cleanup;
-
-cleanup:
- (void) seteuid(uid);
- krb5_free_creds(context, *creds);
- return (retval);
-}
/*
* This routine is to initialize the desinbuf, desoutbuf and the session key
diff --git a/usr/src/cmd/cmd-inet/common/kcmd.h b/usr/src/cmd/cmd-inet/common/kcmd.h
index a497d1b097..b6bc8e9154 100644
--- a/usr/src/cmd/cmd-inet/common/kcmd.h
+++ b/usr/src/cmd/cmd-inet/common/kcmd.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -19,8 +18,9 @@
*
* CDDL HEADER END
*/
+
/*
- * Copyright 2002 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -102,13 +102,6 @@ int kcmd(int *sock, char **ahost, ushort_t rport, char *locuser,
krb5_flags authopts,
int anyport, enum kcmd_proto *kcmd_proto);
-krb5_error_code rd_and_store_for_creds(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *inbuf,
- krb5_ticket *ticket,
- char *lusername,
- krb5_ccache *ccache);
-
void init_encrypt(int, krb5_context, enum kcmd_proto,
krb5_data *, krb5_data *,
int, krb5_encrypt_block *);
diff --git a/usr/src/cmd/cmd-inet/common/store_forw_creds.c b/usr/src/cmd/cmd-inet/common/store_forw_creds.c
new file mode 100644
index 0000000000..2b5d7988b3
--- /dev/null
+++ b/usr/src/cmd/cmd-inet/common/store_forw_creds.c
@@ -0,0 +1,106 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+
+#include <pwd.h>
+#include <locale.h>
+#include <syslog.h>
+#include <errno.h>
+#include <com_err.h>
+#include <k5-int.h>
+
+extern uint_t kwarn_add_warning(char *, int);
+extern uint_t kwarn_del_warning(char *);
+
+/*
+ * Store the forwarded creds in the user's local ccache and register
+ * w/ktkt_warnd(1M).
+ */
+krb5_error_code
+store_forw_creds(krb5_context context,
+ krb5_creds **creds,
+ krb5_ticket *ticket,
+ char *lusername,
+ krb5_ccache *ccache)
+{
+ krb5_error_code retval;
+ char ccname[MAXPATHLEN];
+ struct passwd *pwd;
+ uid_t uid;
+ char *client_name = NULL;
+
+ *ccache = NULL;
+ if (!(pwd = getpwnam(lusername)))
+ return (ENOENT);
+
+ uid = getuid();
+ if (seteuid(pwd->pw_uid))
+ return (-1);
+
+ (void) snprintf(ccname, sizeof (ccname), "FILE:/tmp/krb5cc_%ld",
+ pwd->pw_uid);
+
+ if ((retval = krb5_cc_resolve(context, ccname, ccache)) != 0) {
+ krb5_set_error_message(context, retval,
+ gettext("failed to resolve cred cache %s"), ccname);
+ goto cleanup;
+ }
+
+ if ((retval = krb5_cc_initialize(context, *ccache,
+ ticket->enc_part2->client)) != 0) {
+ krb5_set_error_message(context, retval,
+ gettext("failed to initialize cred cache %s"), ccname);
+ goto cleanup;
+ }
+
+ if ((retval = krb5_cc_store_cred(context, *ccache, *creds)) != 0) {
+ krb5_set_error_message(context, retval,
+ gettext("failed to store cred in cache %s"), ccname);
+ goto cleanup;
+ }
+
+ if ((retval = krb5_cc_close(context, *ccache)) != 0)
+ goto cleanup;
+
+ /* Register with ktkt_warnd(1M) */
+ if ((retval = krb5_unparse_name(context, (*creds)->client,
+ &client_name)) != 0)
+ goto cleanup;
+ (void) kwarn_del_warning(client_name);
+ if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
+ syslog(LOG_AUTH|LOG_NOTICE,
+ "store_forw_creds: kwarn_add_warning"
+ " failed: ktkt_warnd(1M) down? ");
+ }
+ free(client_name);
+ client_name = NULL;
+
+cleanup:
+ (void) seteuid(uid);
+
+ return (retval);
+}
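Review bot: The privilege restore at the `cleanup` label, `(void) seteuid(uid);`, ignores failure, so a daemon that could not regain its own euid carries on running as the target user with nothing recorded; check it and at least log it, e.g. `if (seteuid(uid) != 0) syslog(LOG_AUTH|LOG_ERR, "store_forw_creds: seteuid restore failed [%m]");`. The earlier `if (seteuid(pwd->pw_uid)) return (-1);` returns a value that is not a krb5_error_code, and in.rshd then hands it to `error_message(status)`; `return (errno);` keeps the diagnostic meaningful. `snprintf` formats `pwd->pw_uid` with `%ld`; if uid_t is unsigned on this platform the specifier is mismatched, so pass `(long)pwd->pw_uid` or use `%u`. `free(client_name)` releases memory allocated by the krb5 library; `krb5_free_unparsed_name(context, client_name)` is the matching release call, here and at the same lines in the in.telnetd.c and store_cred.c hunks. On a `krb5_unparse_name` failure the function reports an error although the credentials were already stored and `*ccache` already closed, which the in.rlogind/in.rshd callers turn into a fatal "Can't store forwarded credentials"; if ktkt_warnd registration is best-effort, as the syslog-only handling of `kwarn_add_warning` suggests, that failure could be logged the same way instead of returned.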
diff --git a/usr/src/cmd/cmd-inet/common/store_forw_creds.h b/usr/src/cmd/cmd-inet/common/store_forw_creds.h
new file mode 100644
index 0000000000..6aa40ebee9
--- /dev/null
+++ b/usr/src/cmd/cmd-inet/common/store_forw_creds.h
@@ -0,0 +1,48 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _STORE_FORW_CREDS_H
+#define _STORE_FORW_CREDS_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+krb5_error_code store_forw_creds(krb5_context context,
+ krb5_creds **creds,
+ krb5_ticket *ticket,
+ char *lusername,
+ krb5_ccache *ccache);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _STORE_FORW_CREDS_H */
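Review bot: The header uses `krb5_error_code`, `krb5_context`, `krb5_creds`, `krb5_ticket` and `krb5_ccache` without including anything, so it compiles only when the includer has already pulled in the krb5 headers; an `#include <krb5.h>` inside the guard makes it self-contained. The prototype also carries no contract for its callers: a comment stating that `creds` is the array returned by `krb5_rd_cred` and stays the caller's to free, that the call temporarily switches the effective uid to `lusername`'s and restores it before returning, and that `*ccache` is handed back already closed (the .c file calls `krb5_cc_close` on it and does not reset the pointer) would spare the in.rlogind/in.rshd callers reading the implementation.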
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/Makefile
index b8005a3fed..a520551b69 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/Makefile
+++ b/usr/src/cmd/cmd-inet/usr.sbin/Makefile
@@ -63,6 +63,7 @@ TFTPDOBJS= in.tftpd.o tftpsubs.o
OTHERSRC= ../usr.bin/tftp/tftpsubs.c
K5RLOGINOBJS= in.rlogind.o
K5RSHDOBJS= in.rshd.o
+K5TELNETOBJS= in.telnetd.o
SRCS= $(PROGSRCS) $(OTHERSRC)
SUBDIRS= bootconfchk htable ifconfig in.ftpd in.rdisc in.routed \
@@ -97,7 +98,32 @@ include ../Makefile.cmd-inet
ROOTSBINPROG = $(ROOTFS_PROG:%=$(ROOTSBIN)/%)
ROOTUSRSBINLINKS = $(SBINLINKS:%=$(ROOTUSRSBIN)/%)
-COMMONOBJS= addr_match.o kcmd.o
+KWARN_OBJS = kwarnd_clnt_stubs.o kwarnd_clnt.o kwarnd_handle.o kwarnd_xdr.o
+KWARN_SRC = $(KWARN_OBJS:%.o=%.c)
+KWARN_SRC += kwarnd.h
+kwarnd.h: $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -h $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+
+kwarnd_xdr.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -c $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+
+kwarnd_clnt.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -l $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+kwarnd_clnt_stubs.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd_clnt_stubs.c
+ $(RM) $@
+ $(CP) $(SRC)/cmd/krb5/kwarn/kwarnd_clnt_stubs.c $@
+
+kwarnd_handle.c: $(SRC)/cmd/krb5/kwarn/kwarnd_handle.c
+ $(RM) $@
+ $(CP) $(SRC)/cmd/krb5/kwarn/kwarnd_handle.c $@
+
+COMMONOBJS= addr_match.o kcmd.o store_forw_creds.o
COMMONSRCS= $(COMMONOBJS:%.o=$(CMDINETCOMMONDIR)/%.c)
SRCS+= $(COMMONSRCS)
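Review bot: The five `kwarnd.h`/`kwarnd_xdr.c`/`kwarnd_clnt.c`/`kwarnd_clnt_stubs.c`/`kwarnd_handle.c` rules added here are repeated verbatim in the mech_krb5/Makefile.com hunk; a single shared makefile fragment under cmd/krb5/kwarn included by both would keep the rpcgen flags and the sed rewrite from diverging. In the later hunk of this file `$(K5TELNETOBJS)` is introduced and linked but, unlike `$(K5RLOGINOBJS)` and `$(K5RSHDOBJS)`, is not appended to `CLEANFILES`, so `in.telnetd.o` is left behind by `make clean` unless a rule outside this diff covers it. A blank line before the `kwarnd_clnt_stubs.c:` rule would match the spacing of its siblings.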
@@ -114,8 +140,9 @@ clobber:= TARGET= clobber
lint:= TARGET= lint
_msg:= TARGET= _msg
-CLOBBERFILES += $(ROOTFS_PROG) $(PROG)
+CLOBBERFILES += $(ROOTFS_PROG) $(PROG) $(KWARN_SRC)
CLEANFILES += $(COMMONOBJS) $(K5RLOGINOBJS) $(K5RSHDOBJS) $(TFTPDOBJS)
+CLEANFILES += $(KWARN_OBJS)
CPPFLAGS += -DSYSV -DBSD_COMP -I$(CMDINETCOMMONDIR) -I
@@ -169,12 +196,16 @@ $(POFILE): $(POFILES)
%.o: $(CMDINETCOMMONDIR)/%.c
$(COMPILE.c) -o $@ $<
-in.rlogind: $(K5RLOGINOBJS) $(COMMONOBJS)
- $(LINK.c) $(K5RLOGINOBJS) $(COMMONOBJS) -o $@ $(LDLIBS)
+in.telnetd: $(K5TELNETOBJS) $(KWARN_OBJS)
+ $(LINK.c) $(K5TELNETOBJS) $(KWARN_OBJS) -o $@ $(LDLIBS)
+ $(POST_PROCESS)
+
+in.rlogind: $(K5RLOGINOBJS) $(COMMONOBJS) $(KWARN_OBJS)
+ $(LINK.c) $(K5RLOGINOBJS) $(COMMONOBJS) $(KWARN_OBJS) -o $@ $(LDLIBS)
$(POST_PROCESS)
-in.rshd: $(K5RSHDOBJS) $(COMMONOBJS)
- $(LINK.c) $(K5RSHDOBJS) $(COMMONOBJS) -o $@ $(LDLIBS)
+in.rshd: $(K5RSHDOBJS) $(COMMONOBJS) $(KWARN_OBJS)
+ $(LINK.c) $(K5RSHDOBJS) $(COMMONOBJS) $(KWARN_OBJS) -o $@ $(LDLIBS)
$(POST_PROCESS)
in.tftpd: $(TFTPDOBJS)
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.rlogind.c b/usr/src/cmd/cmd-inet/usr.sbin/in.rlogind.c
index 3a899aeb5c..03b89e20ca 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.rlogind.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.rlogind.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -69,6 +69,7 @@
#include <sys/cryptmod.h>
#include <bsm/adt.h>
#include <addr_match.h>
+#include <store_forw_creds.h>
#define KRB5_RECVAUTH_V5 5
#define UT_NAMESIZE sizeof (((struct utmpx *)0)->ut_name)
@@ -605,14 +606,29 @@ recvauth(int f,
&inbuf)))
fatal(f, "Error reading krb5 message");
- if ((inbuf.length) && /* Forwarding being done, read creds */
- (status = rd_and_store_for_creds(krb_context, auth_context,
- &inbuf, *ticket, lusername,
- &ccache))) {
- if (rcache)
- (void) krb5_rc_close(krb_context, rcache);
- fatal(f, "Can't get forwarded credentials");
+ if (inbuf.length) { /* Forwarding being done, read creds */
+ krb5_creds **creds = NULL;
+
+ if (status = krb5_rd_cred(krb_context, auth_context, &inbuf,
+ &creds, NULL)) {
+ if (rcache)
+ (void) krb5_rc_close(krb_context, rcache);
+ krb5_free_creds(krb_context, *creds);
+ fatal(f, "Can't get forwarded credentials");
+ }
+
+ /* Store the forwarded creds in the ccache */
+ if (status = store_forw_creds(krb_context,
+ creds, *ticket, lusername,
+ &ccache)) {
+ if (rcache)
+ (void) krb5_rc_close(krb_context, rcache);
+ krb5_free_creds(krb_context, *creds);
+ fatal(f, "Can't store forwarded credentials");
+ }
+ krb5_free_creds(krb_context, *creds);
}
+
if (rcache)
(void) krb5_rc_close(krb_context, rcache);
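Review bot: On the `krb5_rd_cred` failure path the new code calls `krb5_free_creds(krb_context, *creds)` while `creds` is, at least on krb5_rd_cred's early failure returns, still the NULL it was initialised to, so the daemon dereferences NULL before it reaches `fatal()` and the "Can't get forwarded credentials" diagnostic is never written; drop that call on this path, or guard it with `if (creds != NULL)`. Separately, `krb5_rd_cred` returns a NULL-terminated array and `krb5_free_creds(krb_context, *creds)` releases only its first element, leaking the array and any further entries on all three paths here and at the matching `krb5_free_creds(bsd_context, *creds)` in the in.rshd.c hunk; `krb5_free_tgt_creds(krb_context, creds)` frees the whole array. recvauth's body continues outside the hunk.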
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c b/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c
index 35e71f42b9..aaae8d370d 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.rshd.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -84,6 +84,7 @@
#include <kcmd.h>
#include <addr_match.h>
+#include <store_forw_creds.h>
#ifndef NCARGS
#define NCARGS 5120
@@ -1630,16 +1631,28 @@ error_cleanup:
}
if (inbuf.length) {
+ krb5_creds **creds = NULL;
+
/* Forwarding being done, read creds */
- if ((status = rd_and_store_for_creds(bsd_context,
- auth_context, &inbuf, ticket, locuser,
- &ccache))) {
+ if ((status = krb5_rd_cred(bsd_context,
+ auth_context, &inbuf, &creds,
+ NULL))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
}
+ /* Store the forwarded creds in the ccache */
+ if ((status = store_forw_creds(bsd_context,
+ creds, ticket, locuser,
+ &ccache))) {
+ error("Can't store forwarded credentials: %s\n",
+ error_message(status));
+ exit(1);
+ }
+ krb5_free_creds(bsd_context, *creds);
}
+
krb5_free_ticket(bsd_context, ticket);
return (0);
}
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c b/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
index abab7ec700..afffb546cd 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
@@ -20,7 +20,7 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -156,10 +156,12 @@ static char subbuffer[4096], *subpointer = subbuffer, *subend = subbuffer;
#define SB_EOF() (subpointer >= subend)
#define SB_LEN() (subend - subpointer)
-#define MAXCCACHENAMELEN 36
#define MAXERRSTRLEN 1024
#define MAXPRINCLEN 256
+extern uint_t kwarn_add_warning(char *, int);
+extern uint_t kwarn_del_warning(char *);
+
static boolean_t auth_debug = 0;
static boolean_t negotiate_auth_krb5 = 1;
static boolean_t auth_negotiated = 0;
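Review bot: The two `extern uint_t kwarn_add_warning(char *, int);` / `extern uint_t kwarn_del_warning(char *);` prototypes are hand-copied here and again in the store_forw_creds.c and store_cred.c hunks, while the definitions in kwarnd_clnt_stubs.c are spelled `OM_UINT32 kwarn_add_warning(WARNING_NAME_T, int)`; nothing checks that the two spellings describe the same types. A small header owned by cmd/krb5/kwarn declaring the two functions, included by the stubs file and by each caller, would let the compiler catch any drift between declaration and definition.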
@@ -465,8 +467,9 @@ rd_and_store_forwarded_creds(krb5_context context,
{
krb5_creds **creds;
krb5_error_code retval;
- char ccname[MAXCCACHENAMELEN];
+ char ccname[MAXPATHLEN];
krb5_ccache ccache = NULL;
+ char *client_name = NULL;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return (retval);
@@ -487,6 +490,23 @@ rd_and_store_forwarded_creds(krb5_context context,
if ((retval = krb5_cc_close(context, ccache)) != 0)
goto cleanup;
+ /* Register with ktkt_warnd(1M) */
+ if ((retval = krb5_unparse_name(context, (*creds)->client,
+ &client_name)) != 0)
+ goto cleanup;
+ (void) kwarn_del_warning(client_name);
+ if (kwarn_add_warning(client_name, (*creds)->times.endtime) != 0) {
+ syslog(LOG_AUTH|LOG_NOTICE,
+ "rd_and_store_forwarded_creds: kwarn_add_warning"
+ " failed: ktkt_warnd(1M) down? ");
+ if (auth_debug)
+ (void) fprintf(stderr,
+ "kwarn_add_warning failed:"
+ " ktkt_warnd(1M) down?\n");
+ }
+ free(client_name);
+ client_name = NULL;
+
if (username != NULL) {
/*
* This verifies that the user is valid on the local system,
diff --git a/usr/src/cmd/krb5/kwarn/kwarnd_clnt_stubs.c b/usr/src/cmd/krb5/kwarn/kwarnd_clnt_stubs.c
index 207654b59e..434d1fe813 100644
--- a/usr/src/cmd/krb5/kwarn/kwarnd_clnt_stubs.c
+++ b/usr/src/cmd/krb5/kwarn/kwarnd_clnt_stubs.c
@@ -1,6 +1,27 @@
/*
- * Copyright (c) 1998,1999, by Sun Microsystems, Inc.
- * All rights reserved.
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -22,9 +43,9 @@
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/uio.h>
+#include <syslog.h>
CLIENT *clnt, *getkwarnd_handle(void);
-char *server = "localhost";
OM_UINT32
kwarn_add_warning(WARNING_NAME_T warning_name, int cred_exp_time)
@@ -38,7 +59,12 @@ kwarn_add_warning(WARNING_NAME_T warning_name, int cred_exp_time)
/* get the client handle to kwarnd */
if ((clnt = getkwarnd_handle()) == NULL) {
- clnt_pcreateerror(server);
+ /*
+ * Let app output if an error occurs but we'll syslog to
+ * DEBUG to get error details if needed.
+ */
+ syslog(LOG_DEBUG, "%s",
+ clnt_spcreateerror("getkwarnd_handle"));
return (1);
}
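Review bot: The replacement error path is identical in this hunk and in the kwarn_del_warning hunk below it: the same four-line comment and the same `syslog(LOG_DEBUG, "%s", clnt_spcreateerror("getkwarnd_handle"));`; a `static void log_handle_error(void)` helper would keep the two from drifting. `clnt_spcreateerror` returns a pointer into library-owned storage; whether that buffer is per-thread on this platform I cannot tell from here, and since this file is now also built into libmech_krb5 (see the Makefile.com hunk) it is worth confirming before relying on it from multithreaded callers. The file-scope `CLIENT *clnt` shared by both functions raises the same question in a library context. kwarn_add_warning's body continues outside the hunk.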
@@ -70,7 +96,12 @@ kwarn_del_warning(WARNING_NAME_T warning_name)
/* get the client GSSD handle */
if ((clnt = getkwarnd_handle()) == NULL) {
- clnt_pcreateerror(server);
+ /*
+ * Let app output if an error occurs but we'll syslog to
+ * DEBUG to get error details if needed.
+ */
+ syslog(LOG_DEBUG, "%s",
+ clnt_spcreateerror("getkwarnd_handle"));
return (1);
}
diff --git a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
index 83bd77fed2..29ab0eda14 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
+++ b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
@@ -193,9 +193,12 @@ PROFILE_OBJS= prof_tree.o prof_file.o prof_parse.o prof_init.o \
SUPPORT_OBJS= fake-addrinfo.o threads.o errors.o plugins.o
+KWARN_OBJS= kwarnd_clnt_stubs.o kwarnd_clnt.o kwarnd_handle.o kwarnd_xdr.o
+
OBJECTS= \
$(MECH) $(MECH_UTS) $(GSSAPI_UTS)\
$(SUPPORT_OBJS) \
+ $(KWARN_OBJS) \
$(PROFILE_OBJS) \
$(CRYPTO) $(CRYPTO_UTS) \
$(CRYPTO_CRC32) \
@@ -535,6 +538,29 @@ SOURCES= \
$(PROFILE_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/profile/%.c) \
$(SUPPORT_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/support/%.c)
+kwarnd.h: $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -h $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+
+kwarnd_xdr.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -c $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+
+kwarnd_clnt.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd.x
+ $(RM) $@
+ $(RPCGEN) -M -l $(SRC)/cmd/krb5/kwarn/kwarnd.x | \
+ $(SED) -e 's!$(SRC)/cmd/krb5/kwarn/kwarnd.h!kwarnd.h!' > $@
+
+kwarnd_clnt_stubs.c: kwarnd.h $(SRC)/cmd/krb5/kwarn/kwarnd_clnt_stubs.c
+ $(RM) $@
+ $(CP) $(SRC)/cmd/krb5/kwarn/kwarnd_clnt_stubs.c $@
+
+kwarnd_handle.c: $(SRC)/cmd/krb5/kwarn/kwarnd_handle.c
+ $(RM) $@
+ $(CP) $(SRC)/cmd/krb5/kwarn/kwarnd_handle.c $@
+
# So lint.out won't be needlessly recreated
lint: $(LINTOUT)
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c
index 35c7c1838a..17302a9d38 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -83,7 +83,8 @@ etc.
fcc_nseq.c and fcc_read don't check return values a lot.
*/
#include "k5-int.h"
-#include <syslog.h> /* SUNW */
+#include <syslog.h> /* Solaris Kerberos */
+#include <ctype.h>
#define NEED_SOCKETS /* Only for ntohs, etc. */
#define NEED_LOWLEVEL_IO
@@ -248,7 +249,7 @@ static krb5_error_code krb5_fcc_open_file
#define FCC_OPEN_AND_ERASE 1
#define FCC_OPEN_RDWR 2
#define FCC_OPEN_RDONLY 3
-#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* SUNW */
+#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* Solaris Kerberos */
/* Credential file header tags.
* The header tags are constructed as:
@@ -1215,7 +1216,7 @@ krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
*ret_fd = -1;
/*
- * SUNW
+ * Solaris Kerberos
* If we are opening in NOUNLINK mode, we have to check that the
* existing file, if any, is not a symlink. If it is, we try to
* delete and re-create it.
@@ -1267,14 +1268,14 @@ krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
return (-1);
/*
- * SUNW
+ * Solaris Kerberos
* If the file was not created now with a O_CREAT | O_EXCL open,
* we have opened an existing file. We should check if the file
* owner is us, if not, unlink and retry. If unlink fails we log
* the error and return.
*/
if (!newfile) {
- if (fstat(fd, &fres) == -1) {
+ if (fstat(fd, &fres) == -1) {
syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
close(fd);
return (-1);
@@ -1288,29 +1289,42 @@ krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new)
/*
* Solaris Kerberos
- * Use krb5_getuid to select the mechanism to obtain the uid.
+ * Check if the cc filename uid matches owner of file.
+ * Expects cc file to be in the form of /tmp/krb5cc_<uid>,
+ * else skip this check.
*/
- uid = krb5_getuid();
- euid = geteuid();
- /*
- * Some apps (gssd, via a priv version of getuid())
- * "set" the real uid only, others
- * (telnetd/login/pam_krb5, etc) set effective uid only.
- */
- if (fres.st_uid != uid && fres.st_uid != euid) {
- close(fd);
- syslog(LOG_WARNING,
- "%s owned by %d instead of %d (euid=%d, uid=%d)",
- filename, fres.st_uid, euid, euid, uid);
- syslog(LOG_WARNING, "trying to unlink %s", filename);
- if (unlink(filename) != 0) {
- syslog(LOG_ERR, "could not unlink %s [%m]", filename);
- return (-1);
- }
- return (0);
+ if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) {
+ uid_t fname_uid;
+ char *uidstr = strchr(filename, '_');
+ char *s = NULL;
+
+ /* make sure we have some non-null char after '_' */
+ if (!*++uidstr)
+ goto out;
+
+ /* make sure the uid part is all digits */
+ for (s = uidstr; *s; s++)
+ if (!isdigit(*s))
+ goto out;
+
+ fname_uid = (uid_t) atoi(uidstr);
+ if (fname_uid != fres.st_uid) {
+ close(fd);
+ syslog(LOG_WARNING,
+ "%s owned by %d instead of %d",
+ filename, fres.st_uid, fname_uid);
+ syslog(LOG_WARNING, "trying to unlink %s", filename);
+ if (unlink(filename) != 0) {
+ syslog(LOG_ERR,
+ "could not unlink %s [%m]", filename);
+ return (-1);
+ }
+ return (0);
+ }
}
}
+out:
*new = newfile;
*ret_fd = fd;
return (0);
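Review bot: `fname_uid = (uid_t) atoi(uidstr);` has no overflow detection, so an over-long all-digit suffix is undefined behaviour (and on common implementations wraps), letting the uid derived from the name disagree with what the string says; since this value decides whether an existing cache file is kept or unlinked, parse it with `strtoul` and skip the check on `ERANGE` or on a value that does not survive the narrowing to `uid_t` (`errno` is already relied on via `%m`, so `<errno.h>` is presumably available through k5-int.h, but confirm). `isdigit(*s)` should be given `(unsigned char)*s`, since plain `char` may be negative and that is undefined for the ctype functions. Note also that the rewritten check ties file ownership only to the uid encoded in the name and no longer to the calling process's uid/euid, and that names outside the `/tmp/krb5cc_<uid>` form skip the ownership check entirely; that looks intentional for 6516568 but deserves a comment saying so, since a reader will otherwise take it for a regression. If the `uid`/`euid` locals declared above the hunk were not removed along with their assignments, they are now unused. krb5_fcc_open_nounlink's body continues outside the hunk.
```c
	if (strncmp(filename, "/tmp/krb5cc_", strlen("/tmp/krb5cc_")) == 0) {
		uid_t fname_uid;
		unsigned long fname_ul;
		char *uidstr = strchr(filename, '_');
		char *s = NULL;

		/* … unchanged: non-empty check after '_' … */

		/* make sure the uid part is all digits */
		for (s = uidstr; *s; s++)
			if (!isdigit((unsigned char)*s))
				goto out;

		errno = 0;
		fname_ul = strtoul(uidstr, &s, 10);
		/* skip the check on overflow or on a value that does not fit uid_t */
		if (errno == ERANGE || *s != '\0' ||
		    (unsigned long)(uid_t)fname_ul != fname_ul)
			goto out;
		fname_uid = (uid_t)fname_ul;
		if (fname_uid != fres.st_uid) {
			/* … unchanged: close, syslog, unlink-and-retry on owner mismatch … */
```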
@@ -1361,7 +1375,7 @@ krb5_fcc_open_file (krb5_context context, krb5_ccache id, int mode)
fcc_retry:
/*
- * SUNW
+ * Solaris Kerberos
* If we are opening in NOUNLINK mode, check whether we are opening a
* symlink or a file owned by some other user and take preventive action.
*/
@@ -1387,7 +1401,7 @@ fcc_retry:
if ((retval = krb5_lock_file(context, f, lock_flag))) {
(void) close(f);
if (retval == EAGAIN && retries++ < LOCK_RETRIES) {
- /* SUNW wait some time before retrying */
+ /* Solaris Kerberos wait some time before retrying */
if (poll(NULL, 0, WAIT_LENGTH) == 0)
goto fcc_retry;
}
@@ -1399,7 +1413,7 @@ fcc_retry:
int cnt;
/*
- * SUNW
+ * Solaris Kerberos
* If this file was not created, we have to flush existing data.
* This will happen only if we are doing an ERASE_NOUNLINK open.
*/
@@ -1590,7 +1604,7 @@ krb5_fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
if (kret)
return kret;
- MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK); /* SUNW */
+ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK); /* Solaris Kerberos */
/*
* SUN14resync
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c
index dc2c955f8c..d744d9a7cc 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c
+++ b/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c
@@ -1,5 +1,26 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -9,6 +30,10 @@
#include <gssapiP_krb5.h>
#include <memory.h>
#include <assert.h>
+#include <syslog.h>
+
+extern uint_t kwarn_add_warning(char *, int);
+extern uint_t kwarn_del_warning(char *);
static
OM_uint32
@@ -108,6 +133,7 @@ gss_cred_usage_t *cred_usage_stored;
OM_uint32 cur_time_rec; /* lifetime of current cred */
gss_cred_usage_t in_usage; /* usage of input cred */
gss_name_t in_name = GSS_C_NO_NAME; /* name of input cred */
+ char *client_name = NULL;
if (input_cred == GSS_C_NO_CREDENTIAL)
return (GSS_S_CALL_INACCESSIBLE_READ);
@@ -205,6 +231,19 @@ gss_cred_usage_t *cred_usage_stored;
if (GSS_ERROR(maj))
goto cleanup;
+ /* Alert ktkt_warnd(1M) */
+ maj = krb5_unparse_name(ctx, cred->princ, &client_name);
+ if (GSS_ERROR(maj))
+ goto cleanup;
+ (void) kwarn_del_warning(client_name);
+ if (kwarn_add_warning(client_name, cred->tgt_expire) != 0) {
+ syslog(LOG_AUTH|LOG_NOTICE,
+ "store_cred: kwarn_add_warning"
+ " failed: ktkt_warnd(1M) down? ");
+ }
+ free(client_name);
+ client_name = NULL;
+
/* Output parameters */
if (cred_usage_stored != NULL)
*cred_usage_stored = GSS_C_INITIATE;
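Review bot: `maj = krb5_unparse_name(ctx, cred->princ, &client_name);` stores a krb5_error_code in the GSS major-status variable and then tests it with `GSS_ERROR(maj)`, which only inspects the GSS calling/routine-error bits; a small krb5 or errno-style failure code is not detected at all, and one that is detected is returned to the caller as a bogus major status. Keep the result in a `krb5_error_code`, and on failure set the function's minor-status out-parameter (its signature is outside the hunk) to that code, `maj = GSS_S_FAILURE`, then `goto cleanup`. As in the store_forw_creds.c hunk, `free(client_name)` should be `krb5_free_unparsed_name(ctx, client_name)`. Note also that an unparse failure now fails a store that has already completed just above; if ktkt_warnd registration is best-effort, as the syslog-only handling of `kwarn_add_warning` suggests, the unparse failure could be logged the same way rather than returned.
```c
	krb5_error_code code;
	/* … unchanged: everything up to the successful store … */

	/* Alert ktkt_warnd(1M) */
	code = krb5_unparse_name(ctx, cred->princ, &client_name);
	if (code != 0) {
		*MINOR_STATUS_OUT_PARAM = code;	/* placeholder: this function's minor-status out-parameter */
		maj = GSS_S_FAILURE;
		goto cleanup;
	}
	/* … unchanged: kwarn_del_warning / kwarn_add_warning / syslog … */
	krb5_free_unparsed_name(ctx, client_name);
	client_name = NULL;
```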