10 files changed, 472 insertions, 0 deletions

diff --git a/security/krb5-maint/Makefile b/security/krb5-maint/Makefile
new file mode 100644
index 000000000000..d0e01bee4f90
--- /dev/null
+++ b/security/krb5-maint/Makefile
@@ -0,0 +1,146 @@
+# Created by: nectar@FreeBSD.org
+# $FreeBSD$
+
+PORTNAME=		krb5
+PORTVERSION=		1.11.3
+PORTREVISION=		2
+CATEGORIES=		security
+MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
+DISTNAME=		${PORTNAME}-${PORTVERSION}-signed
+EXTRACT_SUFX=		.tar
+
+PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
+PATCH_DIST_STRIP=	-p2
+
+MAINTAINER=		cy@FreeBSD.org
+COMMENT=		Authentication system developed at MIT, successor to Kerberos IV
+
+LICENSE=		MIT
+
+BUILD_DEPENDS=		gm4:${PORTSDIR}/devel/m4
+
+CONFLICTS=		heimdal-[0-9]* srp-[0-9]*
+
+LATEST_LINK=		${PORTNAME}-19
+KERBEROSV_URL=		http://web.mit.edu/kerberos/
+USE_PERL5=		build
+USE_LDCONFIG=		yes
+USE_CSTD=		gnu99
+USE_AUTOTOOLS=		libtool
+USES=		gettext gmake perl5
+CONFIGURE_ARGS?=	--enable-shared --without-system-verto
+CONFIGURE_ENV=		INSTALL="${INSTALL}" YACC="${YACC}"
+MAKE_ARGS=		INSTALL="${INSTALL}"
+
+OPTIONS_DEFINE=		KRB5_PDF KRB5_HTML DNS_FOR_REALM LDAP
+OPTIONS_DEFAULT=	KRB5_PDF KRB5_HTML
+KRB5_PDF_DESC=		Install krb5 PDF documentation
+KRB5_HTML_DESC=		Install krb5 HTML documentation
+DNS_FOR_REALM_DESC=	Enable DNS lookups for Kerberos realm names
+LDAP=			Enable LDAP support
+
+.if defined(KRB5_HOME)
+PREFIX=			${KRB5_HOME}
+CFLAGS+=		-rpath=${KRB5_HOME}/lib
+LDFLAGS+=		-rpath=${KRB5_HOME}/lib
+.endif
+LDFLAGS+=		-L${LOCALBASE}/lib
+CFLAGS+=		-I${LOCALBASE}/include
+
+USE_OPENSSL=		yes
+
+NO_STAGE=	yes
+.include <bsd.port.pre.mk>
+
+.if ${PORT_OPTIONS:MDNS_FOR_REALM}
+CONFIGURE_ARGS+=	--enable-dns-for-realm
+.endif
+
+.if ${PORT_OPTIONS:MLDAP}
+USE_OPENLDAP=		yes
+CONFIGURE_ARGS+=	--with-ldap
+PLIST_SUB+=		LDAP=""
+.else
+PLIST_SUB+=		LDAP="@comment "
+.endif
+
+.include "${PORTSDIR}/Mk/bsd.openssl.mk"
+
+MAN1=			k5srvutil.1 kadmin.1 krb5-config.1 krb5-send-pr.1 \
+			kpasswd.1 klist.1 kinit.1 kdestroy.1 kswitch.1 ksu.1 \
+			ktutil.1 \
+			sclient.1 kvno.1 compile_et.1
+MAN5=			kadm5.acl.5 kdc.conf.5 krb5.conf.5 .k5identity.5 \
+			.k5login.5 k5identity.5 k5login.5
+MAN8=			krb5kdc.8 kadmin.local.8 kdb5_ldap_util.8 kdb5_util.8 \
+			kadmind.8 kprop.8 kpropd.8 kproplog.8 sserver.8
+
+.if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != ""
+CONFIGURE_ARGS+=	--program-transform-name="${PROGRAM_TRANSFORM_NAME}"
+.endif
+
+WRKSRC=			${WRKDIR}/${PORTNAME}-${PORTVERSION}/src
+
+HTML_DOC_DIR=		${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/html
+PDF_DOC_DIR=		${WRKDIR}/${PORTNAME}-${PORTVERSION}/doc/pdf
+
+CONFIGURE_ARGS+=	CPPFLAGS="-I${OPENSSLINC} -L${OPENSSLLIB} -L${LOCALBASE}/include"
+
+post-extract:
+	@${TAR} -C ${WRKDIR} -xzf ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz
+	@${RM} ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz ${WRKDIR}/${PORTNAME}-${PORTVERSION}.tar.gz.asc
