authorRobbie Harwood <rharwood@redhat.com>2017-10-05 15:10:47 -0400
committerRobbie Harwood <rharwood@redhat.com>2017-10-05 20:29:13 +0000
commit533a73fdd1bf9988853f3eb1a23c3f28a87454b8 (patch)
tree99b7add9fe5875dd24bd0e924e2b1da95dfad595
parent0c7302b5bc5da01f88ea5ad6873a48a011c5fb54 (diff)
New upstream prerelease (1.16-beta1)
-rw-r--r--.gitignore3
-rw-r--r--Add-German-translation.patch9333
-rw-r--r--Add-KDC-policy-pluggable-interface.patch994
-rw-r--r--Add-PKINIT-UPN-tests-to-t_pkinit.py.patch101
-rw-r--r--Add-PKINIT-test-case-for-generic-client-cert.patch51
-rw-r--r--Add-certauth-pluggable-interface.patch1146
-rw-r--r--Add-hostname-based-ccselect-module.patch293
-rw-r--r--Add-k5test-expected_msg-expected_trace.patch96
-rw-r--r--Add-support-to-query-the-SSF-of-a-GSS-context.patch419
-rw-r--r--Add-test-case-for-PKINIT-DH-renegotiation.patch45
-rw-r--r--Add-test-cert-generation-to-make-certs.sh.patch968
-rw-r--r--Add-test-cert-with-no-extensions.patch1120
-rw-r--r--Add-the-client_name-kdcpreauth-callback.patch58
-rw-r--r--Add-timestamp-helper-functions.patch80
-rw-r--r--Add-timestamp-tests.patch599
-rw-r--r--Add-y2038-documentation.patch59
-rw-r--r--Build-with-Werror-implicit-int-where-supported.patch23
-rw-r--r--Convert-some-pkiDebug-messages-to-TRACE-macros.patch422
-rw-r--r--Correct-error-handling-bug-in-prior-commit.patch32
-rw-r--r--Deindent-crypto_retrieve_X509_sans.patch263
-rw-r--r--Fix-bugs-in-kdcpolicy-commit.patch130
-rw-r--r--Fix-certauth-built-in-module-returns.patch124
-rw-r--r--Fix-in_clock_skew-and-use-it-in-AS-client-code.patch58
-rw-r--r--Fix-more-time-manipulations-for-y2038.patch83
-rw-r--r--Improve-PKINIT-UPN-SAN-matching.patch151
-rw-r--r--Make-timestamp-manipulations-y2038-safe.patch1844
-rw-r--r--Remove-incomplete-PKINIT-OCSP-support.patch134
-rw-r--r--Use-GSSAPI-fallback-skiptest.patch2
-rw-r--r--Use-expected_msg-in-test-scripts.patch2584
-rw-r--r--Use-expected_trace-in-test-scripts.patch75
-rw-r--r--Use-fallback-realm-for-GSSAPI-ccache-selection.patch185
-rw-r--r--Use-krb5_timestamp-where-appropriate.patch327
-rw-r--r--Use-the-canonical-client-principal-name-for-OTP.patch28
-rw-r--r--krb5-1.11-kpasswdtest.patch2
-rw-r--r--krb5-1.11-run_user_0.patch2
-rw-r--r--krb5-1.12-api.patch2
-rw-r--r--krb5-1.12-ksu-path.patch2
-rw-r--r--krb5-1.12-ktany.patch2
-rw-r--r--krb5-1.12.1-pam.patch12
-rw-r--r--krb5-1.13-dirsrv-accountlock.patch10
-rw-r--r--krb5-1.15-beta1-buildconf.patch4
-rw-r--r--krb5-1.15.1-selinux-label.patch54
-rw-r--r--krb5-1.3.1-dns.patch6
-rw-r--r--krb5-1.9-debuginfo.patch2
-rw-r--r--krb5.spec48
-rw-r--r--sources6
46 files changed, 66 insertions, 21916 deletions
diff --git a/.gitignore b/.gitignore
index c78f6a3..df05a67 100644
--- a/.gitignore
+++ b/.gitignore
@@ -154,3 +154,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.15.2-pdfs.tar
/krb5-1.15.2.tar.gz
/krb5-1.15.2.tar.gz.asc
+/krb5-1.16-beta1-pdfs.tar
+/krb5-1.16-beta1.tar.gz
+/krb5-1.16-beta1.tar.gz.asc
diff --git a/Add-German-translation.patch b/Add-German-translation.patch
deleted file mode 100644
index bb3ecb3..0000000
--- a/Add-German-translation.patch
+++ /dev/null
@@ -1,9333 +0,0 @@
-From 914be6ccfa5e3cb52d0e0e72720eca8f2e528250 Mon Sep 17 00:00:00 2001
-From: Chris Leick <c.leick@vollbio.de>
-Date: Wed, 6 Apr 2016 18:14:40 -0400
-Subject: [PATCH] Add German translation
-
-ticket: 8515 (new)
-(cherry picked from commit 0c9a4d9734c29a77d3c7ac267e8e885a75f44b4f)
----
- src/po/Makefile.in | 2 +-
- src/po/de.po | 9301 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 9302 insertions(+), 1 deletion(-)
- create mode 100644 src/po/de.po
-
-diff --git a/src/po/Makefile.in b/src/po/Makefile.in
-index fdaf872a1..6753447dc 100644
---- a/src/po/Makefile.in
-+++ b/src/po/Makefile.in
-@@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \
- $(BUILDTOP)/lib/krb5/error_tables/kv5m_err.c \
- $(BUILDTOP)/lib/krb5/error_tables/krb524_err.c
- # This is a placeholder until we have an actual translation.
--CATALOGS=en_US.mo
-+CATALOGS=en_US.mo de.mo
-
- .SUFFIXES: .po .mo
- .po.mo:
-diff --git a/src/po/de.po b/src/po/de.po
-new file mode 100644
-index 000000000..2144d7833
---- /dev/null
-+++ b/src/po/de.po
-@@ -0,0 +1,9301 @@
-+# German translation of mit-krb5.
-+# This file is distributed under the same license as the mit-krb5 package.
-+# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology.
-+# Copyright (C) of this file 2014-2016 Chris Leick <c.leick@vollbio.de>.
-+#
-+msgid ""
-+msgstr ""
-+"Project-Id-Version: mit-krb5 13.2\n"
-+"Report-Msgid-Bugs-To: krbdev@mit.edu\n"
-+"POT-Creation-Date: 2015-05-06 14:59-0400\n"
-+"PO-Revision-Date: 2016-04-07 08:15+0200\n"
-+"Last-Translator: Chris Leick <c.leick@vollbio.de>\n"
-+"Language-Team: German <debian-l10n-german@lists.debian.org>\n"
-+"Language: de\n"
-+"MIME-Version: 1.0\n"
-+"Content-Type: text/plain; charset=UTF-8\n"
-+"Content-Transfer-Encoding: 8bit\n"
-+"Plural-Forms: nplurals=2; plural=n != 1;\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:62
-+#, c-format
-+msgid "Usage: %s [-A] [-q] [-c cache_name]\n"
-+msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:63
-+#, c-format
-+msgid "\t-A destroy all credential caches in collection\n"
-+msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:64
-+#, c-format
-+msgid "\t-q quiet mode\n"
-+msgstr "\t-q stiller Modus\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:65
-+#: ../../src/clients/kswitch/kswitch.c:45
-+#, c-format
-+msgid "\t-c specify name of credentials cache\n"
-+msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:98
-+#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284
-+#, c-format
-+msgid "Only one -c option allowed\n"
-+msgstr "Nur eine »-c«-Option ist erlaubt.\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:105
-+#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182
-+#, c-format
-+msgid "Kerberos 4 is no longer supported\n"
-+msgstr "Kerberos 4 wird nicht mehr unterstützt.\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:126
-+#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131
-+#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97
-+#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926
-+#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052
-+msgid "while initializing krb5"
-+msgstr "beim Initialisieren von Krb5"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:133
-+msgid "while listing credential caches"
-+msgstr "beim Auflisten der Anmeldedatenzwischenspeicher"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:140
-+msgid "composing ccache name"
-+msgstr "Ccache-Name wird zusammengesetzt."
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:145
-+#, c-format
-+msgid "while destroying cache %s"
-+msgstr "beim Zerstören des Zwischenspeichers %s"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:157
-+#: ../../src/clients/kswitch/kswitch.c:104
-+#, c-format
-+msgid "while resolving %s"
-+msgstr "beim Auflösen von %s"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:163
-+#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460
-+msgid "while getting default ccache"
-+msgstr "beim Holen des Standard-Ccaches"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986
-+msgid "while destroying cache"
-+msgstr "beim Zerstören des Zwischenspeichers"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:173
-+#, c-format
-+msgid "Ticket cache NOT destroyed!\n"
-+msgstr "Ticketzwischenspeicher NICHT vernichtet!\n"
-+
-+#: ../../src/clients/kdestroy/kdestroy.c:175
-+#, c-format
-+msgid "Ticket cache %cNOT%c destroyed!\n"
-+msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n"
-+
-+#: ../../src/clients/kinit/kinit.c:213
-+#, c-format
-+msgid "\t-V verbose\n"
-+msgstr "\t-V detaillierte Ausgabe\n"
-+
-+#: ../../src/clients/kinit/kinit.c:214
-+#, c-format
-+msgid "\t-l lifetime\n"
-+msgstr "\t-l Lebensdauer\n"
-+
-+#: ../../src/clients/kinit/kinit.c:215
-+#, c-format
-+msgid "\t-s start time\n"
-+msgstr "\t-s Startzeit\n"
-+
-+#: ../../src/clients/kinit/kinit.c:216
-+#, c-format
-+msgid "\t-r renewable lifetime\n"
-+msgstr "\t-r verlängerbare Lebensdauer\n"
-+
-+#: ../../src/clients/kinit/kinit.c:217
-+#, c-format
-+msgid "\t-f forwardable\n"
-+msgstr "\t-f weiterleitbar\n"
-+
-+#: ../../src/clients/kinit/kinit.c:218
-+#, c-format
-+msgid "\t-F not forwardable\n"
-+msgstr "\t-F nicht weiterleitbar\n"
-+
-+#: ../../src/clients/kinit/kinit.c:219
-+#, c-format
-+msgid "\t-p proxiable\n"
-+msgstr "\t-p Proxy nutzbar\n"
-+
-+#: ../../src/clients/kinit/kinit.c:220
-+#, c-format
-+msgid "\t-P not proxiable\n"
-+msgstr "\t-P Proxy nicht nutzbar\n"
-+
-+#: ../../src/clients/kinit/kinit.c:221
-+#, c-format
-+msgid "\t-n anonymous\n"
-+msgstr "\t-n anonym\n"
-+
-+#: ../../src/clients/kinit/kinit.c:222
-+#, c-format
-+msgid "\t-a include addresses\n"
-+msgstr "\t-a bezieht Adressen ein.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:223
-+#, c-format
-+msgid "\t-A do not include addresses\n"
-+msgstr "\t-a bezieht Adressen nicht ein.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:224
-+#, c-format
-+msgid "\t-v validate\n"
-+msgstr "\t-v überprüft\n"
-+
-+#: ../../src/clients/kinit/kinit.c:225
-+#, c-format
-+msgid "\t-R renew\n"
-+msgstr "\t-R erneuert\n"
-+
-+#: ../../src/clients/kinit/kinit.c:226
-+#, c-format
-+msgid "\t-C canonicalize\n"
-+msgstr "\t-C bringt in Normalform\n"
-+
-+#: ../../src/clients/kinit/kinit.c:227
-+#, c-format
-+msgid "\t-E client is enterprise principal name\n"
-+msgstr "\t-E Client ist der Principal-Name des Unternehmens\n"
-+
-+#: ../../src/clients/kinit/kinit.c:228
-+#, c-format
-+msgid "\t-k use keytab\n"
-+msgstr "\t-k verwendet Schlüsseltabelle\n"
-+
-+#: ../../src/clients/kinit/kinit.c:229
-+#, c-format
-+msgid "\t-i use default client keytab (with -k)\n"
-+msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n"
-+
-+#: ../../src/clients/kinit/kinit.c:230
-+#, c-format
-+msgid "\t-t filename of keytab to use\n"
-+msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n"
-+
-+#: ../../src/clients/kinit/kinit.c:231
-+#, c-format
-+msgid "\t-c Kerberos 5 cache name\n"
-+msgstr "\t-c Kerberos-5-Zwischenspeichername\n"
-+
-+#: ../../src/clients/kinit/kinit.c:232
-+#, c-format
-+msgid "\t-S service\n"
-+msgstr "\t-S Dienst\n"
-+
-+#: ../../src/clients/kinit/kinit.c:233
-+#, c-format
-+msgid "\t-T armor credential cache\n"
-+msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n"
-+
-+#: ../../src/clients/kinit/kinit.c:234
-+#, c-format
-+msgid "\t-X <attribute>[=<value>]\n"
-+msgstr "\t-X <Attribut>[=<Wert>]\n"
-+
-+#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309
-+#, c-format
-+msgid "Bad lifetime value %s\n"
-+msgstr "falscher Wert für die Lebensdauer %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:343
-+#, c-format
-+msgid "Bad start time value %s\n"
-+msgstr "falscher Wert für die Startzeit %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:362
-+#, c-format
-+msgid "Only one -t option allowed.\n"
-+msgstr "Nur eine -t-Option ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:370
-+#, c-format
-+msgid "Only one armor_ccache\n"
-+msgstr "nur ein gehärteter Ccache\n"
-+
-+#: ../../src/clients/kinit/kinit.c:391
-+#, c-format
-+msgid "Only one -I option allowed\n"
-+msgstr "Nur eine -I-Option ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:401
-+msgid "while adding preauth option"
-+msgstr "beim Hinzufügen der Option »preauth«"
-+
-+#: ../../src/clients/kinit/kinit.c:425
-+#, c-format
-+msgid "Only one of -f and -F allowed\n"
-+msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:430
-+#, c-format
-+msgid "Only one of -p and -P allowed\n"
-+msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:435
-+#, c-format
-+msgid "Only one of -a and -A allowed\n"
-+msgstr "Nur eine der Optionen -a und -A ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:440
-+#, c-format
-+msgid "Only one of -t and -i allowed\n"
-+msgstr "Nur eine der Optionen -t und-i ist erlaubt.\n"
-+
-+#: ../../src/clients/kinit/kinit.c:447
-+#, c-format
-+msgid "keytab specified, forcing -k\n"
-+msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n"
-+
-+#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221
-+#, c-format
-+msgid "Extra arguments (starting with \"%s\").\n"
-+msgstr "zusätzliche Argumente (beginnend mit »%s«)\n"
-+
-+#: ../../src/clients/kinit/kinit.c:480
-+msgid "while initializing Kerberos 5 library"
-+msgstr "beim Initialisieren der Kerberos-5-Bibliothek"
-+
-+#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644
-+#, c-format
-+msgid "resolving ccache %s"
-+msgstr "Ccache %s wird ermittelt"
-+
-+#: ../../src/clients/kinit/kinit.c:493
-+#, c-format
-+msgid "Using specified cache: %s\n"
-+msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595
-+#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238
-+#, c-format
-+msgid "when parsing name %s"
-+msgstr "wenn der Name %s ausgewertet wird"
-+
-+#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391
-+#: ../../src/slave/kprop.c:203
-+msgid "while getting default realm"
-+msgstr "beim Holen des Standard-Realms"
-+
-+#: ../../src/clients/kinit/kinit.c:535
-+msgid "while building principal"
-+msgstr "beim Erstellen des Principals"
-+
-+#: ../../src/clients/kinit/kinit.c:543
-+msgid "When resolving the default client keytab"
-+msgstr "beim Auflösen der Standardschlüsseltabelle des Clients"
-+
-+#: ../../src/clients/kinit/kinit.c:550
-+msgid "When determining client principal name from keytab"
-+msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle"
-+
-+#: ../../src/clients/kinit/kinit.c:559
-+msgid "when creating default server principal name"
-+msgstr "wenn der Standard-Principal-Name des Servers erstellt wird"
-+
-+#: ../../src/clients/kinit/kinit.c:566
-+#, c-format
-+msgid "(principal %s)"
-+msgstr "(Principal %s)"
-+
-+#: ../../src/clients/kinit/kinit.c:569
-+msgid "for local services"
-+msgstr "für lokale Dienste"
-+
-+#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42
-+#, c-format
-+msgid "Unable to identify user\n"
-+msgstr "Benutzer kann nicht identifiziert werden\n"
-+
-+#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116
-+#, c-format
-+msgid "while searching for ccache for %s"
-+msgstr "beim Suchen nach Ccache für %s"
-+
-+#: ../../src/clients/kinit/kinit.c:611
-+#, c-format
-+msgid "Using existing cache: %s\n"
-+msgstr "Existierender Zwischenspeicher wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:620
-+msgid "while generating new ccache"
-+msgstr "beim Erstellen von neuem Ccache"
-+
-+#: ../../src/clients/kinit/kinit.c:624
-+#, c-format
-+msgid "Using new cache: %s\n"
-+msgstr "Neuer Zwischenspeicher wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:636
-+#, c-format
-+msgid "Using default cache: %s\n"
-+msgstr "Standardzwischenspeicher wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:649
-+#, c-format
-+msgid "Using specified input cache: %s\n"
-+msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160
-+msgid "when unparsing name"
-+msgstr "beim Rückgängigmachen der Auswertung des Namens"
-+
-+#: ../../src/clients/kinit/kinit.c:661
-+#, c-format
-+msgid "Using principal: %s\n"
-+msgstr "verwendeter Principal: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:752
-+msgid "getting local addresses"
-+msgstr "Lokale Adressen werden geholt."
