Enhancement Advisory: krb5 bug fix and enhancement update

Advisory: RHEA-2007:0893-17
Type: Product Enhancement Advisory
Severity: N/A
Issued on: 2007-11-07
Last updated on: 2007-11-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL: N/A

Details

Updated krb5 packages that fix various bugs and add enhancements are now
available.

Kerberos is a trusted-third-party authentication system which allows
clients and servers to authenticate to each other using symmetric-key
encryption.

These updated packages fix the following bugs:

* tools that created files applied an incorrect SELinux label to those
files. In certain situations the ktadd command failed with a "kadmin:
Insufficient access to lock database while changing" error, and the kadmin
service could not be started using the "service kadmin start" command. In
these updated packages the correct SELinux labels are applied.

* the path to the dictionary file in the default KDC configuration was
incorrect. In a default configuration, the dictionary was not found.
In these updated packages the path to the dictionary file is correctly set.

* a library function returned "NULL" instead of "OID". Microsoft Windows
clients running Internet Explorer or Mozilla Firefox failed to authenticate
against Apache mod_auth_kerb. The following error occurred:

gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information (Cannot allocate memory)

This issue is resolved in these updated packages.

* users with home directories on NFS servers using root squashing would
receive a false error report, indicating that the user has no home
directory. The user could still access their home directory when this error
occurred. The false error message is no longer issued.

* the behavior of the "srvtab" keytab type was not consistent with the
"file" keytab type. Scanning keytabs and srvtabs that did not exist using
the "klist -k -t FILE:/tmp/does-not-exist" and "klist -k -t
SRVTAB:/tmp/does-not-exist" commands reported inconsistent errors. The
behavior of the "srvtab" keytab type is more consistent with the "file"
keytab type in these updated packages.

These updated packages also add the following enhancements:

* the Kerberos-aware rsh, rlogin, ftp, and telnet servers now use PAM to
perform session management. This allows process limits to be set using the
pam_limits.so module.

* services can now use keys with a version number of "0". This improves
compatibility with Microsoft Windows Server 2003 Domain Controllers.

* in these updated packages the KDC listens for TCP connections by default.

All krb5 users are advised to upgrade to these updated packages, which
resolve these issues and add these enhancements.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages. To do so, run the following command (as root):

pup

Alternatively, for a command-line interface, run the following command:

yum update

To register your system to RHN, use the following command:

rhn_register

For information on how to manually install or remove packages, refer to the
following link:

http://kbase.redhat.com/faq/FAQ_80_11223.shtm

Updated packages

RHEL Desktop Workstation (v. 5 client)

IA-32:
krb5-devel-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    c0d22184752b87d03ee43f6dae8f085a
krb5-server-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    9d6f9fd6b3983541561e96982deb3909
 
x86_64:
krb5-devel-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    c0d22184752b87d03ee43f6dae8f085a
krb5-devel-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    6d5d1b954632401503d72c06576b9f38
krb5-server-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    697a97d9db2006c4e5f77116b7277a68
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
krb5-1.6.1-17.el5.src.rpm
File outdated by:  RHBA-2008:0902
    e65d809f39d6deade08f4f04357284f5
 
IA-32:
krb5-devel-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    c0d22184752b87d03ee43f6dae8f085a
krb5-libs-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f3af79bfd186a00bfa17d37d86591060
krb5-server-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    9d6f9fd6b3983541561e96982deb3909
krb5-workstation-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f96d697705db591d07f0f9c83be454d7
 
IA-64:
krb5-devel-1.6.1-17.el5.ia64.rpm
File outdated by:  RHBA-2008:0902
    ce301309bea2e4098023721bf8e4befd
krb5-libs-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f3af79bfd186a00bfa17d37d86591060
krb5-libs-1.6.1-17.el5.ia64.rpm
File outdated by:  RHBA-2008:0902
    7c789ca05f9c92dc59285ead30b739ed
krb5-server-1.6.1-17.el5.ia64.rpm
File outdated by:  RHBA-2008:0902
    e46ac2728d0c3437ac225c24e90d9080
krb5-workstation-1.6.1-17.el5.ia64.rpm
File outdated by:  RHBA-2008:0902
    5537e106dbfdc3c29162eccc48853b79
 