+.if !defined(EXTRACT_PRESERVE_OWNERSHIP)
+	@if [ `id -u` = 0 ]; then \
+		${CHMOD} -R ug-s,go-w ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \
+		${CHOWN} -R 0:0 ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \
+	fi
+.endif
+
+post-install:
+	@${MKDIR} ${PREFIX}/share/doc/krb5
+# html documentation
+.if ${PORT_OPTIONS:MKRB5_PDF}
+	pdf_files=`${FIND} ${PDF_DOC_DIR} ! -type d`
+	pdf_dirs=`${FIND} ${PDF_DOC_DIR} -type d`
+	for i in $${pdf_dirs}; do \
+		${MKDIR} ${PREFIX}/share/doc/krb5/$${i}; \
+	done; \
+	for i in $${pdf_files}; do \
+		${INSTALL_MAN} $${pdf} ${PREFIX}/share/doc/krb5/$${i}; \
+		${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \
+	done
+.endif
+.if ${PORT_OPTIONS:MKRB5_HTML}
+	html_files=`${FIND} ${HTML_DOC_DIR} ! -type d | ${GREP} -v /_sources`
+	html_dirs=`${FIND} ${HTML_DOC_DIR} -type d | ${GREP} -v /_sources`
+	for i in $${html_dirs}; do \
+		${MKDIR} ${PREFIX}/share/doc/krb5/$${i}; \
+	done; \
+	for i in $${html_files}; do \
+		${INSTALL_MAN} $${i} ${PREFIX}/share/doc/krb5/$${i}; \
+		${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \
+	done
+.endif
+.if ${PORT_OPTIONS:MKRB5_PDF}
+	for i in $${pdf_dirs}; do \
+		${ECHO_CMD} @dirrm share/doc/krb5/$${i} >> ${TMPPLIST}; \
+	done | ${TAIL} -r >> ${TMPPLIST}
+.endif
+.if ${PORT_OPTIONS:MKRB5_HTML}
+	for i in $${html_dirs}; do \
+		${ECHO_CMD} @dirrm share/doc/krb5/$${i} >> ${TMPPLIST}; \
+	done | ${TAIL} -r >> ${TMPPLIST}
+.endif
+	${ECHO_CMD} @dirrm share/doc/krb5 >> ${TMPPLIST}
+	@${SED} "s%\${PREFIX}%${PREFIX}%" ${FILESDIR}/README.FreeBSD > ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${CHMOD} 444 ${PREFIX}/share/doc/krb5/README.FreeBSD
+	@${ECHO} "------------------------------------------------------"
+	@${ECHO} "This port of MIT Kerberos 5 includes remote login     "
+	@${ECHO} "daemons (telnetd and klogind).  These daemons default "
+	@${ECHO} "to using the system login program (/usr/bin/login).   "
+	@${ECHO} "Please see the file                                   "
+	@${ECHO} "${PREFIX}/share/doc/krb5/README.FreeBSD"
+	@${ECHO} "for more information.                                 "
+	@${ECHO} "------------------------------------------------------"
+
+.include <bsd.port.post.mk>
diff --git a/security/krb5-maint/distinfo b/security/krb5-maint/distinfo
new file mode 100644
index 000000000000..203e595f6d7b
--- /dev/null
+++ b/security/krb5-maint/distinfo
@@ -0,0 +1,2 @@
+SHA256 (krb5-1.11.3-signed.tar) = 9abd94bb94a70996da0f8d90408957154bb543271b097e86c63eb33e5f5751b5
+SIZE (krb5-1.11.3-signed.tar) = 11673600
diff --git a/security/krb5-maint/files/README.FreeBSD b/security/krb5-maint/files/README.FreeBSD
new file mode 100644
index 000000000000..e888e689eb04
--- /dev/null
+++ b/security/krb5-maint/files/README.FreeBSD
@@ -0,0 +1,32 @@
+The MIT KRB5 port provides its own login program at