-+
-+#: ../../src/clients/kinit/kinit.c:771
-+#, c-format
-+msgid "while setting up KDB keytab for realm %s"
-+msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s"
-+
-+#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201
-+#, c-format
-+msgid "resolving keytab %s"
-+msgstr "Schlüsseltabelle wird ermittelt: %s"
-+
-+#: ../../src/clients/kinit/kinit.c:785
-+#, c-format
-+msgid "Using keytab: %s\n"
-+msgstr "Schlüsseltabelle wird verwendet: %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:789
-+msgid "resolving default client keytab"
-+msgstr "Standardschlüsseltabelle des Clients wird ermittelt."
-+
-+#: ../../src/clients/kinit/kinit.c:799
-+#, c-format
-+msgid "while setting '%s'='%s'"
-+msgstr "beim Setzen von »%s«=»%s«"
-+
-+#: ../../src/clients/kinit/kinit.c:804
-+#, c-format
-+msgid "PA Option %s = %s\n"
-+msgstr "PA-Option %s = %s\n"
-+
-+#: ../../src/clients/kinit/kinit.c:849
-+msgid "getting initial credentials"
-+msgstr "Anfängliche Anmeldedaten werden geholt."
-+
-+#: ../../src/clients/kinit/kinit.c:852
-+msgid "validating credentials"
-+msgstr "Anmeldedaten werden geprüft."
-+
-+#: ../../src/clients/kinit/kinit.c:855
-+msgid "renewing credentials"
-+msgstr "Anmeldedaten werden erneuert."
-+
-+#: ../../src/clients/kinit/kinit.c:860
-+#, c-format
-+msgid "%s: Password incorrect while %s\n"
-+msgstr "%s: Passwort bei %s falsch\n"
-+
-+#: ../../src/clients/kinit/kinit.c:863
-+#, c-format
-+msgid "while %s"
-+msgstr "bei %s"
-+
-+#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224
-+#, c-format
-+msgid "when initializing cache %s"
-+msgstr "beim Initialisieren des Zwischenspeichers %s"
-+
-+#: ../../src/clients/kinit/kinit.c:876
-+#, c-format
-+msgid "Initialized cache\n"
-+msgstr "initialisierter Zwischenspeicher\n"
-+
-+#: ../../src/clients/kinit/kinit.c:880
-+msgid "while storing credentials"
-+msgstr "beim Speichern der Anmeldedaten"
-+
-+#: ../../src/clients/kinit/kinit.c:884
-+#, c-format
-+msgid "Stored credentials\n"
-+msgstr "gespeicherte Anmeldedaten\n"
-+
-+#: ../../src/clients/kinit/kinit.c:891
-+msgid "while switching to new ccache"
-+msgstr "beim Wechsel zum neuen Ccache"
-+
-+#: ../../src/clients/kinit/kinit.c:946
-+#, c-format
-+msgid "Authenticated to Kerberos v5\n"
-+msgstr "Authentifiziert für Kerberos v5\n"
-+
-+#: ../../src/clients/klist/klist.c:91
-+#, c-format
-+msgid ""
-+"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] "
-+"[name]\n"
-+msgstr ""
-+"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-"
-+"K]] [Name]\n"
-+
-+#: ../../src/clients/klist/klist.c:93
-+#, c-format
-+msgid "\t-c specifies credentials cache\n"
-+msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n"
-+
-+#: ../../src/clients/klist/klist.c:94
-+#, c-format
-+msgid "\t-k specifies keytab\n"
-+msgstr "\t-k gibt die Schlüsseltabelle an.\n"
-+
-+#: ../../src/clients/klist/klist.c:95
-+#, c-format
-+msgid "\t (Default is credentials cache)\n"
-+msgstr "\t (Voreinstellung ist Anmeldedatenzwischenspeicher)\n"
-+
-+#: ../../src/clients/klist/klist.c:96
-+#, c-format
-+msgid "\t-i uses default client keytab if no name given\n"
-+msgstr ""
-+"\t-i verwendet die Standardschlüsseltabelle des Clients, falls kein Name "
-+"angegeben wurde.\n"
-+
-+#: ../../src/clients/klist/klist.c:97
-+#, c-format
-+msgid "\t-l lists credential caches in collection\n"
-+msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n"
-+
-+#: ../../src/clients/klist/klist.c:98
-+#, c-format
-+msgid "\t-A shows content of all credential caches\n"
-+msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n"
-+
-+#: ../../src/clients/klist/klist.c:99
-+#, c-format
-+msgid "\t-e shows the encryption type\n"
-+msgstr "\t-e zeigt den Verschlüsselungstyp.\n"
-+
-+#: ../../src/clients/klist/klist.c:100
-+#, c-format
-+msgid "\t-V shows the Kerberos version and exits\n"
-+msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n"
-+
-+#: ../../src/clients/klist/klist.c:101
-+#, c-format
-+msgid "\toptions for credential caches:\n"
-+msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n"
-+
-+#: ../../src/clients/klist/klist.c:102
-+#, c-format
-+msgid "\t\t-d shows the submitted authorization data types\n"
-+msgstr "\t\t-d zeigt die übertragenen Autorisierungsdatentypen.\n"
-+
-+#: ../../src/clients/klist/klist.c:104
-+#, c-format
-+msgid "\t\t-f shows credentials flags\n"
-+msgstr "t\t-f zeigt die Anmeldedatenschalter.\n"
-+
-+#: ../../src/clients/klist/klist.c:105
-+#, c-format
-+msgid "\t\t-s sets exit status based on valid tgt existence\n"
-+msgstr ""
-+"\t\t-s setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n"
-+
-+#: ../../src/clients/klist/klist.c:107
-+#, c-format
-+msgid "\t\t-a displays the address list\n"
-+msgstr "\t\t-a zeigt die Adressliste.\n"
-+
-+#: ../../src/clients/klist/klist.c:108
-+#, c-format
-+msgid "\t\t\t-n do not reverse-resolve\n"
-+msgstr "\t\t\t-n löst nicht rückwärts auf.\n"
-+
-+#: ../../src/clients/klist/klist.c:109
-+#, c-format
-+msgid "\toptions for keytabs:\n"
-+msgstr "\tOptionen für Schlüsseltabellen:\n"
-+
-+#: ../../src/clients/klist/klist.c:110
-+#, c-format
-+msgid "\t\t-t shows keytab entry timestamps\n"
-+msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n"
-+
-+#: ../../src/clients/klist/klist.c:111
-+#, c-format
-+msgid "\t\t-K shows keytab entry keys\n"
-+msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n"
-+
-+#: ../../src/clients/klist/klist.c:230
-+#, c-format
-+msgid "%s version %s\n"
-+msgstr "%s Version %s\n"
-+
-+#: ../../src/clients/klist/klist.c:282
-+msgid "while getting default client keytab"
-+msgstr "beim Holen der Standardschlüsseltabelle des Clients"
-+
-+#: ../../src/clients/klist/klist.c:287
-+msgid "while getting default keytab"
-+msgstr "beim Holen der Standardschlüsseltabelle"
-+
-+#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108
-+#, c-format
-+msgid "while resolving keytab %s"
-+msgstr "beim Ermitteln der Schlüsseltabelle %s"
-+
-+#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92
-+msgid "while getting keytab name"
-+msgstr "beim Holen des Schlüsseltabellennamens"
-+
-+#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399
-+msgid "while starting keytab scan"
-+msgstr "beim Start des Schlüsseltabellen-Scans"
-+
-+#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500
-+#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550
-+msgid "while unparsing principal name"
-+msgstr "beim Rückgängigmachen des Auswertens des Principal-Namens"
-+
-+#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443
-+msgid "while scanning keytab"
-+msgstr "beim Scannen der Schlüsseltabelle"
-+
-+#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448
-+msgid "while ending keytab scan"
-+msgstr "beim Beenden des Schlüsseltabellen-Scans"
-+
-+#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434
-+msgid "while listing ccache collection"
-+msgstr "beim Aufführen der Ccache-Sammlung"
-+
-+#: ../../src/clients/klist/klist.c:411
-+msgid "(Expired)"
-+msgstr "(abgelaufen)"
-+
-+#: ../../src/clients/klist/klist.c:466
-+#, c-format
-+msgid "while resolving ccache %s"
-+msgstr "beim Ermitteln des Ccaches %s"
-+
-+#: ../../src/clients/klist/klist.c:504
-+#, c-format
-+msgid ""
-+"Ticket cache: %s:%s\n"
-+"Default principal: %s\n"
-+"\n"
-+msgstr ""
-+"Ticketzwischenspeicher: %s:%s\n"
-+"Standard-Principal: %s\n"
-+"\n"
-+
-+#: ../../src/clients/klist/klist.c:518
-+msgid "while starting to retrieve tickets"
-+msgstr "während das Abfragen der Tickets beginnt"
-+
-+#: ../../src/clients/klist/klist.c:539
-+msgid "while finishing ticket retrieval"
-+msgstr "während das Abfragem der Tickets endet"
-+
-+#: ../../src/clients/klist/klist.c:545
-+msgid "while closing ccache"
-+msgstr "beim Schließen des Ccaches"
-+
-+#: ../../src/clients/klist/klist.c:555
-+msgid "while retrieving a ticket"
-+msgstr "beim Abfragen eines Tickets"
-+
-+#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450
-+#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285
-+msgid "while unparsing client name"
-+msgstr "beim Rückgängigmachen des Auswertens des Client-Namens"
-+
-+#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455
-+#: ../../src/slave/kprop.c:240
-+msgid "while unparsing server name"
-+msgstr "beim Rückgängigmachen des Auswertens des Server-Namens"
-+
-+#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480
-+#, c-format
-+msgid "\tfor client %s"
-+msgstr "\tfür Client %s"
-+
-+#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489
-+msgid "renew until "
-+msgstr "erneuern bis "
-+
-+#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499
-+#, c-format
-+msgid "Flags: %s"
-+msgstr "Schalter: %s"
-+
-+#: ../../src/clients/klist/klist.c:749
-+#, c-format
-+msgid "Etype (skey, tkt): %s, "
-+msgstr "Etype (Skey, TKT): %s, "
-+
-+#: ../../src/clients/klist/klist.c:766
-+#, c-format
-+msgid "AD types: "
-+msgstr "AD-Typen"
-+
-+#: ../../src/clients/klist/klist.c:783
-+#, c-format
-+msgid "\tAddresses: (none)\n"
-+msgstr "\tAdressen: (keine)\n"
-+
-+#: ../../src/clients/klist/klist.c:785
-+#, c-format
-+msgid "\tAddresses: "
-+msgstr "\tAdressen: "
-+
-+#: ../../src/clients/klist/klist.c:818
-+#, c-format
-+msgid "broken address (type %d length %d)"
-+msgstr "kaputte Adresse (Typ %d Länge %d)"
-+
-+#: ../../src/clients/klist/klist.c:838
-+#, c-format
-+msgid "unknown addrtype %d"
-+msgstr "unbekannter »addrtype« %d"
-+
-+#: ../../src/clients/klist/klist.c:847
-+#, c-format
-+msgid "unprintable address (type %d, error %d %s)"
-+msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396
-+msgid "Enter new password"
-+msgstr "Geben Sie ein neues Passwort ein."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404
-+msgid "Enter it again"
-+msgstr "Geben Sie es erneut ein."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:33
-+#, c-format
-+msgid "Unable to identify user from password file\n"
-+msgstr ""
-+"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:65
-+#, c-format
-+msgid "usage: %s [principal]\n"
-+msgstr "Aufruf: %s [Principal]\n"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:73
-+msgid "initializing kerberos library"
-+msgstr "Kerberos-Bibliothek wird initialisiert."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:77
-+msgid "allocating krb5_get_init_creds_opt"
-+msgstr "krb5_get_init_creds_opt wird reserviert."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:92
-+msgid "opening default ccache"
-+msgstr "Standard-Ccache wird geöffnet."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:97
-+msgid "getting principal from ccache"
-+msgstr "Principal wird vom Ccache geholt."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:104
-+msgid "while setting FAST ccache"
-+msgstr "beim Setzen des FAST-Ccaches"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:111
-+msgid "closing ccache"
-+msgstr "Ccache wird geschlossen."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:118
-+msgid "parsing client name"
-+msgstr "Client-Name wird ausgewertet."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:135
-+msgid "Password incorrect while getting initial ticket"
-+msgstr "Passwort beim Holen des anfänglichen Tickets falsch"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:137
-+msgid "getting initial ticket"
-+msgstr "Anfängliches Ticket wird geholt."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:144
-+msgid "while reading password"
-+msgstr "beim Lesen des Passworts"
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:152
-+msgid "changing password"
-+msgstr "Passwort wird geändert."
