Patch-ID# 105564-05 Keywords: security NIS+ domain non-root rpcsec authdes_refresh RPCSEC_GSS Synopsis: SunOS 5.6: /kernel/misc/rpcsec patch Date: Aug/23/2002 Install Requirements: Install in Single User Mode Reboot after installation See Special Install Instructions Solaris Release: 2.6 SunOS Release: 5.6 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 105565 Topic: SunOS 5.6: /kernel/misc/rpcsec patch NOTE: Refer to Special Install Instructions section for IMPORTANT specific information on this patch. Relevant Architectures: sparc BugId's fixed with this patch: 1168376 4080713 4082160 4086809 4144003 4198273 4240833 Changes incorporated in this version: 4240833 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /kernel/misc/rpcsec Problem Description: 4240833 RPC AUTH_DES credentials stays on stack. (from 105564-04) 4198273 desauthtab is hardcoded to 16 entries - causes performance problems (from 105564-03) 4082160 chgrp does not work on a RPCSEC_GSS mounted file system 4086809 rpcsec module should handle a NULL ucred returned by rpcsec_gss 4144003 sec_clnt_revoke() should allow root to revoke a non-root's key (from 105564-02) 4080713 NOTICE: authdes_refresh messages on console (from 105564-01) 1168376 NIS+ servers should be allowed to be in the domain they serve. Patch Installation Instructions: -------------------------------- Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below. Special Install Instructions: ----------------------------- Reboot the system after patch installation. NOTE 1: If you are installing this patch to fix the "non-root NIS+ server not living in domain it serves" problem, you will also need to install the libnsl/NIS+ commands patch (105401-03 or newer) and the chkey/keylogin patch (105562-01 or newer). Instructions on how to set up the non-root NIS+ server to live in the domain it serves: Setting up an existing non-root NIS+ server: 1. Install the libnsl/NIS+ commands patch (105401-03 or newer) on the non-root NIS+ server. Also install this kernel/misc/rpcsec patch if this server is either a Secure NFS client or server. 2. Change the /etc/defaultdomain on the server to the domain it serves. 3. Reboot the server. Setting up a new non-root NIS+ server: 1. Set up the server as described in the NIS+ docs. 2. Install the libnsl/NIS+ commands patch (105401-03 or newer) on this new NIS+ server. Also install this kernel/misc/rpcsec patch if this server is either a Secure NFS client or server. 3. Change the /etc/defaultdomain on the server to the domain it serves. 4. Reboot the server. NOTE 2: For users of SEAM 1.0 (Sun Enterprise Authentication Mechanism) on Solaris 2.6, we recommend that the following patches (or newer) be installed: 106639-01 /kernel/strmod/rpcmod 105564-03 /kernel/misc/rpcsec 105472-04 /usr/lib/autofs/automountd 106641-01 /usr/lib/fs/nfs/mount 105615-04 /usr/lib/nfs/mountd README -- Last modified date: Friday, August 23, 2002