+${PREFIX}/sbin/login.krb5.  However, login.krb5 does not make use of
+the FreeBSD login.conf and login.access files that provide a means of
+setting up and controlling sessions under FreeBSD.  To overcome this,
+the MIT KRB5 port uses the FreeBSD /usr/bin/login program to provide
+interactive login password authentication instead of the login.krb5
+program provided by MIT KRB5.  The FreeBSD /usr/bin/login program does
+not have support for Kerberos V password authentication,
+e.g. authentication at the console.  The pam_krb5 port must be used to
+provide Kerberos V password authentication.
+
+For more information about pam_krb5, please see pam(8) and pam_krb5(8).
+
+If you wish to use login.krb5 that is provided by the MIT KRB5 port,
+the arguments "-L ${PREFIX}/sbin/login.krb5" must be
+specified as arguments to klogind and KRB5 telnetd, e.g.
+
+klogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -L ${PREFIX}/sbin/login.krb5
+eklogin	stream	tcp	nowait	root	${PREFIX}/sbin/klogind	klogind -k -c -e -L ${PREFIX}/sbin/login.krb5
+telnet	stream	tcp	nowait	root	${PREFIX}/sbin/telnetd	telnetd -a none -L ${PREFIX}/sbin/login.krb5
+
+Additionally, if you wish to use the MIT KRB5 provided login.krb5 instead
+of the FreeBSD provided /usr/bin/login for local tty logins,
+"lo=${PREFIX}/sbin/login.krb5" must be specified in /etc/gettytab, e.g.,
+
+default:\
+	:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+	:if=/etc/issue:\
+	:lo=${PREFIX}/sbin/login.krb5:
+
+It is recommended that the FreeBSD /usr/bin/login be used with the
+pam_krb5 port instead of the MIT KRB5 provided login.krb5.
diff --git a/security/krb5-maint/files/patch-av b/security/krb5-maint/files/patch-av
new file mode 100644
index 000000000000..95394e43c0a0
--- /dev/null
+++ b/security/krb5-maint/files/patch-av
@@ -0,0 +1,15 @@
+*** clients/ksu/Makefile.in.ORIG	Sun Aug  2 16:51:18 1998
+--- clients/ksu/Makefile.in	Sun Aug  2 16:53:48 1998
+***************
+*** 3,7 ****
+  mydir=ksu
+  BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+  CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+  
+--- 3,7 ----
+  mydir=ksu
+  BUILDTOP=$(REL)$(U)$(S)$(U)
+! DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/bin /bin /usr/sbin /sbin"' -DDEBUG
+  CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
+  
diff --git a/security/krb5-maint/files/patch-config::pre.in b/security/krb5-maint/files/patch-config::pre.in
new file mode 100644
index 000000000000..bdd183e98ad4
--- /dev/null
+++ b/security/krb5-maint/files/patch-config::pre.in
@@ -0,0 +1,11 @@
+--- config/pre.in.orig	Fri Nov 19 13:47:51 2004
++++ config/pre.in	Thu Jan 27 17:43:12 2005
+@@ -177,7 +177,7 @@
+ INSTALL=@INSTALL@
+ INSTALL_STRIP=
+ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
+-INSTALL_SCRIPT=@INSTALL_PROGRAM@
++INSTALL_SCRIPT=@INSTALL_SCRIPT@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+ INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