-+
-+#: ../../src/clients/kpasswd/kpasswd.c:174
-+#: ../lib/kadm5/chpass_util_strings.c:30
-+#, c-format
-+msgid "Password changed.\n"
-+msgstr "Passwort geändert\n"
-+
-+#: ../../src/clients/ksu/authorization.c:369
-+#, c-format
-+msgid ""
-+"Error: bad entry - %s in %s file, must be either full path or just the cmd "
-+"name\n"
-+msgstr ""
-+"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger "
-+"Pfad oder nur ein Befehlsname sein.\n"
-+
-+#: ../../src/clients/ksu/authorization.c:377
-+#, c-format
-+msgid ""
-+"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH "
-+"must be defined \n"
-+msgstr ""
-+"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, "
-+"muss CMD_PATH definiert sein.\n"
-+
-+#: ../../src/clients/ksu/authorization.c:392
-+#, c-format
-+msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n"
-+msgstr ""
-+"Fehler: falscher Eintrag – %s in Datei %s. CMD_PATH enthält keine Pfade.\n"
-+
-+#: ../../src/clients/ksu/authorization.c:401
-+#, c-format
-+msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n"
-+msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n"
-+
-+#: ../../src/clients/ksu/authorization.c:517
-+msgid "Error: not found -> "
-+msgstr "Fehler: nicht gefunden -> "
-+
-+#: ../../src/clients/ksu/authorization.c:723
-+#, c-format
-+msgid "home directory name `%s' too long, can't search for .k5login\n"
-+msgstr ""
-+"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht "
-+"möglich\n"
-+
-+#: ../../src/clients/ksu/ccache.c:368
-+#, c-format
-+msgid "home directory path for %s too long\n"
-+msgstr "Home-Verzeichnispfad für %s zu lang\n"
-+
-+#: ../../src/clients/ksu/ccache.c:461
-+msgid "while retrieving principal name"
-+msgstr "beim Abfragen des Principal-Namens"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:57
-+#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247
-+msgid "while copying client principal"
-+msgstr "beim Kopieren des Client-Principals"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:69
-+msgid "while creating tgt for local realm"
-+msgstr "beim Erstellen des TGTs für lokalen Realm"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:84
-+msgid "while retrieving creds from cache"
-+msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:95
-+msgid "while switching to target uid"
-+msgstr "beim Umschalten auf die Ziel-UID"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:100
-+#, c-format
-+msgid ""
-+"WARNING: Your password may be exposed if you enter it here and are logged \n"
-+msgstr ""
-+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben "
-+"und\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:102
-+#, c-format
-+msgid " in remotely using an unsecure (non-encrypted) channel. \n"
-+msgstr ""
-+" in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n"
-+" angemeldet sind.\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464
-+msgid "while reclaiming root uid"
-+msgstr "beim erneuten Beanspruchen der Root-UID"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:121
-+#, c-format
-+msgid "does not have any appropriate tickets in the cache.\n"
-+msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:133
-+msgid "while verifying ticket for server"
-+msgstr "beim Prüfen des Tickets für Server"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:167
-+msgid "while getting time of day"
-+msgstr "beim Holen der Tageszeit"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:171
-+#, c-format
-+msgid "Kerberos password for %s: "
-+msgstr "Kerberos-Passwort für %s: "
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:175
-+#, c-format
-+msgid "principal name %s too long for internal buffer space\n"
-+msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:184
-+#, c-format
-+msgid "while reading password for '%s'\n"
-+msgstr "beim Lesen des Passworts für »%s«\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:191
-+#, c-format
-+msgid "No password given\n"
-+msgstr "kein Passwort angegeben\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:204
-+#, c-format
-+msgid "%s: Password incorrect\n"
-+msgstr "%s: Passwort falsch\n"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:206
-+msgid "while getting initial credentials"
-+msgstr "beim Holen der Anfangsanmeldedaten"
-+
-+#: ../../src/clients/ksu/krb_auth_su.c:226
-+#: ../../src/clients/ksu/krb_auth_su.c:240
-+#, c-format
-+msgid " %s while unparsing name\n"
-+msgstr "%s beim Rückgängigmachen der Namensauswertung\n"
-+
-+#: ../../src/clients/ksu/main.c:68
-+#, c-format
-+msgid ""
-+"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r "
-+"time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a "
-+"[args... ] ]\n"
-+msgstr ""
-+"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-"
-+"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente "
-+"…] ] [-a [Argumente …] ]\n"
-+
-+#: ../../src/clients/ksu/main.c:147
-+msgid ""
-+"program name too long - quitting to avoid triggering system logging bugs"
-+msgstr ""
-+"Programmname zu lang – wird beendet, um das Auslösen von "
-+"Systemprotokollierungsfehlern zu vermeiden"
-+
-+#: ../../src/clients/ksu/main.c:173
-+msgid "while allocating memory"
-+msgstr "bei Reservieren von Speicher"
-+
-+#: ../../src/clients/ksu/main.c:186
-+msgid "while setting euid to source user"
-+msgstr "beim Setzen der EUID auf dem Quellbenutzer"
-+
-+#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231
-+#, c-format
-+msgid "Bad lifetime value (%s hours?)\n"
-+msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n"
-+
-+#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292
-+msgid "when gathering parameters"
-+msgstr "beim Zusammenstellen der Parameter"
-+
-+#: ../../src/clients/ksu/main.c:251
-+#, c-format
-+msgid "-z option is mutually exclusive with -Z.\n"
-+msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n"
-+
-+#: ../../src/clients/ksu/main.c:259
-+#, c-format
-+msgid "-Z option is mutually exclusive with -z.\n"
-+msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n"
-+
-+#: ../../src/clients/ksu/main.c:272
-+#, c-format
-+msgid "while looking for credentials cache %s"
-+msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s"
-+
-+#: ../../src/clients/ksu/main.c:278
-+#, c-format
-+msgid "malformed credential cache name %s\n"
-+msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n"
-+
-+# ksu ist eine Kerberos-Variante von su
-+#: ../../src/clients/ksu/main.c:336
-+#, c-format
-+msgid "ksu: who are you?\n"
-+msgstr "ksu: Wer sind Sie?\n"
-+
-+#: ../../src/clients/ksu/main.c:340
-+#, c-format
-+msgid "Your uid doesn't match your passwd entry?!\n"
-+msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n"
-+
-+#: ../../src/clients/ksu/main.c:355
-+#, c-format
-+msgid "ksu: unknown login %s\n"
-+msgstr "ksu: unbekannter Anmeldename %s\n"
-+
-+#: ../../src/clients/ksu/main.c:375
-+msgid "while getting source cache"
-+msgstr "beim Holen des Quellenzwischenspeichers"
-+
-+#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194
-+msgid "while opening ccache"
-+msgstr "beim Öffnen des Ccaches"
-+
-+#: ../../src/clients/ksu/main.c:389
-+msgid "while selecting the best principal"
-+msgstr "beim Auswählen des besten Principals"
-+
-+#: ../../src/clients/ksu/main.c:397
-+msgid "while returning to source uid after finding best principal"
-+msgstr ""
-+"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde"
-+
-+#: ../../src/clients/ksu/main.c:417
-+#, c-format
-+msgid "account %s: authorization failed\n"
-+msgstr "Konto %s: Autorisierung fehlgeschlagen\n"
-+
-+#: ../../src/clients/ksu/main.c:442
-+msgid "while parsing temporary name"
-+msgstr "beim Auswertens des temporären Namens"
-+
-+#: ../../src/clients/ksu/main.c:447
-+msgid "while creating temporary cache"
-+msgstr "bei Erstellen des temporären Zwischenspeichers"
-+
-+#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693
-+#, c-format
-+msgid "while copying cache %s to %s"
-+msgstr "beim Kopieren des Zwischenspeichers %s nach %s"
-+
-+#: ../../src/clients/ksu/main.c:471
-+#, c-format
-+msgid ""
-+"WARNING: Your password may be exposed if you enter it here and are logged\n"
-+msgstr ""
-+"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben "
-+"und\n"
-+
-+#: ../../src/clients/ksu/main.c:473
-+#, c-format
-+msgid " in remotely using an unsecure (non-encrypted) channel.\n"
-+msgstr ""
-+" in der Ferne über einen unsicheren (unverschlüsselten) Kanal "
-+"angemeldet\n"
-+"sind.\n"
-+
-+#: ../../src/clients/ksu/main.c:479
-+#, c-format
-+msgid "Goodbye\n"
-+msgstr "Auf Wiedersehen\n"
-+
-+#: ../../src/clients/ksu/main.c:483
-+#, c-format
-+msgid "Could not get a tgt for "
-+msgstr "Es konnte kein TGT geholt werden für "
-+
-+#: ../../src/clients/ksu/main.c:505
-+#, c-format
-+msgid "Authentication failed.\n"
-+msgstr "Authentifizierung fehlgeschlagen.\n"
-+
-+#: ../../src/clients/ksu/main.c:513
-+msgid "When unparsing name"
-+msgstr "beim Rückgängigmachen der Namensauswertung"
-+
-+#: ../../src/clients/ksu/main.c:517
-+#, c-format
-+msgid "Authenticated %s\n"
-+msgstr "Authentifiziert %s\n"
-+
-+#: ../../src/clients/ksu/main.c:524
-+msgid "while switching to target for authorization check"
-+msgstr "beim Wechsel des Ziels der Autorisierungsprüfung"
-+
-+#: ../../src/clients/ksu/main.c:531
-+msgid "while checking authorization"
-+msgstr "beim Prüfen der Autorisierung"
-+
-+#: ../../src/clients/ksu/main.c:537
-+msgid "while switching back from target after authorization check"
-+msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung"
-+
-+#: ../../src/clients/ksu/main.c:544
-+#, c-format
-+msgid "Account %s: authorization for %s for execution of\n"
-+msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n"
-+
-+#: ../../src/clients/ksu/main.c:546
-+#, c-format
-+msgid " %s successful\n"
-+msgstr " %s erfolgreich\n"
-+
-+#: ../../src/clients/ksu/main.c:552
-+#, c-format
-+msgid "Account %s: authorization for %s successful\n"
-+msgstr "Konto %s: Autorisierung für %s erfolgreich\n"
-+
-+#: ../../src/clients/ksu/main.c:564
-+#, c-format
-+msgid "Account %s: authorization for %s for execution of %s failed\n"
-+msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n"
-+
-+#: ../../src/clients/ksu/main.c:572
-+#, c-format
-+msgid "Account %s: authorization of %s failed\n"
-+msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n"
-+
-+#: ../../src/clients/ksu/main.c:587
-+msgid "while calling cc_filter"
-+msgstr "beim Aufruf von »cc_filter«"
-+
-+#: ../../src/clients/ksu/main.c:595
-+msgid "while erasing target cache"
-+msgstr "bei Löschen des Zielzwischenspeichers"
-+
-+#: ../../src/clients/ksu/main.c:615
-+#, c-format
-+msgid "ksu: permission denied (shell).\n"
-+msgstr "ksu: Zugriff verweigert (Shell)\n"
-+
-+#: ../../src/clients/ksu/main.c:624
-+#, c-format
-+msgid "ksu: couldn't set environment variable USER\n"
-+msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n"
-+
-+#: ../../src/clients/ksu/main.c:630
-+#, c-format
-+msgid "ksu: couldn't set environment variable HOME\n"
-+msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n"
-+
-+#: ../../src/clients/ksu/main.c:635
-+#, c-format
-+msgid "ksu: couldn't set environment variable SHELL\n"
-+msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n"
-+
-+#: ../../src/clients/ksu/main.c:646
-+#, c-format
-+msgid "ksu: initgroups failed.\n"
-+msgstr "ksu: »initgroups« fehlgeschlagen\n"
-+
-+#: ../../src/clients/ksu/main.c:651
-+#, c-format
-+msgid "Leaving uid as %s (%ld)\n"
-+msgstr "UID bleibt %s (%ld)\n"
-+
-+#: ../../src/clients/ksu/main.c:654
-+#, c-format
-+msgid "Changing uid to %s (%ld)\n"
-+msgstr "UID wird zu %s (%ld) geändert\n"
-+
-+#: ../../src/clients/ksu/main.c:680
-+msgid "while getting name of target ccache"
-+msgstr "beim Holen des Ziel-Ccache-Namens"
-+
-+#: ../../src/clients/ksu/main.c:700
-+#, c-format
-+msgid "%s does not have correct permissions for %s, %s aborted"
-+msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen."
