| author | willf <none@none> | 2007-08-29 16:06:42 -0700 |
|---|---|---|
| committer | willf <none@none> | 2007-08-29 16:06:42 -0700 |
| commit | 54925bf60766fbb4f1f2d7c843721406a7b7a3fb (patch) | |
| tree | ee22fbe4768e28513d3c72b6c1321733dd58db0e /usr/src/uts/common/gssapi | |
| parent | c6f42f0e2681fa79ade12e054c64f3fc74e9e401 (diff) | |
| download | illumos-joyent-54925bf60766fbb4f1f2d7c843721406a7b7a3fb.tar.gz | |
PSARC/2006/277 Support for Kerberos Records in LDAP Directory
6399903 Support for Kerberos Records in LDAP Directory
6520554 MIT bug #5427 with krb5_kt_get_name()
6597851 dmake lint in usr/src/lib/gss_mechs/mech_krb5 broken
--HG--
rename : usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb_dbm.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb_dbm.h
rename : usr/src/lib/krb5/kadm5/srv/adb_free.c => deleted_files/usr/src/lib/krb5/kadm5/srv/adb_free.c
rename : usr/src/lib/krb5/kdb/fetch_mkey.c => deleted_files/usr/src/lib/krb5/kdb/fetch_mkey.c
rename : usr/src/lib/krb5/kdb/kdb_dbm.c => deleted_files/usr/src/lib/krb5/kdb/kdb_dbm.c
rename : usr/src/lib/krb5/kdb/kdb_hdr.h => deleted_files/usr/src/lib/krb5/kdb/kdb_hdr.h
rename : usr/src/lib/krb5/kdb/setup_mkey.c => deleted_files/usr/src/lib/krb5/kdb/setup_mkey.c
rename : usr/src/lib/krb5/kdb/store_mkey.c => deleted_files/usr/src/lib/krb5/kdb/store_mkey.c
rename : usr/src/lib/krb5/kdb/verify_mky.c => deleted_files/usr/src/lib/krb5/kdb/verify_mky.c
rename : usr/src/lib/krb5/kdb/kdb_kt.h => usr/src/lib/gss_mechs/mech_krb5/include/kdb_kt.h
rename : usr/src/lib/krb5/kadm5/adb_err.h => usr/src/lib/krb5/kdb/adb_err.h
rename : usr/src/lib/krb5/kadm5/srv/adb_openclose.c => usr/src/lib/krb5/plugins/kdb/db2/adb_openclose.c
rename : usr/src/lib/krb5/kadm5/srv/adb_policy.c => usr/src/lib/krb5/plugins/kdb/db2/adb_policy.c
rename : usr/src/lib/krb5/kdb/kdb_compat.h => usr/src/lib/krb5/plugins/kdb/db2/kdb_compat.h
rename : usr/src/lib/krb5/kdb/kdb_db2.c => usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.c
rename : usr/src/lib/krb5/kdb/kdb_db2.h => usr/src/lib/krb5/plugins/kdb/db2/kdb_db2.h
rename : usr/src/lib/krb5/kdb/kdb_xdr.c => usr/src/lib/krb5/plugins/kdb/db2/kdb_xdr.c
rename : usr/src/lib/krb5/db2/Makefile => usr/src/lib/krb5/plugins/kdb/db2/libdb2/Makefile
rename : usr/src/lib/krb5/db2/Makefile.com => usr/src/lib/krb5/plugins/kdb/db2/libdb2/Makefile.com
rename : usr/src/lib/krb5/db2/README.db2 => usr/src/lib/krb5/plugins/kdb/db2/libdb2/README.db2
rename : usr/src/lib/krb5/db2/btree/bt_close.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_close.c
rename : usr/src/lib/krb5/db2/btree/bt_conv.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_conv.c
rename : usr/src/lib/krb5/db2/btree/bt_debug.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_debug.c
rename : usr/src/lib/krb5/db2/btree/bt_delete.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_delete.c
rename : usr/src/lib/krb5/db2/btree/bt_get.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_get.c
rename : usr/src/lib/krb5/db2/btree/bt_open.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_open.c
rename : usr/src/lib/krb5/db2/btree/bt_overflow.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_overflow.c
rename : usr/src/lib/krb5/db2/btree/bt_page.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_page.c
rename : usr/src/lib/krb5/db2/btree/bt_put.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_put.c
rename : usr/src/lib/krb5/db2/btree/bt_search.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_search.c
rename : usr/src/lib/krb5/db2/btree/bt_seq.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_seq.c
rename : usr/src/lib/krb5/db2/btree/bt_split.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_split.c
rename : usr/src/lib/krb5/db2/btree/bt_utils.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/bt_utils.c
rename : usr/src/lib/krb5/db2/btree/btree.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/btree.h
rename : usr/src/lib/krb5/db2/btree/extern.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/btree/extern.h
rename : usr/src/lib/krb5/db2/db/db.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/db/db.c
rename : usr/src/lib/krb5/db2/hash/dbm.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/dbm.c
rename : usr/src/lib/krb5/db2/hash/extern.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/extern.h
rename : usr/src/lib/krb5/db2/hash/hash.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash.c
rename : usr/src/lib/krb5/db2/hash/hash.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash.h
rename : usr/src/lib/krb5/db2/hash/hash_bigkey.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash_bigkey.c
rename : usr/src/lib/krb5/db2/hash/hash_func.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash_func.c
rename : usr/src/lib/krb5/db2/hash/hash_log2.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash_log2.c
rename : usr/src/lib/krb5/db2/hash/hash_page.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hash_page.c
rename : usr/src/lib/krb5/db2/hash/hsearch.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/hsearch.c
rename : usr/src/lib/krb5/db2/hash/page.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/page.h
rename : usr/src/lib/krb5/db2/hash/search.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/hash/search.h
rename : usr/src/lib/krb5/db2/i386/Makefile => usr/src/lib/krb5/plugins/kdb/db2/libdb2/i386/Makefile
rename : usr/src/lib/krb5/db2/include/db-int.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/include/db-int.h
rename : usr/src/lib/krb5/db2/include/db-ndbm.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/include/db-ndbm.h
rename : usr/src/lib/krb5/db2/include/db-queue.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/include/db-queue.h
rename : usr/src/lib/krb5/db2/mapfile-vers => usr/src/lib/krb5/plugins/kdb/db2/libdb2/mapfile-vers
rename : usr/src/lib/krb5/db2/mpool/mpool.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/mpool/mpool.c
rename : usr/src/lib/krb5/db2/mpool/mpool.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/mpool/mpool.h
rename : usr/src/lib/krb5/db2/recno/extern.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/extern.h
rename : usr/src/lib/krb5/db2/recno/rec_close.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_close.c
rename : usr/src/lib/krb5/db2/recno/rec_delete.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_delete.c
rename : usr/src/lib/krb5/db2/recno/rec_get.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_get.c
rename : usr/src/lib/krb5/db2/recno/rec_open.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_open.c
rename : usr/src/lib/krb5/db2/recno/rec_put.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_put.c
rename : usr/src/lib/krb5/db2/recno/rec_search.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_search.c
rename : usr/src/lib/krb5/db2/recno/rec_seq.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_seq.c
rename : usr/src/lib/krb5/db2/recno/rec_utils.c => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/rec_utils.c
rename : usr/src/lib/krb5/db2/recno/recno.h => usr/src/lib/krb5/plugins/kdb/db2/libdb2/recno/recno.h
rename : usr/src/lib/krb5/db2/sparc/Makefile => usr/src/lib/krb5/plugins/kdb/db2/libdb2/sparc/Makefile
Diffstat (limited to 'usr/src/uts/common/gssapi')
5 files changed, 163 insertions, 24 deletions
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h index 970c5a2ac6..e4db471239 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h @@ -649,7 +649,6 @@ krb5_error_code krb5_sync_disk_file krb5_error_code krb5_open_pkcs11_session(CK_SESSION_HANDLE *); -#endif krb5_error_code krb5_read_message @@ -658,7 +657,14 @@ krb5_error_code krb5_read_message krb5_error_code krb5_write_message (krb5_context, krb5_pointer, krb5_data *); +krb5_error_code +krb5int_sendto (krb5_context context, const krb5_data *message, + const struct addrlist *addrs, krb5_data *reply, + struct sockaddr_storage *localaddr, socklen_t *localaddrlen, + int *addr_used); + krb5_error_code krb5int_get_fq_local_hostname (char *, size_t); +#endif /* * Solaris Kerberos @@ -672,8 +678,10 @@ krb5_error_code krb5int_domain_get_realm(krb5_context, const char *, krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *, char **); +krb5_error_code krb5int_init_context_kdc(krb5_context *); + krb5_error_code krb5_os_init_context - (krb5_context); + (krb5_context, krb5_boolean); void krb5_os_free_context (krb5_context); @@ -946,6 +954,11 @@ extern const struct krb5_hash_provider krb5int_hash_md5; krb5_error_code krb5_crypto_us_timeofday (krb5_int32 *, krb5_int32 *); +#ifndef _KERNEL +/* Solaris kerberos: for convenience */ +time_t gmt_mktime (struct tm *); +#endif /* ! _KERNEL */ + /* #endif KRB5_OLD_CRYPTO */ /* this helper fct is in libkrb5, but it makes sense declared here. */ @@ -960,12 +973,6 @@ krb5_error_code krb5_encrypt_helper */ /* - * Include the KDB definitions. - */ -#ifndef _KERNEL -#include <krb5/kdb.h> -#endif /* !_KERNEL */ -/* * Begin "libos.h" */ #ifndef KRB5_LIBOS__ 
@@ -1195,6 +1202,7 @@ void KRB5_CALLCONV krb5_free_pa_enc_ts /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ #ifndef _KERNEL #include "com_err.h" +#include <krb5/k5-plugin.h> #endif /* _KERNEL */ /* @@ -1291,6 +1299,9 @@ struct _krb5_context { /* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */ arcfour_ctx_rec arcfour_ctx; + + /* error detail info */ + struct errinfo err; #else /* ! KERNEL */ crypto_mech_type_t kef_cipher_mt; crypto_mech_type_t kef_hash_mt; @@ -1790,6 +1801,18 @@ krb5_error_code decode_krb5_enc_sam_response_enc_2 krb5_error_code decode_krb5_sam_response_2 (const krb5_data *, krb5_sam_response_2 **); +struct _krb5_key_data; /* kdb.h */ +krb5_error_code +krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data, + krb5_int16 n_key_data, + krb5_int32 mkvno, + krb5_data **code); + +krb5_error_code +krb5int_ldap_decode_sequence_of_keys (krb5_data *in, + struct _krb5_key_data **out, + krb5_int16 *n_key_data, + int *mkvno); /************************************************************************* * End of prototypes for krb5_decode.c @@ -2016,7 +2039,7 @@ typedef struct _krb5int_access { /* crypto stuff */ const struct krb5_hash_provider *md5_hash_provider; const struct krb5_enc_provider *arcfour_enc_provider; - krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash, + krb5_error_code (* krb5_hmac) (krb5_context context, const struct krb5_hash_provider *hash, const krb5_keyblock *key, unsigned int icount, const krb5_data *input, krb5_data *output); @@ -2028,7 +2051,7 @@ typedef struct _krb5int_access { int, int, int, int); krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg, const struct addrlist *, krb5_data *reply, - struct sockaddr *, socklen_t *, int *); + struct sockaddr_storage *, socklen_t *, int *); krb5_error_code (*add_host_to_list)(struct addrlist *lp, const char *hostname, int port, int secport, 
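Review bot: In the prototypes added after decode_krb5_sam_response_2, the master key version is `krb5_int32 mkvno` for krb5int_ldap_encode_sequence_of_keys but `int *mkvno` for krb5int_ldap_decode_sequence_of_keys, so the value does not round-trip through one type; `krb5_int32 *mkvno` on the decoder would match. The same pair is repeated as the asn1_ldap_*_sequence_of_keys members added to krb5int_access in the @@ -2054,6 +2077,19 @@ hunk. The decoder also returns a `krb5_int16` count and an array built from data read out of the directory, and neither declaration says who frees `*out` or what happens when the encoded sequence holds more entries than the count can represent. A comment such as `/* On success *out is allocated by the callee and holds *n_key_data entries; the caller frees it. */` would pin that down, assuming that is the actual contract.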
@@ -2054,6 +2077,19 @@ typedef struct _krb5int_access { (krb5_int64, krb5_octet **, size_t *); krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64) (krb5_int64 *, krb5_octet **, size_t *); + + /* Used for KDB LDAP back end. */ + krb5_error_code + (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data, + krb5_int16 n_key_data, + krb5_int32 mkvno, + krb5_data **code); + + krb5_error_code + (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, + struct _krb5_key_data **out, + krb5_int16 *n_key_data, + int *mkvno); } krb5int_access; #define KRB5INT_ACCESS_VERSION \ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h index 683934ae71..a348883b15 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h @@ -1,12 +1,12 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ /* * include/k5-thread.h * - * Copyright 2004 by the Massachusetts Institute of Technology. + * Copyright 2004,2005,2006 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -41,6 +41,13 @@ #include "autoconf.h" #endif +#ifndef KRB5_CALLCONV +# define KRB5_CALLCONV +#endif +#ifndef KRB5_CALLCONV_C +# define KRB5_CALLCONV_C +#endif + /* Interface (tentative): Mutex support: @@ -161,7 +168,7 @@ #ifdef DEBUG_THREADS_LOC typedef struct { const char *filename; - short lineno; + int lineno; } k5_debug_loc; #define K5_DEBUG_LOC_INIT { __FILE__, __LINE__ } #if __GNUC__ >= 2 
@@ -206,8 +213,11 @@ typedef char k5_debug_loc; #ifdef HAVE_STDINT_H # include <stdint.h> #endif +/* for memset */ +#include <string.h> +/* for uint64_t */ #include <inttypes.h> -typedef uint64_t k5_debug_timediff_t; +typedef uint64_t k5_debug_timediff_t; /* or long double */ typedef struct timeval k5_debug_time_t; static inline k5_debug_timediff_t timediff(k5_debug_time_t t2, k5_debug_time_t t1) @@ -758,4 +768,25 @@ extern void *k5_getspecific(k5_key_t); extern int k5_setspecific(k5_key_t, void *); extern int k5_key_delete(k5_key_t); +extern int KRB5_CALLCONV krb5int_mutex_alloc (k5_mutex_t **); +extern void KRB5_CALLCONV krb5int_mutex_free (k5_mutex_t *); +extern int KRB5_CALLCONV krb5int_mutex_lock (k5_mutex_t *); +extern int KRB5_CALLCONV krb5int_mutex_unlock (k5_mutex_t *); + +/* In time, many of the definitions above should move into the support + library, and this file should be greatly simplified. For type + definitions, that'll take some work, since other data structures + incorporate mutexes directly, and our mutex type is dependent on + configuration options and system attributes. For most functions, + though, it should be relatively easy. + + For now, plugins should use the exported functions, and not the + above macros, and use krb5int_mutex_alloc for allocations. */ +#ifdef PLUGIN +#undef k5_mutex_lock +#define k5_mutex_lock krb5int_mutex_lock +#undef k5_mutex_unlock +#define k5_mutex_unlock krb5int_mutex_unlock +#endif + #endif /* multiple inclusion? */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h index 31255ca355..596acc2da3 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h 
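Review bot: The PLUGIN block at the end of k5-thread.h redirects only `k5_mutex_lock` and `k5_mutex_unlock`, while the comment above it says plugins should not use the macros defined earlier in the file at all. Any other k5_mutex_* macro a plugin uses would presumably still expand to the in-header implementation; those definitions are outside this hunk, so this is worth confirming. The four krb5int_mutex_* declarations also state no return convention; a line such as `/* Return 0 on success or an errno value; krb5int_mutex_free releases what krb5int_mutex_alloc returned. */` would help plugin authors, if that is the contract.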
@@ -2670,6 +2670,30 @@ typedef krb5_int32 krb5_prompt_type; krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types (krb5_context context); +/* Error reporting */ +void KRB5_CALLCONV_C +krb5_set_error_message (krb5_context, krb5_error_code, const char *, ...); +#ifdef va_start +void KRB5_CALLCONV +krb5_vset_error_message (krb5_context, krb5_error_code, const char *, va_list); +#endif +/* + * The behavior of krb5_get_error_message is only defined the first + * time it is called after a failed call to a krb5 function using the + * same context, and only when the error code passed in is the same as + * that returned by the krb5 function. Future versions may return the + * same string for the second and following calls. + * + * The string returned by this function must be freed using + * krb5_free_error_message. + */ +const char * KRB5_CALLCONV +krb5_get_error_message (krb5_context, krb5_error_code); +void KRB5_CALLCONV +krb5_free_error_message (krb5_context, const char *); +void KRB5_CALLCONV +krb5_clear_error_message (krb5_context); + #if TARGET_OS_MAC # pragma options align=reset #endif /* KRB5INT_END_DECLS */ @@ -2947,6 +2971,8 @@ krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types #endif /* _KERNEL */ #define KRB5_DELTAT_BADFORMAT (-1765328133L) +#define KRB5_PLUGIN_NO_HANDLE (-1765328132L) +#define KRB5_PLUGIN_OP_NOTSUPP (-1765328131L) #define ERROR_TABLE_BASE_krb5 (-1765328384L) 
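Review bot: `krb5_set_error_message` and `krb5_vset_error_message` take what looks like a printf-style format (`const char *, ...` and `const char *, va_list`) but are declared without a format attribute, so the compiler cannot warn when a caller passes a non-literal or mismatched format string. Where the build uses GCC, a guarded `__attribute__((__format__(__printf__, 3, 4)))` on the variadic prototype, and `3, 0` on the va_list one, would catch that at compile time. The `#ifdef va_start` guard also makes the `krb5_vset_error_message` prototype depend on whether <stdarg.h> was included before krb5.h. A comment saying so, e.g. `/* declared only if <stdarg.h> was included first */`, would save a caller from an implicit declaration.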
@@ -2992,6 +3018,13 @@ krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types #define KRB5_LOG_UNSTABLE (-1780008418L) #define KRB5_LOG_CORRUPT (-1780008417L) #define KRB5_LOG_ERROR (-1780008416L) +#define KRB5_KDB_DBTYPE_NOTFOUND (-1780008415L) +#define KRB5_KDB_DBTYPE_NOSUP (-1780008414L) +#define KRB5_KDB_DBTYPE_INIT (-1780008413L) +#define KRB5_KDB_SERVER_INTERNAL_ERR (-1780008412L) +#define KRB5_KDB_ACCESS_ERROR (-1780008411L) +#define KRB5_KDB_INTERNAL_ERROR (-1780008410L) +#define KRB5_KDB_CONSTRAINT_VIOLATION (-1780008409L) #define ERROR_TABLE_BASE_kdb5 (-1780008448L) /* for compatibility with older versions... */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c index f4f706e00d..baf7e5169a 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c @@ -101,23 +101,30 @@ extern krb5_error_code krb5_vercheck(); extern void krb5_win_ccdll_load(krb5_context context); #endif -static krb5_error_code init_common (krb5_context *, krb5_boolean); +static krb5_error_code init_common (krb5_context *, krb5_boolean, krb5_boolean); krb5_error_code KRB5_CALLCONV krb5_init_context(context) krb5_context *context; { - return init_common (context, FALSE); + return init_common (context, FALSE, FALSE); } krb5_error_code KRB5_CALLCONV krb5_init_secure_context(context) krb5_context *context; { - return init_common (context, TRUE); + return init_common (context, TRUE, FALSE); } #ifndef _KERNEL + +krb5_error_code +krb5int_init_context_kdc(krb5_context *context) +{ + return init_common (context, FALSE, TRUE); +} + krb5_error_code krb5_open_pkcs11_session(CK_SESSION_HANDLE *hSession) { 
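Review bot: In init_ctx.c the three `init_common` call sites now pass two adjacent positional `krb5_boolean` values (`FALSE, FALSE`, `TRUE, FALSE`, `FALSE, TRUE`), which are easy to transpose and hard to read at the call site. A short comment on each call, for example `return init_common (context, FALSE /* secure */, TRUE /* kdc */);`, would make the pairing explicit. `krb5int_init_context_kdc` also has no comment explaining how its context differs from the one `krb5_init_context` returns. From the init_os_ctx.c part of this commit it appears to prepend the KDC profile while leaving `secure` off, which is worth stating where the function is defined.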
@@ -340,7 +347,7 @@ krb5_free_ef_handle(krb5_context ctx) #endif /* !_KERNEL */ static krb5_error_code -init_common (krb5_context *context, krb5_boolean secure) +init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) { krb5_context ctx = 0; krb5_error_code retval; @@ -386,7 +393,7 @@ init_common (krb5_context *context, krb5_boolean secure) ctx->profile_secure = secure; - if ((retval = krb5_os_init_context(ctx))) + if ((retval = krb5_os_init_context(ctx, kdc))) goto cleanup; /* diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c index 1007b3b27e..d412ff85a9 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -302,12 +302,40 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) return 0; } +static krb5_error_code +add_kdc_config_file(profile_filespec_t **pfiles) +{ + char *file; + size_t count; + profile_filespec_t *newfiles; + + file = getenv(KDC_PROFILE_ENV); + if (file == NULL) + file = DEFAULT_KDC_PROFILE; + + for (count = 0; (*pfiles)[count]; count++) + ; + count += 2; + newfiles = malloc(count * sizeof(*newfiles)); + if (newfiles == NULL) + return errno; + memcpy(newfiles + 1, *pfiles, (count-1) * sizeof(*newfiles)); + newfiles[0] = strdup(file); + if (newfiles[0] == NULL) { + int e = errno; + free(newfiles); + return e; + } + free(*pfiles); + *pfiles = newfiles; + return 0; +} /* Set the profile paths in the context. If secure is set to TRUE then do not include user paths (from environment variables, etc.) */ static krb5_error_code -os_init_paths(krb5_context ctx) +os_init_paths(krb5_context ctx, krb5_boolean kdc) { krb5_error_code retval = 0; profile_filespec_t *files = 0; @@ -319,6 +347,9 @@ os_init_paths(krb5_context ctx) retval = os_get_default_config_files(&files, secure); + if (retval == 0 && kdc == TRUE) + retval = add_kdc_config_file(&files); + if (!retval) { retval = profile_init((const_profile_filespec_t *) files, &ctx->profile); @@ -353,8 +384,9 @@ os_init_paths(krb5_context ctx) } #endif /* !_KERNEL */ +/*ARGSUSED1*/ krb5_error_code -krb5_os_init_context(krb5_context ctx) +krb5_os_init_context(krb5_context ctx, krb5_boolean kdc) { krb5_os_context os_ctx; krb5_error_code retval = 0; @@ -370,7 +402,7 @@ krb5_os_init_context(krb5_context ctx) #ifndef _KERNEL krb5_cc_set_default_name(ctx, NULL); - retval = os_init_paths(ctx); + retval = os_init_paths(ctx, kdc); #endif /* * If there's an error in the profile, return an error. Just @@ -465,7 +497,7 @@ krb5_secure_config_files(krb5_context ctx) } ctx->profile_secure = TRUE; - retval = os_init_paths(ctx); + retval = os_init_paths(ctx, FALSE); if (retval) return retval; |
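Review bot: `add_kdc_config_file` reads `getenv(KDC_PROFILE_ENV)` unconditionally, although `os_init_paths` has `secure` in scope and the comment above it says secure contexts must not take paths from the environment. The only caller visible in this commit that sets `kdc` passes `secure` as FALSE, so this is not reachable today, but nothing in the helper enforces it. Both failure paths also return `errno`, which `malloc` and `strdup` are not guaranteed to set on every platform; a 0 there would report success without the KDC profile having been added. The excerpt below passes `secure` through and returns `ENOMEM` explicitly; the call in `os_init_paths` (hunk @@ -319,6 +347,9 @@) changes to match.

```c
static krb5_error_code
add_kdc_config_file(profile_filespec_t **pfiles, krb5_boolean secure)
{
    const char *file = NULL;
    size_t count;
    profile_filespec_t *newfiles;

    /* Honour the environment override only for non-secure contexts. */
    if (!secure)
        file = getenv(KDC_PROFILE_ENV);
    if (file == NULL)
        file = DEFAULT_KDC_PROFILE;

    /* ... unchanged: count the existing entries, count += 2 ... */
    newfiles = malloc(count * sizeof(*newfiles));
    if (newfiles == NULL)
        return ENOMEM;
    /* ... unchanged: memcpy of the old list behind slot 0 ... */
    newfiles[0] = strdup(file);
    if (newfiles[0] == NULL) {
        free(newfiles);
        return ENOMEM;
    }
    /* ... unchanged: free the old list and publish newfiles ... */

/* in os_init_paths: */
    if (retval == 0 && kdc == TRUE)
        retval = add_kdc_config_file(&files, secure);
```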