diff --git a/security/krb5-maint/files/patch-config::shlib.conf b/security/krb5-maint/files/patch-config::shlib.conf
new file mode 100644
index 000000000000..55f967d8a505
--- /dev/null
+++ b/security/krb5-maint/files/patch-config::shlib.conf
@@ -0,0 +1,33 @@
+--- config/shlib.conf.orig	2012-08-08 15:27:55.000000000 -0700
++++ config/shlib.conf	2012-11-02 17:49:31.140500618 -0700
+@@ -306,24 +306,18 @@
+ 	;;
+ 
+ *-*-freebsd*)
+-	if test -x /usr/bin/objformat ; then
+-		objformat=`/usr/bin/objformat`
+-	else
+-		objformat="elf"
+-	fi
+-	PICFLAGS=-fpic
+-	if test "x$objformat" = "xelf" ; then
++	case $krb5_cv_host in
++	sparc64-*)      PICFLAGS=-fPIC;;
++	*)              PICFLAGS=-fpic;;
++	esac
++ 
+ 		SHLIBVEXT='.so.$(LIBMAJOR)'
++		LDCOMBINE="libtool --mode=link cc -Xcompiler -shared"
+ 		RPATH_FLAG='-Wl,-rpath -Wl,'
+-	else
+-		RPATH_FLAG=-R
+-		SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
+-	fi
+ 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+ 	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ 	SHLIBEXT=.so
+-	LDCOMBINE='ld -Bshareable'
+ 	SHLIB_RPATH_FLAGS='-R$(SHLIB_RDIRS)'
+ 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
diff --git a/security/krb5-maint/files/patch-lib-krb5-os-localaddr.c b/security/krb5-maint/files/patch-lib-krb5-os-localaddr.c
new file mode 100644
index 000000000000..06b6043f22c9
--- /dev/null
+++ b/security/krb5-maint/files/patch-lib-krb5-os-localaddr.c
@@ -0,0 +1,75 @@
+--- lib/krb5/os/localaddr.c.orig	2009-10-30 20:17:27.000000000 -0700
++++ lib/krb5/os/localaddr.c	2010-04-19 12:39:56.707090973 -0700
+@@ -175,6 +175,7 @@
+ }
+ #endif
+ 
++#if 0
+ static int
+ is_loopback_address(struct sockaddr *sa)
+ {
+@@ -191,6 +192,7 @@
+         return 0;
+     }
+ }
++#endif
+ 
+ #ifdef HAVE_IFADDRS_H
+ #include <ifaddrs.h>
+@@ -467,12 +469,14 @@
+             ifp->ifa_flags &= ~IFF_UP;
+             continue;
+         }
++#if 0
+         if (is_loopback_address(ifp->ifa_addr)) {
+             /* Pretend it's not up, so the second pass will skip
+                it.  */
+             ifp->ifa_flags &= ~IFF_UP;
+             continue;
+         }
++#endif
+         /* If this address is a duplicate, punt.  */
+         match = 0;
+         for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
+@@ -601,11 +605,13 @@
+             }
+             /*@=moduncon@*/
+ 
++#if 0
+             /* None of the current callers want loopback addresses.  */
+             if (is_loopback_address((struct sockaddr *)&lifr->lifr_addr)) {
+                 Tprintf (("  loopback\n"));
+                 goto skip;
+             }
++#endif
+             /* Ignore interfaces that are down.  */
+             if ((lifreq.lifr_flags & IFF_UP) == 0) {
+                 Tprintf (("  down\n"));
+@@ -772,11 +778,13 @@
+             }
+             /*@=moduncon@*/
+ 
++#if 0