-+
-+#: ../../src/clients/ksu/main.c:721
-+#, c-format
-+msgid "Internal error: command %s did not get resolved\n"
-+msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n"
-+
-+#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774
-+#, c-format
-+msgid "while trying to execv %s"
-+msgstr "beim Versuch von »execv %s«"
-+
-+#: ../../src/clients/ksu/main.c:764
-+msgid "while calling waitpid"
-+msgstr "beim Aufruf von »waitpid«"
-+
-+#: ../../src/clients/ksu/main.c:769
-+msgid "while trying to fork."
-+msgstr "beim Versuch zu verzweigen."
-+
-+#: ../../src/clients/ksu/main.c:791
-+msgid "while reading cache name from ccache"
-+msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache"
-+
-+#: ../../src/clients/ksu/main.c:797
-+#, c-format
-+msgid "ksu: couldn't set environment variable %s\n"
-+msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n"
-+
-+#: ../../src/clients/ksu/main.c:820
-+#, c-format
-+msgid "while clearing the value of %s"
-+msgstr "beim Leeren des Werts von %s"
-+
-+#: ../../src/clients/ksu/main.c:828
-+msgid "while resetting target ccache name"
-+msgstr "beim Zurücksetzen des Ziel-Ccache-Namens"
-+
-+#: ../../src/clients/ksu/main.c:842
-+msgid "while determining target ccache name"
-+msgstr "beim Bestimmen des Ziel-Ccache-Namens"
-+
-+#: ../../src/clients/ksu/main.c:881
-+msgid "while generating part of the target ccache name"
-+msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens"
-+
-+#: ../../src/clients/ksu/main.c:887
-+msgid "while allocating memory for the target ccache name"
-+msgstr "beim Reservieren von Speicher für den Ziel-Ccache-Namen"
-+
-+#: ../../src/clients/ksu/main.c:906
-+msgid "while creating new target ccache"
-+msgstr "bei Erstellen von neuem Ziel-Ccache"
-+
-+#: ../../src/clients/ksu/main.c:912
-+msgid "while initializing target cache"
-+msgstr "beim Initialisieren des Zielzwischenspeichers"
-+
-+#: ../../src/clients/ksu/main.c:952
-+#, c-format
-+msgid "terminal name %s too long\n"
-+msgstr "Terminal-Name %s ist zu lang.\n"
-+
-+#: ../../src/clients/ksu/main.c:980
-+msgid "while changing to target uid for destroying ccache"
-+msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache"
-+
-+#: ../../src/clients/kswitch/kswitch.c:44
-+#, c-format
-+msgid "Usage: %s {-c cache_name | -p principal}\n"
-+msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n"
-+
-+#: ../../src/clients/kswitch/kswitch.c:46
-+#, c-format
-+msgid "\t-p specify name of principal\n"
-+msgstr "\t-p gibt den Namen des Principals an.\n"
-+
-+#: ../../src/clients/kswitch/kswitch.c:69
-+#, c-format
-+msgid "Only one -c or -p option allowed\n"
-+msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n"
-+
-+#: ../../src/clients/kswitch/kswitch.c:88
-+#, c-format
-+msgid "One of -c or -p must be specified\n"
-+msgstr "Entweder -c oder -p muss angegeben werden.\n"
-+
-+#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211
-+#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350
-+#: ../../src/kadmin/dbutil/kdb5_util.c:576
-+#, c-format
-+msgid "while parsing principal name %s"
-+msgstr "beim Auswerten des Principal-Namens %s"
-+
-+#: ../../src/clients/kswitch/kswitch.c:124
-+msgid "while switching to credential cache"
-+msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher"
-+
-+#: ../../src/clients/kvno/kvno.c:46
-+#, c-format
-+msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n"
-+msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n"
-+
-+#: ../../src/clients/kvno/kvno.c:47
-+#, c-format
-+msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n"
-+msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n"
-+
-+#: ../../src/clients/kvno/kvno.c:48
-+#, c-format
-+msgid "\tservice1 service2 ...\n"
-+msgstr "\tDienst1 Dienst2 …\n"
-+
-+#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111
-+#, c-format
-+msgid "Options -u and -S are mutually exclusive\n"
-+msgstr "Die Optionen -u und -S schließen sich gegenseitig aus.\n"
-+
-+#: ../../src/clients/kvno/kvno.c:126
-+#, c-format
-+msgid "Option -P (constrained delegation) requires keytab to be specified\n"
-+msgstr ""
-+"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine "
-+"Schlüsseltabelle.\n"
-+
-+#: ../../src/clients/kvno/kvno.c:130
-+#, c-format
-+msgid ""
-+"Option -P (constrained delegation) requires option -U (protocol transition)\n"
-+msgstr ""
-+"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U "
-+"(Protokollübergang)\n"
-+
-+#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280
-+msgid "while initializing krb5 library"
-+msgstr "beim Initialisieren der Krb5-Bibliothek"
-+
-+#: ../../src/clients/kvno/kvno.c:182
-+msgid "while converting etype"
-+msgstr "bei der Etype-Umwandlung"
-+
-+#: ../../src/clients/kvno/kvno.c:218
-+msgid "while getting client principal name"
-+msgstr "beim Holen des Client-Principal-Namens"
-+
-+#: ../../src/clients/kvno/kvno.c:256
-+#, c-format
-+msgid "while formatting parsed principal name for '%s'"
-+msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«"
-+
-+#: ../../src/clients/kvno/kvno.c:267
-+msgid "client and server principal names must match"
-+msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen."
-+
-+#: ../../src/clients/kvno/kvno.c:284
-+#, c-format
-+msgid "while getting credentials for %s"
-+msgstr "beim Holen der Anmeldedaten für %s"
-+
-+#: ../../src/clients/kvno/kvno.c:291
-+#, c-format
-+msgid "while decoding ticket for %s"
-+msgstr "beim Dekodieren des Tickets für %s"
-+
-+#: ../../src/clients/kvno/kvno.c:302
-+#, c-format
-+msgid "while decrypting ticket for %s"
-+msgstr "beim Entschlüsseln des Tickets für %s"
-+
-+#: ../../src/clients/kvno/kvno.c:306
-+#, c-format
-+msgid "%s: kvno = %d, keytab entry valid\n"
-+msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n"
-+
-+#: ../../src/clients/kvno/kvno.c:324
-+#, c-format
-+msgid "%s: constrained delegation failed"
-+msgstr "%s: eingeschränkte Abtretung fehlgeschlagen"
-+
-+#: ../../src/clients/kvno/kvno.c:330
-+#, c-format
-+msgid "%s: kvno = %d\n"
-+msgstr "%s: KVNO = %d\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:118
-+#, c-format
-+msgid ""
-+"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
-+"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n"
-+"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
-+"where,\n"
-+"\t[-x db_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n"
-+"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n"
-+"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n"
-+"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n"
-+"wobei\n"
-+"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente\n"
-+"\tist. Die unterstützten Argumente finden Sie in den jeweiligen "
-+"\tDatenbankdokumentationen\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333
-+#, c-format
-+msgid "%s: Cannot initialize. Not enough memory\n"
-+msgstr "%s: Zu wenig Speicher zum Initialisieren\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804
-+#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634
-+#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591
-+#, c-format
-+msgid "while parsing keysalts %s"
-+msgstr "beim Auswerten der Schlüssel-Salts %s"
-+
-+#: ../../src/kadmin/cli/kadmin.c:376
-+#, c-format
-+msgid "%s: unable to get default realm\n"
-+msgstr "%s: Standard-Realm kann nicht geholt werden\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:396
-+msgid "while opening default credentials cache"
-+msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers"
-+
-+#: ../../src/kadmin/cli/kadmin.c:402
-+#, c-format
-+msgid "while opening credentials cache %s"
-+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
-+
-+#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479
-+#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494
-+#, c-format
-+msgid "%s: out of memory\n"
-+msgstr "%s: Speicherplatz reicht nicht aus\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448
-+#: ../../src/slave/kpropd.c:681
-+msgid "while canonicalizing principal name"
-+msgstr "während der Principal-Name in die normale Form gebracht wird"
-+
-+#: ../../src/kadmin/cli/kadmin.c:442
-+msgid "creating host service principal"
-+msgstr "Principal des Rechnerdienstes wird erstellt"
-+
-+#: ../../src/kadmin/cli/kadmin.c:455
-+#, c-format
-+msgid "%s: unable to canonicalize principal\n"
-+msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:499
-+#, c-format
-+msgid "%s: unable to figure out a principal name\n"
-+msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:507
-+msgid "while setting up logging"
-+msgstr "beim Einrichten der Protokollierung"
-+
-+#: ../../src/kadmin/cli/kadmin.c:516
-+#, c-format
-+msgid "Authenticating as principal %s with existing credentials.\n"
-+msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:522
-+#, c-format
-+msgid "Authenticating as principal %s with password; anonymous requested.\n"
-+msgstr ""
-+"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:529
-+#, c-format
-+msgid "Authenticating as principal %s with keytab %s.\n"
-+msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:532
-+#, c-format
-+msgid "Authenticating as principal %s with default keytab.\n"
-+msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:538
-+#, c-format
-+msgid "Authenticating as principal %s with password.\n"
-+msgstr "Authentifizierung als Principal %s mit Passwort\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728
-+#, c-format
-+msgid "while initializing %s interface"
-+msgstr "beim Initialisieren der Schnittstelle %s"
-+
-+#: ../../src/kadmin/cli/kadmin.c:560
-+#, c-format
-+msgid "while closing ccache %s"
-+msgstr "beim Schließen von Ccache %s"
-+
-+#: ../../src/kadmin/cli/kadmin.c:566
-+msgid "while mapping update log"
-+msgstr "beim Abbilden des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/cli/kadmin.c:581
-+msgid "while unlocking locked database"
-+msgstr "beim Entsperren der Datenbank"
-+
-+#: ../../src/kadmin/cli/kadmin.c:590
-+msgid "Administration credentials NOT DESTROYED.\n"
-+msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:639
-+#, c-format
-+msgid "usage: delete_principal [-force] principal\n"
-+msgstr "Aufruf: delete_principal [-force] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819
-+msgid "while parsing principal name"
-+msgstr "beim Auswerten des Principal-Namens"
-+
-+#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825
-+#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339
-+#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858
-+#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948
-+#: ../../src/kadmin/cli/kadmin.c:1988
-+msgid "while canonicalizing principal"
-+msgstr "während der Principal in die normale Form gebracht wird"
-+
-+#: ../../src/kadmin/cli/kadmin.c:654
-+#, c-format
-+msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): "
-+msgstr ""
-+"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): "
-+
-+#: ../../src/kadmin/cli/kadmin.c:658
-+#, c-format
-+msgid "Principal \"%s\" not deleted\n"
-+msgstr "Principal »%s« nicht gelöscht\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:665
-+#, c-format
-+msgid "while deleting principal \"%s\""
-+msgstr "beim Löschen von Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:668
-+#, c-format
-+msgid "Principal \"%s\" deleted.\n"
-+msgstr "Principal »%s« gelöscht\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:669
-+#, c-format
-+msgid ""
-+"Make sure that you have removed this principal from all ACLs before "
-+"reusing.\n"
-+msgstr ""
-+"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, "
-+"bevor Sie ihn erneut benutzen.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:686
-+#, c-format
-+msgid "usage: rename_principal [-force] old_principal new_principal\n"
-+msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:693
-+msgid "while parsing old principal name"
-+msgstr "beim Auswerten des alten Principal-Namens"
-+
-+#: ../../src/kadmin/cli/kadmin.c:699
-+msgid "while parsing new principal name"
-+msgstr "beim Auswerten des neuen Principal-Namens"
-+
-+#: ../../src/kadmin/cli/kadmin.c:705
-+msgid "while canonicalizing old principal"
-+msgstr "während der alte Principal in die normale Form gebracht wird"
-+
-+#: ../../src/kadmin/cli/kadmin.c:711
-+msgid "while canonicalizing new principal"
-+msgstr "während der neue Principal in die normale Form gebracht wird"
-+
-+#: ../../src/kadmin/cli/kadmin.c:715
-+#, c-format
-+msgid ""
-+"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): "
-+msgstr ""
-+"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? "
-+"(yes/no): "
-+
-+#: ../../src/kadmin/cli/kadmin.c:719
-+#, c-format
-+msgid "Principal \"%s\" not renamed\n"
-+msgstr "Principal »%s« wurde nicht umbenannt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:726
-+#, c-format
-+msgid "while renaming principal \"%s\" to \"%s\""
-+msgstr "beim Umbenennen von Principal »%s« in »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:730
-+#, c-format
-+msgid "Principal \"%s\" renamed to \"%s\".\n"
-+msgstr "Principal »%s« wurde in »%s« umbenannt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:731
-+#, c-format
-+msgid ""
-+"Make sure that you have removed the old principal from all ACLs before "
-+"reusing.\n"
-+msgstr ""
-+"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt "
-+"haben, bevor Sie ihn erneut benutzen.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:746
-+#, c-format
-+msgid ""
-+"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] "
-+"principal\n"
-+msgstr ""
-+"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw "
-+"Passwort] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:772
-+msgid "change_password: missing db argument"
-+msgstr "change_password: fehlendes Datenbankargument"
-+
-+#: ../../src/kadmin/cli/kadmin.c:778
-+#, c-format
-+msgid "change_password: Not enough memory\n"
-+msgstr "change_password: zu wenig Speicher\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:786
-+msgid "change_password: missing password arg"
-+msgstr "change_password: fehlendes Passwortargument"
-+
-+#: ../../src/kadmin/cli/kadmin.c:797
-+msgid "change_password: missing keysaltlist arg"
-+msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument"
-+
-+#: ../../src/kadmin/cli/kadmin.c:813
-+msgid "missing principal name"
-+msgstr "fehlender Principal-Name"
-+
-+#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874
-+#, c-format
-+msgid "while changing password for \"%s\"."