PPC:
krb5-devel-1.6.1-17.el5.ppc.rpm
File outdated by:  RHBA-2008:0902
    1dfbe4d7b16db591270327e53afbd466
krb5-devel-1.6.1-17.el5.ppc64.rpm
File outdated by:  RHBA-2008:0902
    3698ef3e24cc01284d8d8364c543c0d2
krb5-libs-1.6.1-17.el5.ppc.rpm
File outdated by:  RHBA-2008:0902
    b15be60b5ac862c0d7f0e2dbe65384ca
krb5-libs-1.6.1-17.el5.ppc64.rpm
File outdated by:  RHBA-2008:0902
    2ac17ba625f38abf7328f9810d8eb6f0
krb5-server-1.6.1-17.el5.ppc.rpm
File outdated by:  RHBA-2008:0902
    f12fad856371ceb5fcd1eab08463b626
krb5-workstation-1.6.1-17.el5.ppc.rpm
File outdated by:  RHBA-2008:0902
    b5b5fcc21d776e987f5d15e897927832
 
s390x:
krb5-devel-1.6.1-17.el5.s390.rpm
File outdated by:  RHBA-2008:0902
    1f57ba3f4a39bcf3eb2bef08e553420a
krb5-devel-1.6.1-17.el5.s390x.rpm
File outdated by:  RHBA-2008:0902
    0f80f444e81b8753f0d1299868c59e3a
krb5-libs-1.6.1-17.el5.s390.rpm
File outdated by:  RHBA-2008:0902
    da6e8e1201b0b2da50f6105a1cb0dbfb
krb5-libs-1.6.1-17.el5.s390x.rpm
File outdated by:  RHBA-2008:0902
    c3a3301ddeb4c0853e171e45b5b03d51
krb5-server-1.6.1-17.el5.s390x.rpm
File outdated by:  RHBA-2008:0902
    d005818b6b88eb31f758c83afb323e81
krb5-workstation-1.6.1-17.el5.s390x.rpm
File outdated by:  RHBA-2008:0902
    fea573fbbd9557b256498a47a8c04af8
 
x86_64:
krb5-devel-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    c0d22184752b87d03ee43f6dae8f085a
krb5-devel-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    6d5d1b954632401503d72c06576b9f38
krb5-libs-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f3af79bfd186a00bfa17d37d86591060
krb5-libs-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    72c17db5bc4fcbd46a69a1367857ee98
krb5-server-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    697a97d9db2006c4e5f77116b7277a68
krb5-workstation-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    e1740e9818c876d2658d2ceb122af31a
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
krb5-1.6.1-17.el5.src.rpm
File outdated by:  RHBA-2008:0902
    e65d809f39d6deade08f4f04357284f5
 
IA-32:
krb5-libs-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f3af79bfd186a00bfa17d37d86591060
krb5-workstation-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f96d697705db591d07f0f9c83be454d7
 
x86_64:
krb5-libs-1.6.1-17.el5.i386.rpm
File outdated by:  RHBA-2008:0902
    f3af79bfd186a00bfa17d37d86591060
krb5-libs-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    72c17db5bc4fcbd46a69a1367857ee98
krb5-workstation-1.6.1-17.el5.x86_64.rpm
File outdated by:  RHBA-2008:0902
    e1740e9818c876d2658d2ceb122af31a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

236417 - kdc.conf has default items in crazy locations
238847 - kerberos release contains bug fixed upstream
241805 - incorporate fixup for "any" keytab type
248050 - login.krb5 incorrectly warns about missing home directories on NFS if root-squashing is enabled
253558 - start of kadmin is impossible



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/