+             /* None of the current callers want loopback addresses.  */
+             if (is_loopback_address(&lifr->iflr_addr)) {
+                 Tprintf (("  loopback\n"));
+                 goto skip;
+             }
++#endif
+             /* Ignore interfaces that are down.  */
+             if ((lifreq.iflr_flags & IFF_UP) == 0) {
+                 Tprintf (("  down\n"));
+@@ -987,11 +995,13 @@
+         }
+         /*@=moduncon@*/
+ 
++#if 0
+         /* None of the current callers want loopback addresses.  */
+         if (is_loopback_address(&ifreq.ifr_addr)) {
+             Tprintf (("  loopback\n"));
+             goto skip;
+         }
++#endif
+         /* Ignore interfaces that are down.  */
+         if ((ifreq.ifr_flags & IFF_UP) == 0) {
+             Tprintf (("  down\n"));
diff --git a/security/krb5-maint/files/patch-lib::gssapi::krb5::import_name.c b/security/krb5-maint/files/patch-lib::gssapi::krb5::import_name.c
new file mode 100644
index 000000000000..40f116af2196
--- /dev/null
+++ b/security/krb5-maint/files/patch-lib::gssapi::krb5::import_name.c
@@ -0,0 +1,14 @@
+--- lib/gssapi/krb5/import_name.c.orig	Mon Jul 18 15:12:42 2005
++++ lib/gssapi/krb5/import_name.c	Tue Nov  8 09:53:58 2005
+@@ -33,6 +33,11 @@
+ #endif
+ #endif
+ 
++#include <sys/param.h>
++#if __FreeBSD_version < 500100
++#include <stdio.h>
++#endif
++
+ #ifdef HAVE_STRING_H
+ #include <string.h>
+ #else
diff --git a/security/krb5-maint/pkg-descr b/security/krb5-maint/pkg-descr
new file mode 100644
index 000000000000..d11e2e6d1c15
--- /dev/null
+++ b/security/krb5-maint/pkg-descr
@@ -0,0 +1,24 @@
+Kerberos V5 is an authentication system developed at MIT.  
+WWW: http://web.mit.edu/kerberos/
+
+Abridged from the User Guide:
+       Under Kerberos, a client sends a request for a ticket to the 
+   Key Distribution Center (KDC). The KDC creates a ticket-granting 
+   ticket (TGT) for the client, encrypts it using the client's 
+   password as the key, and sends the encrypted TGT back to the 
+   client. The client then attempts to decrypt the TGT, using
+   its password. If the client successfully decrypts the TGT, it 
+   keeps the decrypted TGT, which indicates proof of the client's 
+   identity. The TGT permits the client to obtain additional tickets, 
+   which give permission for specific services.
+       Since Kerberos negotiates authenticated, and optionally encrypted,   
+   communications between two points anywhere on the internet, it
+   provides a layer of security that is not dependent on which side of a
+   firewall either client is on.
+       The Kerberos V5 package is designed to be easy to use. Most of the  
+   commands are nearly identical to UNIX network programs you are already
+   used to. Kerberos V5 is a single-sign-on system, which means that you 
+   have to type your password only once per session, and Kerberos does   
+   the authenticating and encrypting transparently.  