-+msgstr "beim Ändern des Passworts von »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877
-+#, c-format
-+msgid "Password for \"%s\" changed.\n"
-+msgstr "Passwort von »%s« geändert\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290
-+#, c-format
-+msgid "while randomizing key for \"%s\"."
-+msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:849
-+#, c-format
-+msgid "Key for \"%s\" randomized.\n"
-+msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250
-+#, c-format
-+msgid "Enter password for principal \"%s\""
-+msgstr "Geben Sie das Passwort für Principal »%s« ein."
-+
-+#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252
-+#, c-format
-+msgid "Re-enter password for principal \"%s\""
-+msgstr "Geben Sie das Passwort für Principal »%s« erneut ein."
-+
-+#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256
-+#, c-format
-+msgid "while reading password for \"%s\"."
-+msgstr "beim Lesen des Passworts von »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:915
-+#, c-format
-+msgid "Not enough memory\n"
-+msgstr "Speicher reicht nicht aus\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623
-+msgid "while getting time"
-+msgstr "beim Holen der Zeit"
-+
-+#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007
-+#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033
-+#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558
-+#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618
-+#, c-format
-+msgid "Invalid date specification \"%s\".\n"
-+msgstr "ungültige Datumsangabe »%s«\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333
-+#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852
-+#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942
-+#: ../../src/kadmin/cli/kadmin.c:1982
-+msgid "while parsing principal"
-+msgstr "beim Auswerten des Principals"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1127
-+#, c-format
-+msgid "usage: add_principal [options] principal\n"
-+msgstr "Aufruf: add_principal [Optionen] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155
-+#: ../../src/kadmin/cli/kadmin.c:1657
-+#, c-format
-+msgid "\toptions are:\n"
-+msgstr "\tEs gibt folgende Optionen:\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1130
-+#, c-format
-+msgid ""
-+"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire "
-+"pwexpdate] [-maxlife maxtixlife]\n"
-+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
-+"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
-+"\t\t[-e keysaltlist]\n"
-+"\t\t[{+|-}attribute]\n"
-+msgstr ""
-+"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-"
-+"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
-+"\t\t[-pw Passwort] [-maxrenewlife maximale_Dauer_bis_zum_Erneuern]\n"
-+"\t\t[-e Schlüssel-Salt-Liste]\n"
-+"\t\t[{+|-}Attribut]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1136
-+#, c-format
-+msgid "\tattributes are:\n"
-+msgstr "\tEs gibt folgende Attribute:\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164
-+#, c-format
-+msgid ""
-+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
-+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
-+"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
-+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_princ_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n"
-+"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n"
-+"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
-+"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
-+"\n"
-+"wobei\n"
-+"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n"
-+"\tdatenbankspezifischer Argumente ist.\n"
-+"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n"
-+"Datenbankdokumentation.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1154
-+#, c-format
-+msgid "usage: modify_principal [options] principal\n"
-+msgstr "Aufruf: modify_principal [Optionen] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1157
-+#, c-format
-+msgid ""
-+"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife "
-+"maxtixlife]\n"
-+"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
-+"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n"
-+msgstr ""
-+"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire "
-+"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n"
-+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}"
-+"Attribut]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362
-+#, c-format
-+msgid "WARNING: policy \"%s\" does not exist\n"
-+msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1230
-+#, c-format
-+msgid "NOTICE: no policy specified for %s; assigning \"default\"\n"
-+msgstr ""
-+"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« "
-+"zugewiesen\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1235
-+#, c-format
-+msgid "WARNING: no policy specified for %s; defaulting to no policy\n"
-+msgstr ""
-+"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe "
-+"»keine\n"
-+"Richtlinie« verwandt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1276
-+#, c-format
-+msgid "Admin server does not support -nokey while creating \"%s\"\n"
-+msgstr ""
-+"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1298
-+#, c-format
-+msgid "while clearing DISALLOW_ALL_TIX for \"%s\"."
-+msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1345
-+#, c-format
-+msgid "while getting \"%s\"."
-+msgstr "beim Holen von »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1371
-+#, c-format
-+msgid "while modifying \"%s\"."
-+msgstr "beim Ändern von »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1375
-+#, c-format
-+msgid "Principal \"%s\" modified.\n"
-+msgstr "Principal »%s« wurde geändert.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1396
-+#, c-format
-+msgid "usage: get_principal [-terse] principal\n"
-+msgstr "Aufruf: get_principal [-terse] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1415
-+#, c-format
-+msgid "while retrieving \"%s\"."
-+msgstr "beim Abfragen von »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425
-+msgid "while unparsing principal"
-+msgstr "beim Rückgängigmachen der Auswertung des Principals"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1429
-+#, c-format
-+msgid "Principal: %s\n"
-+msgstr "Principal: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1430
-+#, c-format
-+msgid "Expiration date: %s\n"
-+msgstr "Ablaufdatum: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433
-+#: ../../src/kadmin/cli/kadmin.c:1444
-+msgid "[never]"
-+msgstr "[niemals]"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1432
-+#, c-format
-+msgid "Last password change: %s\n"
-+msgstr "Letzte Passwortänderung: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1434
-+#, c-format
-+msgid "Password expiration date: %s\n"
-+msgstr "Passwortablaufdatum: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478
-+msgid "[none]"
-+msgstr "[keins]"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1437
-+#, c-format
-+msgid "Maximum ticket life: %s\n"
-+msgstr "maximale Ticketlebensdauer: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1438
-+#, c-format
-+msgid "Maximum renewable life: %s\n"
-+msgstr "maximale verlängerbare Lebensdauer: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1440
-+#, c-format
-+msgid "Last modified: %s (%s)\n"
-+msgstr "zuletzt geändert: %s (%s)\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1442
-+#, c-format
-+msgid "Last successful authentication: %s\n"
-+msgstr "letzte erfolgreiche Authentifizierung: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1448
-+#, c-format
-+msgid "Failed password attempts: %d\n"
-+msgstr "Fehlgeschlagene Anmeldeversuche: %d\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1450
-+#, c-format
-+msgid "Number of keys: %d\n"
-+msgstr "Anzahl der Schlüssel: %d\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1457
-+#, c-format
-+msgid "<Encryption type 0x%x>"
-+msgstr "<Verschlüsselungstyp 0x%x>"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1464
-+#, c-format
-+msgid "<Salt type 0x%x>"
-+msgstr "<Salt-Typ 0x%x>"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1470
-+#, c-format
-+msgid "MKey: vno %d\n"
-+msgstr "MKey: vno %d\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1472
-+#, c-format
-+msgid "Attributes:"
-+msgstr "Attribute:"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1480
-+msgid " [does not exist]"
-+msgstr " [existiert nicht]"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1481
-+#, c-format
-+msgid "Policy: %s%s\n"
-+msgstr "Richtlinie: %s%s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1517
-+#, c-format
-+msgid "usage: get_principals [expression]\n"
-+msgstr "Aufruf: get_principals [Ausdruck]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794
-+msgid "while retrieving list."
-+msgstr "beim Abfragen der Liste."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1647
-+#, c-format
-+msgid "%s: parser lost count!\n"
-+msgstr "%s: Auswertungsprogramm verlor Anzahl!\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1656
-+#, c-format
-+msgid "usage; %s [options] policy\n"
-+msgstr "Aufruf: %s [Optionen] Richtlinie\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1659
-+#, c-format
-+msgid ""
-+"\t\t[-maxlife time] [-minlife time] [-minlength length]\n"
-+"\t\t[-minclasses number] [-history number]\n"
-+"\t\t[-maxfailure number] [-failurecountinterval time]\n"
-+"\t\t[-allowedkeysalts keysalts]\n"
-+msgstr ""
-+"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n"
-+"\t\t[-minclasses Anzahl] [-history Nummer]\n"
-+"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n"
-+"\t\t[-allowedkeysalts Schlüssel-Salts]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1663
-+#, c-format
-+msgid "\t\t[-lockoutduration time]\n"
-+msgstr "\t\t[-lockoutduration Dauer]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1682
-+#, c-format
-+msgid "while creating policy \"%s\"."
-+msgstr "beim Erstellen der Richtlinie »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1703
-+#, c-format
-+msgid "while modifying policy \"%s\"."
-+msgstr "beim Ändern der Richtlinie »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1715
-+#, c-format
-+msgid "usage: delete_policy [-force] policy\n"
-+msgstr "Aufruf: delete_policy [-force] Richtlinie\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1719
-+#, c-format
-+msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): "
-+msgstr ""
-+"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): "
-+
-+#: ../../src/kadmin/cli/kadmin.c:1723
-+#, c-format
-+msgid "Policy \"%s\" not deleted.\n"
-+msgstr "Richtlinie »%s« nicht gelöscht\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1729
-+#, c-format
-+msgid "while deleting policy \"%s\""
-+msgstr "bei Löschen der Richtlinie »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1741
-+#, c-format
-+msgid "usage: get_policy [-terse] policy\n"
-+msgstr "Aufruf: get_policy [-terse] Richtlinie\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1746
-+#, c-format
-+msgid "while retrieving policy \"%s\"."
-+msgstr "beim Abfragen der Richtlinie »%s«."
-+
-+#: ../../src/kadmin/cli/kadmin.c:1751
-+#, c-format
-+msgid "Policy: %s\n"
-+msgstr "Richtlinie: »%s«\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1752
-+#, c-format
-+msgid "Maximum password life: %ld\n"
-+msgstr "maximale Passwortlebensdauer: %ld\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1753
-+#, c-format
-+msgid "Minimum password life: %ld\n"
-+msgstr "minimale Passwortlebensdauer: %ld\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1754
-+#, c-format
-+msgid "Minimum password length: %ld\n"
-+msgstr "minimale Passwortlänge: %ld\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1755
-+#, c-format
-+msgid "Minimum number of password character classes: %ld\n"
-+msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1757
-+#, c-format
-+msgid "Number of old keys kept: %ld\n"
-+msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1758
-+#, c-format
-+msgid "Maximum password failures before lockout: %lu\n"
-+msgstr "maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1760
-+#, c-format
-+msgid "Password failure count reset interval: %s\n"
-+msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1762
-+#, c-format
-+msgid "Password lockout duration: %s\n"
-+msgstr "Passwortsperrdauer: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1765
-+#, c-format
-+msgid "Allowed key/salt types: %s\n"
-+msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1789
-+#, c-format
-+msgid "usage: get_policies [expression]\n"
-+msgstr "Aufruf: get_policies [Ausdruck]\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1811
-+#, c-format
-+msgid "usage: get_privs\n"
-+msgstr "Aufruf: get_privs\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1816
-+msgid "while retrieving privileges"
-+msgstr "beim Abfragen von Rechten"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1819
-+#, c-format
-+msgid "current privileges:"
-+msgstr "aktuelle Rechte:"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1845
-+#, c-format
-+msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n"
-+msgstr ""
-+"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1865
-+#, c-format
-+msgid "while purging keys for principal \"%s\""
-+msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1870
-+#, c-format
-+msgid "All keys for principal \"%s\" removed.\n"
-+msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1872
-+#, c-format
-+msgid "Old keys for principal \"%s\" purged.\n"
-+msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1889
-+#, c-format
-+msgid "usage: get_strings principal\n"
-+msgstr "Aufruf: get_strings Principal\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1909
-+#, c-format
-+msgid "while getting attributes for principal \"%s\""
-+msgstr "beim Holen von Attributen für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1914
-+#, c-format
-+msgid "(No string attributes.)\n"
-+msgstr "(keine Zeichenkettenattribute)\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1933
-+#, c-format
-+msgid "usage: set_string principal key value\n"
-+msgstr "Aufruf: set_string Principal Schlüssel Wert\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1955
-+#, c-format
-+msgid "while setting attribute on principal \"%s\""
-+msgstr "beim Setzen eines Attributes für Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1959
-+#, c-format
-+msgid "Attribute set for principal \"%s\".\n"
-+msgstr "Attribute für Principal »%s« wurden gesetzt.\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1974
-+#, c-format
-+msgid "usage: del_string principal key\n"
-+msgstr "Aufruf: del_string Principal Schlüssel\n"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1995
-+#, c-format
-+msgid "while deleting attribute from principal \"%s\""
-+msgstr "beim Löschen eines Attributs von Principal »%s«"
-+
-+#: ../../src/kadmin/cli/kadmin.c:1999
-+#, c-format
-+msgid "Attribute removed from principal \"%s\".\n"
-+msgstr "Attribut von Principal »%s« wurde gelöscht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:56
-+#, c-format
-+msgid ""
-+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] "
-+"[principal | -glob princ-exp] [...]\n"
-+msgstr ""
-+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-"
-+"norandkey] [Principal | -glob Principal-Ausdruck] […]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:59
-+#, c-format
-+msgid ""
-+"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob "
-+"princ-exp] [...]\n"
-+msgstr ""
-+"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] "
-+"[Principal | -glob Principal-Ausdruck] […]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:67
-+#, c-format
-+msgid ""
-+"Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n"
-+msgstr ""
-+"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal "
-+"[kvno|»all«|»old«]\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102
-+msgid "while creating keytab name"
-+msgstr "beim Erstellen des Schlüsseltabellennamens"
-+
-+#: ../../src/kadmin/cli/keytab.c:86
-+msgid "while opening default keytab"
-+msgstr "beim Öffnen der Standardschlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:147
-+#, c-format
-+msgid "-norandkey option only valid for kadmin.local\n"
-+msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:176
-+#, c-format
-+msgid "cannot specify keysaltlist when not changing key\n"
-+msgstr ""
-+"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht "
-+"geändert wird\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:192
-+#, c-format
-+msgid "while expanding expression \"%s\"."
-+msgstr "beim Expandieren des Ausdrucks »%s«."
-+
-+#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251
-+msgid "while closing keytab"
-+msgstr "beim Schließen der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:275
-+#, c-format
-+msgid "while parsing -add principal name %s"
-+msgstr "beim Auswerten von »-add Principal-Name %s«"
-+
-+#: ../../src/kadmin/cli/keytab.c:289
-+#, c-format
-+msgid "%s: Principal %s does not exist.\n"
-+msgstr "%s: Principal %s existiert nicht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:292
-+#, c-format
-+msgid "while changing %s's key"
-+msgstr "beim Ändern des Schlüssels von %s"
-+
-+#: ../../src/kadmin/cli/keytab.c:299
-+msgid "while retrieving principal"
-+msgstr "beim Abfragen des Principals"
-+
-+#: ../../src/kadmin/cli/keytab.c:311
-+msgid "while adding key to keytab"
-+msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:317
-+#, c-format
-+msgid ""
-+"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n"
-+msgstr ""
-+"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde "
-+"der Schlüsseltabelle %s hinzugefügt.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:326
-+msgid "while freeing principal entry"
-+msgstr "beim Freigeben des Principal-Eintrags"
-+
-+#: ../../src/kadmin/cli/keytab.c:373
-+#, c-format
-+msgid "%s: Keytab %s does not exist.\n"
-+msgstr "%s: Schlüsseltabelle %s existiert nicht.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:377
-+#, c-format
-+msgid "%s: No entry for principal %s exists in keytab %s\n"
-+msgstr ""
-+"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:381
-+#, c-format
-+msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n"
-+msgstr ""
-+"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der "
-+"Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:387
-+msgid "while retrieving highest kvno from keytab"
-+msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:420
-+msgid "while temporarily ending keytab scan"
-+msgstr "beim Unterbrechen des Schlüsseltabellen-Scans"
-+
-+#: ../../src/kadmin/cli/keytab.c:425
-+msgid "while deleting entry from keytab"
-+msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle"
-+
-+#: ../../src/kadmin/cli/keytab.c:430
-+msgid "while restarting keytab scan"
-+msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans"
-+
-+#: ../../src/kadmin/cli/keytab.c:436
-+#, c-format
-+msgid "Entry for principal %s with kvno %d removed from keytab %s.\n"
-+msgstr ""
-+"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s "
-+"entfernt.\n"
-+
-+#: ../../src/kadmin/cli/keytab.c:458
-+#, c-format
-+msgid "%s: There is only one entry for principal %s in keytab %s\n"
-+msgstr ""
-+"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n"
-+
-+#: ../../src/kadmin/cli/ss_wrapper.c:49 ../../src/kadmin/ktutil/ktutil.c:58
-+msgid "creating invocation"
-+msgstr "Aufruf wird erstellt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:165
-+msgid "while allocating temporary filename dump"
-+msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs"
-+
-+#: ../../src/kadmin/dbutil/dump.c:176
-+msgid "while renaming dump file into place"
-+msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:192
-+msgid "while allocating dump_ok filename"
-+msgstr "beim Reservieren des »dump_ok«-Dateinamens"
-+
-+#: ../../src/kadmin/dbutil/dump.c:199
-+#, c-format
-+msgid "while creating 'ok' file, '%s'"
-+msgstr "beim Erstellen der Datei »ok«, »%s«"
-+
-+#: ../../src/kadmin/dbutil/dump.c:206
-+#, c-format
-+msgid "while locking 'ok' file, '%s'"
-+msgstr "beim Sperren der Datei »ok«, »%s«"
-+
-+#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277
-+#, c-format
-+msgid "%s: regular expression error: %s\n"
-+msgstr "%s: Fehler im regulären Ausdruck: %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:260
-+#, c-format
-+msgid "%s: regular expression match error: %s\n"
-+msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:361
-+#, c-format
-+msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n"
-+msgstr ""
-+"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d "
-+"gespeichert)\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:519
-+#, c-format
-+msgid ""
-+"Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n"
-+msgstr ""
-+"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden "
-+"übersprungen.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:530
-+#, c-format
-+msgid ""
-+"Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible "
-+"record; skipping\n"
-+msgstr ""
-+"Warnung! Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-"
-+"kompatibler Datensatz erzeugt werden, wird übersprungen\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:558
-+#, c-format
-+msgid "while converting %s to new master key"
-+msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel"
-+
-+#: ../../src/kadmin/dbutil/dump.c:579
-+#, c-format
-+msgid "%s(%d): %s\n"
-+msgstr "%s(%d): %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:622
-+#, c-format
-+msgid "%s(%d): ignoring trash at end of line: "
-+msgstr "%s(%d): Müll am Zeilenende wird ignoriert: "
-+
-+#: ../../src/kadmin/dbutil/dump.c:685
-+msgid "cannot read tagged data type and length"
-+msgstr "Markierter Datentyp und Länge können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:692
-+msgid "cannot read tagged data contents"
-+msgstr "Inhalt der markierten Daten kann nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:726
-+msgid "cannot match size tokens"
-+msgstr "Größenmerkmale können nicht zugeordnet werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:755
-+msgid "cannot read name string"
-+msgstr "Namenszeichenkette kann nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:760
-+#, c-format
-+msgid "while parsing name %s"
-+msgstr "beim Auswerten des Namens %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:768
-+msgid "cannot read principal attributes"
-+msgstr "Principal-Attribute können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:821
-+msgid "cannot read key size and version"
-+msgstr "Schlüssellänge und -version können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:832
-+msgid "cannot read key type and length"
-+msgstr "Schlüsseltyp und -länge können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:838
-+msgid "cannot read key data"
-+msgstr "Schlüsseldaten können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:848
-+msgid "cannot read extra data"
-+msgstr "Zusätzliche Daten können nicht gelesen werden."
-+
-+#: ../../src/kadmin/dbutil/dump.c:857
-+#, c-format
-+msgid "while storing %s"
-+msgstr "beim Speichern von %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935
-+#: ../../src/kadmin/dbutil/dump.c:981
-+#, c-format
-+msgid "cannot parse policy (%d read)\n"
-+msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943
-+#: ../../src/kadmin/dbutil/dump.c:1001
-+msgid "while creating policy"
-+msgstr "beim Erstellen der Richtlinie"
-+
-+#: ../../src/kadmin/dbutil/dump.c:908
-+#, c-format
-+msgid "created policy %s\n"
-+msgstr "erstellte Richtlinie %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1038
-+#, c-format
-+msgid "unknown record type \"%s\"\n"
-+msgstr "unbekannter Datensatztyp »%s«\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1167
-+#, c-format
-+msgid "%s: Unknown iprop dump version %d\n"
-+msgstr "%s: unbekannte Iprop-Auszugsversion %d\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498
-+#, c-format
-+msgid "Iprop not enabled\n"
-+msgstr "Iprop nicht aktiviert\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1308
-+msgid "Conditional dump is an undocumented option for use only for iprop dumps"
-+msgstr ""
-+"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-"
-+"Auszüge benutzt wird."
-+
-+#: ../../src/kadmin/dbutil/dump.c:1321
-+msgid "Database not currently opened!"
-+msgstr "Die Datenbank ist zur Zeit nicht geöffnet!"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1335
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:116
-+#: ../../src/kadmin/dbutil/kdb5_util.c:479
-+msgid "while reading master key"
-+msgstr "beim Lesen des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1341
-+msgid "while verifying master key"
-+msgstr "beim Prüfen des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370
-+msgid "while reading new master key"
-+msgstr "beim Lesen des neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1364
-+#, c-format
-+msgid "Please enter new master key....\n"
-+msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1388
-+#, c-format
-+msgid "while opening %s for writing"
-+msgstr "beim Öffnen von %s zum Schreiben"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1403
-+msgid "while reading update log header"
-+msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425
-+#, c-format
-+msgid "performing %s dump"
-+msgstr "Auszug von %s wird durchgeführt"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1455
-+#, c-format
-+msgid "%s: error processing line %d of %s\n"
-+msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1507
-+msgid "while parsing options"
-+msgstr "beim Auswerten der Optionen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1522
-+#, c-format
-+msgid "while opening %s"
-+msgstr "beim Öffnen von %s"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626
-+msgid "standard input"
-+msgstr "Standardeingabe"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1532
-+#, c-format
-+msgid "%s: can't read dump header in %s\n"
-+msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557
-+#, c-format
-+msgid "%s: dump header bad in %s\n"
-+msgstr "%s: falsche Kopfzeilen des Auszugs in %s\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1566
-+#, c-format
-+msgid "Could not open iprop ulog\n"
-+msgstr "Iprop-Ulog kann nicht geöffnet werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1571
-+#, c-format
-+msgid "%s: dump version %s can only be loaded with the -update flag\n"
-+msgstr ""
-+"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585
-+msgid "computing parameters for database"
-+msgstr "Parameter für die Datenbank werden berechnet."
-+
-+#: ../../src/kadmin/dbutil/dump.c:1591
-+msgid "while creating database"
-+msgstr "beim Erstellen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1600
-+msgid "while opening database"
-+msgstr "beim Öffnen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1610
-+msgid "while permanently locking database"
-+msgstr "beim dauerhaften Sperren der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1628
-+#, c-format
-+msgid "%s: %s restore failed\n"
-+msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1633
-+msgid "while unlocking database"
-+msgstr "beim Aufheben der Datenbanksperre"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662
-+msgid "while reinitializing update log"
-+msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1653
-+msgid "while making newly loaded database live"
-+msgstr "beim Aktivieren der neu geladenen Datenbank"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1669
-+msgid "while writing update log header"
-+msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen"
-+
-+#: ../../src/kadmin/dbutil/dump.c:1683
-+#, c-format
-+msgid "while deleting bad database %s"
-+msgstr "beim Löschen der falschen Datenbank %s"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:84
-+msgid "while looking up the Kerberos configuration"
-+msgstr "beim Nachschlagen der Kerberos-Konfiguration"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:111
-+msgid "while initializing the Kerberos admin interface"
-+msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:169
-+#, c-format
-+msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n"
-+msgstr ""
-+"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt "
-+"werden.\n"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:190
-+#: ../../src/kadmin/dbutil/kadm5_create.c:196
-+#, c-format
-+msgid "Out of memory\n"
-+msgstr "Speicherplatz reicht nicht aus.\n"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:270
-+msgid "while appending realm to principal"
-+msgstr "beim Anhängen des Realms an den Principal"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:275
-+msgid "while parsing admin principal name"
-+msgstr "beim Auswerten des Principal-Namens des Administrators"
-+
-+#: ../../src/kadmin/dbutil/kadm5_create.c:286
-+#, c-format
-+msgid "while creating principal %s"
-+msgstr "beim Erstellen des Principals %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:175
-+#: ../../src/kadmin/dbutil/kdb5_util.c:241
-+#: ../../src/kadmin/dbutil/kdb5_util.c:248
-+msgid "while parsing command arguments\n"
-+msgstr "beim Auswerten der Befehlsargumente\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:198
-+#, c-format
-+msgid "Loading random data\n"
-+msgstr "Zufällige Daten werden geladen.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:201
-+msgid "Loading random data"
-+msgstr "Zufällige Daten werden geladen."
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:211
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:242
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:435
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:591
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149
-+#: ../../src/kadmin/dbutil/kdb5_util.c:423
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606
-+msgid "while setting up master key name"
-+msgstr "beim Einrichten des Hauptschlüsselnamens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:222
-+#, c-format
-+msgid ""
-+"Initializing database '%s' for realm '%s',\n"
-+"master key name '%s'\n"
-+msgstr ""
-+"Datenbank »%s« für Realm »%s« wird initialisiert,\n"
-+"Hauptschlüsselname »%s«\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:227
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516
-+#, c-format
-+msgid "You will be prompted for the database Master Password.\n"
-+msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:228
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:260
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517
-+#, c-format
-+msgid "It is important that you NOT FORGET this password.\n"
-+msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:234
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:266
-+msgid "while creating new master key"
-+msgstr "beim Erstellen des neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:242
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527
-+msgid "while reading master key from keyboard"
-+msgstr "beim Lesen des Hauptschlüssels von der Tastatur"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:252
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:285
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618
-+msgid "while calculating master key salt"
-+msgstr "beim Berechnen des Hauptschlüssel-Salts"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:260
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:294
-+#: ../../src/kadmin/dbutil/kdb5_util.c:465
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630
-+msgid "while transforming master key from password"
-+msgstr "beim Umwandeln des Hauptschlüssels vom Passwort"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:270
-+msgid "while initializing random key generator"
-+msgstr "beim Initialisieren des Zufallsschlüsselgenerators"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:275
-+#, c-format
-+msgid "while creating database '%s'"
-+msgstr "beim Erstellen der Datenbank »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:293
-+msgid "while creating update log"
-+msgstr "beim Erstellen des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:304
-+msgid "while initializing update log"
-+msgstr "beim Initialisieren des Aktualisierungsprotokolls"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:320
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642
-+msgid "while adding entries to the database"
-+msgstr "beim Hinzufügen von Einträgen in die Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:348
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:339
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:133
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667
-+msgid "while storing key"
-+msgstr "beim Speichern des Schlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_create.c:349
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:340
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668
-+#, c-format
-+msgid "Warning: couldn't stash master key.\n"
-+msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:57
-+msgid "while initializing krb5_context"
-+msgstr "beim Initialisieren von »krb5_context«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:63
-+#: ../../src/kadmin/dbutil/kdb5_util.c:259
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291
-+msgid "while setting default realm name"
-+msgstr "beim Einstellen des Standard-Realm-Namens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:83
-+#, c-format
-+msgid "Deleting KDC database stored in '%s', are you sure?\n"
-+msgstr ""
-+"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:85
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482
-+#, c-format
-+msgid "(type 'yes' to confirm)? "
-+msgstr "(Geben Sie als Bestätigung »yes« ein)? "
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:92
-+#, c-format
-+msgid "OK, deleting database '%s'...\n"
-+msgstr "OK, Datenbank »%s« wird gelöscht …\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:97
-+#, c-format
-+msgid "deleting database '%s'"
-+msgstr "Datenbank »%s« wird gelöscht."