+
+Jacques Vidrine <n@nectar.com>
diff --git a/security/krb5-maint/pkg-plist b/security/krb5-maint/pkg-plist
new file mode 100644
index 000000000000..10295cfb0acf
--- /dev/null
+++ b/security/krb5-maint/pkg-plist
@@ -0,0 +1,120 @@
+bin/compile_et
+bin/gss-client
+bin/k5srvutil
+bin/kadmin
+bin/kdestroy
+bin/kinit
+bin/klist
+bin/kpasswd
+bin/krb5-config
+bin/kswitch
+bin/ksu
+bin/ktutil
+bin/kvno
+bin/sclient
+bin/sim_client
+bin/uuclient
+include/com_err.h
+include/gssapi.h
+include/gssapi/gssapi.h
+include/gssapi/gssapi_ext.h
+include/gssapi/gssapi_generic.h
+include/gssapi/gssapi_krb5.h
+include/gssapi/mechglue.h
+include/gssrpc/auth.h
+include/gssrpc/auth_gss.h
+include/gssrpc/auth_gssapi.h
+include/gssrpc/auth_unix.h
+include/gssrpc/clnt.h
+include/gssrpc/netdb.h
+include/gssrpc/pmap_clnt.h
+include/gssrpc/pmap_prot.h
+include/gssrpc/pmap_rmt.h
+include/gssrpc/rename.h
+include/gssrpc/rpc.h
+include/gssrpc/rpc_msg.h
+include/gssrpc/svc.h
+include/gssrpc/svc_auth.h
+include/gssrpc/types.h
+include/gssrpc/xdr.h
+include/krb5.h
+%%LDAP%%include/krb5/ccselect_plugin.h
+include/krb5/kadm5_hook_plugin.h
+include/krb5/krb5.h
+include/krb5/locate_plugin.h
+include/krb5/plugin.h
+include/krb5/pwqual_plugin.h
+include/kadm5/admin.h
+include/kadm5/chpass_util_strings.h
+include/kadm5/kadm_err.h
+include/kdb.h
+include/krb5/preauth_plugin.h
+include/profile.h
+include/verto-module.h
+include/verto.h
+lib/libcom_err.so
+lib/libcom_err.so.3
+lib/libgssapi_krb5.so
+lib/libgssapi_krb5.so.2
+lib/libgssrpc.so
+lib/libgssrpc.so.4
+lib/libk5crypto.so
+lib/libk5crypto.so.3
+lib/libkadm5clnt.so
+lib/libkadm5clnt_mit.so
+lib/libkadm5clnt_mit.so.8
+lib/libkadm5srv.so
+lib/libkadm5srv_mit.so
+lib/libkadm5srv_mit.so.8
+lib/libkdb5.so
+lib/libkdb5.so.7
+lib/libkrb5.so
+lib/libkrb5.so.3
+lib/libkrb5support.so
+lib/libkrb5support.so.0
+lib/krb5/plugins/kdb/db2.so
+%%LDAP%%lib/krb5/plugins/kdb/kldap.so
+lib/krb5/plugins/preauth/pkinit.so
+%%LDAP%%lib/libkdb_ldap.so
+%%LDAP%%lib/libkdb_ldap.so.1
+lib/libverto.so.0
+lib/libverto.so
+sbin/gss-server
+sbin/kadmin.local
+sbin/kadmind
+%%LDAP%%sbin/kdb5_ldap_util
+sbin/kdb5_util
+sbin/kprop
+sbin/kpropd
+sbin/kproplog
+sbin/krb5-send-pr
+sbin/krb5kdc
+sbin/sim_server
+sbin/sserver
+sbin/uuserver
+share/doc/krb5/README.FreeBSD
+share/et/et_c.awk
+share/et/et_h.awk
+share/examples/krb5/kdc.conf
+share/examples/krb5/krb5.conf
+share/examples/krb5/services.append
+share/gnats/mit
+share/locale/en_US/LC_MESSAGES/mit-krb5.mo
+@exec mkdir -p %D/var/krb5kdc
+@dirrmtry var/krb5kdc
+@dirrmtry var
+@dirrmtry share/locale/en_US/LC_MESSAGES
+@dirrmtry share/locale/en_US
+@dirrm lib/krb5/plugins/preauth
+@dirrm lib/krb5/plugins/libkrb5
+@dirrm lib/krb5/plugins/kdb
+@dirrm lib/krb5/plugins/authdata
+@dirrm lib/krb5/plugins
+@dirrm lib/krb5
+@dirrm include/gssapi
+@dirrm include/gssrpc
+@dirrm include/krb5
+@dirrm include/kadm5
+@dirrm share/et
+@dirrmtry share/gnats
+@dirrm share/examples/krb5