-+
-+#: ../../src/kadmin/dbutil/kdb5_destroy.c:106
-+#, c-format
-+msgid "** Database '%s' destroyed.\n"
-+msgstr "** Datenbank »%s« vernichtet\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:218
-+#, c-format
-+msgid "%s is an invalid enctype"
-+msgstr "%s ist ein ungültiger Verschlüsselungstyp"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:250
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:443
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:599
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:986
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157
-+#, c-format
-+msgid "while getting master key principal %s"
-+msgstr "beim Holen des Hauptschlüssels von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:256
-+#, c-format
-+msgid "Creating new master key for master key principal '%s'\n"
-+msgstr ""
-+"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« "
-+"erstellt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:259
-+#, c-format
-+msgid "You will be prompted for a new database Master Password.\n"
-+msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:275
-+msgid "while reading new master key from keyboard"
-+msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:304
-+msgid "adding new master key to master principal"
-+msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:310
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:402
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:843
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356
-+msgid "while getting current time"
-+msgstr "beim Holen der aktuellen Zeit"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:317
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:544
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363
-+msgid "while updating the master key principal modification time"
-+msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:325
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:553
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374
-+msgid "while adding master key entry to the database"
-+msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:383
-+msgid "0 is an invalid KVNO value"
-+msgstr "0 ist kein gültiger KVNO-Wert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:394
-+#, c-format
-+msgid "%d is an invalid KVNO value"
-+msgstr "%d ist kein gültiger KVNO-Wert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:410
-+#, c-format
-+msgid "could not parse date-time string '%s'"
-+msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:452
-+msgid "while looking up active version of master key"
-+msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:491
-+msgid "while adding new master key"
-+msgstr "beim Hinzufügen eines neuen Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:529
-+msgid "there must be one master key currently active"
-+msgstr "ein Hauptschlüssel muss derzeit aktiv sein"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:537
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342
-+msgid "while updating actkvno data for master principal entry"
-+msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:581
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:948
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116
-+msgid "master keylist not initialized"
-+msgstr "Hauptschlüsselliste ist nicht initialisiert"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:607
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:994
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254
-+msgid "while looking up active kvno list"
-+msgstr "beim Nachschlagen der Liste aktiver KVNOs"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:615
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002
-+msgid "while looking up active master key"
-+msgstr "beim Nachschlagen des aktiven Hauptschlüssels"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:627
-+msgid "while getting enctype description"
-+msgstr "beim Holen des Verschlüsselungsbeschreibung"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:644
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, Active on: %s *\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:649
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, Active on: %s\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:653
-+#, c-format
-+msgid "KVNO: %d, Enctype: %s, No activate time set\n"
-+msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:658
-+msgid "asprintf could not allocate enough memory to hold output"
-+msgstr ""
-+"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe "
-+"bereitzuhalten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:793
-+msgid "getting string representation of principal name"
-+msgstr "Principal-Name wird im Klartext geholt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:817
-+#, c-format
-+msgid "determining master key used for principal '%s'"
-+msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:823
-+#, c-format
-+msgid "would skip: %s\n"
-+msgstr "würde übersprungen: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:825
-+#, c-format
-+msgid "skipping: %s\n"
-+msgstr "wird übersprungen: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:831
-+#, c-format
-+msgid "would update: %s\n"
-+msgstr "würde aktualisiert: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:835
-+#, c-format
-+msgid "updating: %s\n"
-+msgstr "wird aktualisiert: %s\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:839
-+#, c-format
-+msgid "error re-encrypting key for principal '%s'"
-+msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:850
-+#, c-format
-+msgid "while updating principal '%s' modification time"
-+msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:857
-+#, c-format
-+msgid "while updating principal '%s' key data in the database"
-+msgstr ""
-+"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:889
-+#, c-format
-+msgid ""
-+"\n"
-+"(type 'yes' to confirm)? "
-+msgstr ""
-+"\n"
-+"(Geben Sie als Bestätigung »yes« ein) "
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:942
-+msgid "while formatting master principal name"
-+msgstr "beim Formatieren des Haupt-Principal-Namens"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:959
-+#, c-format
-+msgid "converting glob pattern '%s' to regular expression"
-+msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:977
-+#, c-format
-+msgid "error compiling converted regexp '%s'"
-+msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010
-+#, c-format
-+msgid "Re-encrypt all keys not using master key vno %u?"
-+msgstr ""
-+"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-"
-+"VNO %u verwenden?"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012
-+#, c-format
-+msgid "OK, doing nothing.\n"
-+msgstr "Ok, es wird nichts getan.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018
-+#, c-format
-+msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n"
-+msgstr ""
-+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
-+"WÜRDEN:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021
-+#, c-format
-+msgid ""
-+"Principals whose keys are being re-encrypted to master key vno %u if "
-+"necessary:\n"
-+msgstr ""
-+"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt "
-+"werden, falls nötig:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037
-+msgid "trying to process principal database"
-+msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042
-+#, c-format
-+msgid "%u principals processed: %u would be updated, %u already current\n"
-+msgstr ""
-+"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046
-+#, c-format
-+msgid "%u principals processed: %u updated, %u already current\n"
-+msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164
-+#, c-format
-+msgid ""
-+"Will purge all unused master keys stored in the '%s' principal, are you "
-+"sure?\n"
-+msgstr ""
-+"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für "
-+"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175
-+#, c-format
-+msgid "OK, purging unused master keys from '%s'...\n"
-+msgstr ""
-+"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig "
-+"entfernt …\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183
-+#, c-format
-+msgid "There is only one master key which can not be purged.\n"
-+msgstr ""
-+"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt "
-+"werden kann.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192
-+msgid "while allocating args.kvnos"
-+msgstr "beim Reservieren von »args.kvnos«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208
-+msgid "while finding master keys in use"
-+msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217
-+#, c-format
-+msgid "Would purge the following master key(s) from %s:\n"
-+msgstr ""
-+"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig "
-+"entfernt:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220
-+#, c-format
-+msgid "Purging the following master key(s) from %s:\n"
-+msgstr ""
-+"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232
-+msgid "master key stash file needs updating, command aborting"
-+msgstr ""
-+"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238
-+#, c-format
-+msgid "KVNO: %d\n"
-+msgstr "KVNO: %d\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243
-+#, c-format
-+msgid "All keys in use, nothing purged.\n"
-+msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248
-+#, c-format
-+msgid "%d key(s) would be purged.\n"
-+msgstr "%d Schlüssel würde(n) vollständig entfernt.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261
-+msgid "while looking up mkey aux data list"
-+msgstr "beim Nachschlagen der Mkey-Aux-Datenliste"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269
-+msgid "while allocating key_data"
-+msgstr "beim Reservieren von »key_data«"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350
-+msgid "while updating mkey_aux data for master principal entry"
-+msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag"
-+
-+#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378
-+#, c-format
-+msgid "%d key(s) purged.\n"
-+msgstr "%d Schlüssel vollständig entfernt\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:97
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538
-+#, c-format
-+msgid "while setting up enctype %d"
-+msgstr "beim Einrichten des Verschlüsselungstyps %d"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:123
-+msgid "while getting master key list"
-+msgstr "beim Holen der Hauptschlüsselliste"
-+
-+#: ../../src/kadmin/dbutil/kdb5_stash.c:127
-+#, c-format
-+msgid "Using existing stashed keys to update stash file.\n"
-+msgstr ""
-+"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel "
-+"verwendet.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:80
-+#, c-format
-+msgid ""
-+"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M "
-+"mkeyname]\n"
-+"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n"
-+"\tcreate [-s]\n"
-+"\tdestroy [-f]\n"
-+"\tstash [-f keyfile]\n"
-+"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
-+"\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
-+"\t [-rev] [-recurse] [filename [princs...]]\n"
-+"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename\n"
-+"\tark [-e etype_list] principal\n"
-+"\tadd_mkey [-e etype] [-s]\n"
-+"\tuse_mkey kvno [time]\n"
-+"\tlist_mkeys\n"
-+msgstr ""
-+"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k "
-+"Mkeytype] [-M Mkeyname]\n"
-+"\t [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n"
-+"\tcreate [-s]\n"
-+"\tdestroy [-f]\n"
-+"\tstash [-f Schlüsseldatei]\n"
-+"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n"
-+"\t [-mkey_convert] [-new_mkey_file mkey-Datei]\n"
-+"\t [-rev] [-recurse] [Dateiname [Principals …]]\n"
-+"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n"
-+"\tark [-e Etype-Liste] Principal\n"
-+"\tadd_mkey [-e Etype] [-s]\n"
-+"\tuse_mkey kvno [Zeit]\n"
-+"\tlist_mkeys\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:98
-+#, c-format
-+msgid ""
-+"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n"
-+"\tpurge_mkeys [-f] [-n] [-v]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n"
-+"\tpurge_mkeys [-f] [-n] [-v]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:211
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260
-+msgid "while initializing Kerberos code"
-+msgstr "beim Initialisieren von Kerberos-Code"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:217
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267
-+msgid "while creating sub-command arguments"
-+msgstr "beim Erstellen von Unterbefehlsargumenten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:235
-+msgid "while parsing command arguments"
-+msgstr "beim Auswerten von Befehlsargumenten"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:264
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298
-+#, c-format
-+msgid ": %s is an invalid enctype"
-+msgstr ": %s ist kein gültiger Verschlüsselungstyp"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:272
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307
-+#, c-format
-+msgid ": %s is an invalid mkeyVNO"
-+msgstr ": %s ist kein gültiger MkeyVNO"
-+
-+# FIXME s/retreiving/retrieving/
-+#: ../../src/kadmin/dbutil/kdb5_util.c:317
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431
-+msgid "while retreiving configuration parameters"
-+msgstr "beim Abfragen der Konfigurationsparameter"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:368
-+msgid "Too few arguments"
-+msgstr "zu wenige Argumente"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:369
-+#, c-format
-+msgid "Usage: %s dbpathname realmname"
-+msgstr "Aufruf: %s Datenbankpfadname Realm-Name"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:375
-+msgid "while closing previous database"
-+msgstr "beim Schließen der vorherigen Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:412
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564
-+msgid "while initializing database"
-+msgstr "beim Initialisieren der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:429
-+msgid "while retrieving master entry"
-+msgstr "beim Abfragen des Haupteintrags"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:448
-+msgid "while calculated master key salt"
-+msgstr "beim Berechnen des Hauptschlüssel-Salts"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:480
-+msgid "Warning: proceeding without master key"
-+msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:498
-+msgid "while seeding random number generator"
-+msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:508
-+#, c-format
-+msgid "%s: Could not map log\n"
-+msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:535
-+msgid "while closing database"
-+msgstr "beim Schließen der Datenbank"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:582
-+#, c-format
-+msgid "while fetching principal %s"
-+msgstr "beim Abrufen von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:605
-+msgid "while finding mkey"
-+msgstr "beim Suchen nach Mkey"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:630
-+msgid "while setting changetime"
-+msgstr "beim Setzen der Änderungszeit der Datei"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:638
-+#, c-format
-+msgid "while saving principal %s"
-+msgstr "beim Speichern von Principal %s"
-+
-+#: ../../src/kadmin/dbutil/kdb5_util.c:642
-+#, c-format
-+msgid "%s changed\n"
-+msgstr "%s geändert\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:73
-+#, c-format
-+msgid "%s: invalid arguments\n"
-+msgstr "%s: ungültige Argumente\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:78
-+msgid "while freeing ktlist"
-+msgstr "beim Freigeben von »ktlist«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:89
-+#, c-format
-+msgid "%s: must specify keytab to read\n"
-+msgstr ""
-+"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:94
-+#, c-format
-+msgid "while reading keytab \"%s\""
-+msgstr "beim Lesen der Schlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:104
-+#, c-format
-+msgid "%s: must specify the srvtab to read\n"
-+msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:109
-+#, c-format
-+msgid "while reading srvtab \"%s\""
-+msgstr "beim Lesen der Dienstschlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:119
-+#, c-format
-+msgid "%s: must specify keytab to write\n"
-+msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben werden.\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:124
-+#, c-format
-+msgid "while writing keytab \"%s\""
-+msgstr "beim Schreiben der Schlüsseltabelle »%s«"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:131
-+#, c-format
-+msgid "%s: writing srvtabs is no longer supported\n"
-+msgstr ""
-+"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:169
-+#, c-format
-+msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n"
-+msgstr ""
-+"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:176
-+msgid "while adding new entry"
-+msgstr "beim Hinzufügen eines neuen Eintrags"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:186
-+#, c-format
-+msgid "%s: must specify entry to delete\n"
-+msgstr "%s: zu löschender Eintrag muss angegeben werden\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:191
-+#, c-format
-+msgid "while deleting entry %d"
-+msgstr "beim Löschen von Eintrag %d"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:219
-+#, c-format
-+msgid "%s: usage: %s [-t] [-k] [-e]\n"
-+msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil.c:259
-+msgid "While converting enctype to string"
-+msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:162
-+#, c-format
-+msgid "Password for %.1000s"
-+msgstr "Passwort für %.1000s"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:179
-+#, c-format
-+msgid "Key for %s (hex): "
-+msgstr "Schlüssel für %s (hexadezimal): "
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:191
-+#, c-format
-+msgid "addent: Error reading key.\n"
-+msgstr "addent: Fehler beim Lesen des Schlüssels\n"
-+
-+#: ../../src/kadmin/ktutil/ktutil_funcs.c:206
-+#, c-format
-+msgid "addent: Illegal character in key.\n"
-+msgstr "addent: unerlaubtes Zeichen im Schlüssel\n"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:48
-+#, c-format
-+msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s"
-+msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:49
-+#: ../../src/kadmin/server/ipropd_svc.c:212
-+#, c-format
-+msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
-+msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:146
-+#: ../../src/kadmin/server/ipropd_svc.c:271
-+#, c-format
-+msgid "%s: server handle is NULL"
-+msgstr "%s: Server-Identifikator ist NULL"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:156
-+#: ../../src/kadmin/server/ipropd_svc.c:284
-+#, c-format
-+msgid "%s: setup_gss_names failed"
-+msgstr "%s: setup_gss_names fehlgeschlagen"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:166
-+#: ../../src/kadmin/server/ipropd_svc.c:295
-+#, c-format
-+msgid "%s: out of memory recording principal names"
-+msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:195
-+#, c-format
-+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu"
-+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:201
-+#, c-format
-+msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A"
-+msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:320
-+#, c-format
-+msgid "%s: getclhoststr failed"
-+msgstr "%s: getclhoststr fehlgeschlagen"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:342
-+#, c-format
-+msgid "%s: cannot construct kdb5 util dump string too long; out of memory"
-+msgstr ""
-+"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu "
-+"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-"
-+"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der "
-+"Speicherplatz reicht nicht aus."
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:362
-+#, c-format
-+msgid "%s: fork failed: %s"
-+msgstr "%s: Verzweigen fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:374
-+#, c-format
-+msgid "%s: popen failed: %s"
-+msgstr "%s: popen fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:388
-+#, c-format
-+msgid "%s: pclose(popen) failed: %s"
-+msgstr "%s: pclose(popen) fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:405
-+#, c-format
-+msgid "%s: exec failed: %s"
-+msgstr "%s: exec fehlgeschlagen: %s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:421
-+#, c-format
-+msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"
-+msgstr ""
-+"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, "
-+"Dienst=%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:485
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:275
-+#, c-format
-+msgid "check_rpcsec_auth: failed inquire_context, stat=%u"
-+msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:515
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:304
-+#, c-format
-+msgid "bad service principal %.*s%s"
-+msgstr "falscher Dienst-Principal %.*s%s"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:538
-+#, c-format
-+msgid "authentication attempt failed: %s, RPC authentication flavor %d"
-+msgstr ""
-+"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:572
-+#, c-format
-+msgid "RPC unknown request: %d (%s)"
-+msgstr "unbekannte PRC-Anfrage: %d (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:580
-+#, c-format
-+msgid "RPC svc_getargs failed (%s)"
-+msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:590
-+#, c-format
-+msgid "RPC svc_sendreply failed (%s)"
-+msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/ipropd_svc.c:596
-+#, c-format
-+msgid "RPC svc_freeargs failed (%s)"
-+msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)"
-+
-+#: ../../src/kadmin/server/kadm_rpc_svc.c:325
-+#, c-format
-+msgid "gss_to_krb5_name: failed display_name status %d"
-+msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:86
-+#, c-format
-+msgid ""
-+"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n"
-+"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
-+"\t\t[-K path-to-kprop] [-P pid_file]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - any number of database specific arguments.\n"
-+"\t\t\tLook at each database documentation for supported arguments\n"
-+msgstr ""
-+"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n"
-+"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n"
-+"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:111
-+#, c-format
-+msgid "%s: %s while %s, aborting\n"
-+msgstr "%s: %s bei %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:113
-+#, c-format
-+msgid "%s while %s, aborting\n"
-+msgstr "%s bei %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:115
-+#, c-format
-+msgid "%s: %s, aborting\n"
-+msgstr "%s: %s, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:116
-+#, c-format
-+msgid "%s, aborting"
-+msgstr "%s, wird abgebrochen"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:282
-+#, c-format
-+msgid ""
-+"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s"
-+"%s, addr = %s"
-+msgstr ""
-+"WARNUNG! Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, "
-+"Server = %.*s%s, Adresse = %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:288
-+#, c-format
-+msgid ""
-+"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s"
-+"%s, addr = %s"
-+msgstr ""
-+"WARNUNG! Gefälschte/verstümmelte Anfrage: %d, Client = %.*s%s, Server = "
-+"%.*s%s, Adresse = %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:302
-+#, c-format
-+msgid "Miscellaneous RPC error: %s, %s"
-+msgstr "sonstiger PRC-Fehler: %s, %s"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:318
-+#, c-format
-+msgid "%s Cannot decode status %d"
-+msgstr "%s: Status %d kann nicht dekodiert werden"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:336
-+#, c-format
-+msgid "Authentication attempt failed: %s, GSS-API error strings are:"
-+msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:341
-+msgid " GSS-API error strings complete."
-+msgstr " GSS-API-Fehlermeldungen vollständig"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:378
-+#, c-format
-+msgid "%s: cannot initialize. Not enough memory\n"
-+msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:445
-+#, c-format
-+msgid "%s: %s while initializing context, aborting\n"
-+msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:456
-+msgid "initializing"
-+msgstr "wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:460
-+msgid "getting config parameters"
-+msgstr "beim Holen der Konfigurationsparameter"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:462
-+msgid "Missing required realm configuration"
-+msgstr "erforderliche Realm-Konfiguration fehlt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:464
-+msgid "Missing required ACL file configuration"
-+msgstr "erforderliche ACL-Dateikonfiguration fehlt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:468
-+msgid "initializing network"
-+msgstr "Netzwerk wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:473
-+msgid "Cannot build GSSAPI auth names"
-+msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden."
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:477
-+msgid "Cannot set up KDB keytab"
-+msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden."
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:480
-+msgid "Cannot set GSSAPI authentication names"
-+msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden."
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:497
-+msgid "Cannot initialize GSSAPI service name"
-+msgstr "GSSAPI-Dienstname kann nicht initialisiert werden"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:501
-+msgid "initializing ACL file"
-+msgstr "ACL-Datei wird initialisiert"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:504
-+msgid "spawning daemon process"
-+msgstr "Daemon-Prozess wird erzeugt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:508
-+msgid "creating PID file"
-+msgstr "PID-Datei wird erstellt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:511
-+msgid "Seeding random number generator"
-+msgstr "Startwert des Zufallszahlengenerators wird erzeugt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:514
-+msgid "getting random seed"
-+msgstr "Zufallsstartwert wird geholt"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:521
-+msgid "mapping update log"
-+msgstr "Aktualisierungsprotokoll wird abgebildet"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:525
-+#, c-format
-+msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n"
-+msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:530
-+msgid "starting"
-+msgstr "startet"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061
-+#, c-format
-+msgid "%s: starting...\n"
-+msgstr "%s: startet …\n"
-+
-+#: ../../src/kadmin/server/ovsec_kadmd.c:535
-+msgid "finished, exiting"
-+msgstr "fertig, wird beendet"
-+
-+#: ../../src/kadmin/server/schpw.c:282
-+#, c-format
-+msgid "setpw request from %s by %.*s%s for %.*s%s: %s"
-+msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s"
-+
-+#: ../../src/kadmin/server/schpw.c:287
-+#, c-format
-+msgid "chpw request from %s for %.*s%s: %s"
-+msgstr "»chpw«-Anfrage von %s für %.*s%s: %s"
-+
-+#: ../../src/kadmin/server/schpw.c:464
-+#, c-format
-+msgid "chpw: Couldn't open admin keytab %s"
-+msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden"
-+
-+#: ../../src/kadmin/server/server_stubs.c:293
-+#, c-format
-+msgid ""
-+"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s"
-+msgstr ""
-+"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:314
-+#: ../../src/kadmin/server/server_stubs.c:649
-+#: ../../src/kadmin/server/server_stubs.c:1792
-+msgid "success"
-+msgstr "erfolgreich"
-+
-+#: ../../src/kadmin/server/server_stubs.c:324
-+#, c-format
-+msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s"
-+msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:628
-+#, c-format
-+msgid ""
-+"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s"
-+"%s, service=%.*s%s, addr=%s"
-+msgstr ""
-+"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client="
-+"%.*s%s, Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:644
-+#, c-format
-+msgid ""
-+"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, "
-+"service=%.*s%s, addr=%s"
-+msgstr ""
-+"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, "
-+"Dienst=%.*s%s, Adresse=%s"
-+
-+#: ../../src/kadmin/server/server_stubs.c:1788
-+#, c-format
-+msgid ""
-+"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, "
-+"vers=%d, flavor=%d"
-+msgstr ""
-+"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, "
-+"Version=%d, Variante=%d"
-+
-+#: ../../src/kdc/do_as_req.c:273
-+#, c-format
-+msgid "AS_REQ : handle_authdata (%d)"
-+msgstr "AS_REQ: handle_authdata (%d)"
-+
-+#: ../../src/kdc/do_tgs_req.c:593
-+#, c-format
-+msgid "TGS_REQ : handle_authdata (%d)"
-+msgstr "TGS_REQ: handle_authdata (%d)"
-+
-+#: ../../src/kdc/do_tgs_req.c:655
-+msgid "not checking transit path"
-+msgstr "Übergangspfad wird nicht geprüft"
-+
-+#: ../../src/kdc/fast_util.c:62
-+#, c-format
-+msgid "%s while handling ap-request armor"
-+msgstr "%s bei der Handhabung des »ap-request«-Schutzes"
-+
-+#: ../../src/kdc/fast_util.c:71
-+msgid "ap-request armor for something other than the local TGS"
-+msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS"
-+
-+#: ../../src/kdc/fast_util.c:80
-+msgid "ap-request armor without subkey"
-+msgstr "»ap-request«-Schutz ohne Unterschlüssel"
-+
-+#: ../../src/kdc/fast_util.c:162
-+msgid "Ap-request armor not permitted with TGS"
-+msgstr "»ap-request«-Schutz nicht mit TGS gestattet"
-+
-+#: ../../src/kdc/fast_util.c:169
-+#, c-format
-+msgid "Unknown FAST armor type %d"
-+msgstr "unbekanntet FAST-Schutztyp %d"
-+
-+#: ../../src/kdc/fast_util.c:183
-+msgid "No armor key but FAST armored request present"
-+msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage"
-+
-+#: ../../src/kdc/fast_util.c:219
-+msgid "FAST req_checksum invalid; request modified"
-+msgstr "FAST-»req_checksum« ungültig; Anfrage geändert"
-+
-+#: ../../src/kdc/fast_util.c:225
-+msgid "Unkeyed checksum used in fast_req"
-+msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt"
-+
-+#: ../../src/kdc/kdc_audit.c:110
-+#, c-format
-+msgid "audit plugin %s failed to open. error=%i"
-+msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. Fehler=%i"
-+
-+#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328
-+#, c-format
-+msgid "authdata %s failed to initialize: %s"
-+msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_authdata.c:779
-+#, c-format
-+msgid "authdata (%s) handling failure: %s"
-+msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_log.c:82
-+#, c-format
-+msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s"
-+msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s"
-+
-+#: ../../src/kdc/kdc_log.c:88
-+#, c-format
-+msgid "AS_REQ (%s) %s: %s: %s for %s%s%s"
-+msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s"
-+
-+#: ../../src/kdc/kdc_log.c:159
-+#, c-format
-+msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s"
-+msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s"
-+
-+#: ../../src/kdc/kdc_log.c:166
-+#, c-format
-+msgid "... PROTOCOL-TRANSITION s4u-client=%s"
-+msgstr "… PROTOKOLLÜBERGANG s4u-client=%s"
-+
-+#: ../../src/kdc/kdc_log.c:170
-+#, c-format
-+msgid "... CONSTRAINED-DELEGATION s4u-client=%s"
-+msgstr "… EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s"
-+
-+#: ../../src/kdc/kdc_log.c:174
-+#, c-format
-+msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s"
-+msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. TKT-Client %s"
-+
-+#: ../../src/kdc/kdc_log.c:208
-+#, c-format
-+msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'"
-+msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«"
-+
-+#: ../../src/kdc/kdc_log.c:214
-+#, c-format
-+msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s"
-+msgstr ""
-+"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s"
-+"%s«: %s"
-+
-+#: ../../src/kdc/kdc_log.c:232
-+msgid "TGS_REQ: issuing alternate <un-unparseable> TGT"
-+msgstr "TGS_REQ: alternativer <nicht nicht auswertbarer> TGT wird erstellt"
-+
-+#: ../../src/kdc/kdc_log.c:235
-+#, c-format
-+msgid "TGS_REQ: issuing TGT %s"
-+msgstr "TGS_REQ: TGT %s wird erstellt"
-+
-+#: ../../src/kdc/kdc_preauth.c:328
-+#, c-format
-+msgid "preauth %s failed to initialize: %s"
-+msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_preauth.c:339
-+#, c-format
-+msgid "preauth %s failed to setup loop: %s"
-+msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s"
-+
-+#: ../../src/kdc/kdc_preauth.c:760
-+#, c-format
-+msgid "%spreauth required but hint list is empty"
-+msgstr "%spreauth benötigt, aber Hinweisliste ist leer"
-+
-+#: ../../src/kdc/kdc_preauth_ec.c:75
-+msgid "Encrypted Challenge used outside of FAST tunnel"
-+msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet"
-+
-+#: ../../src/kdc/kdc_preauth_ec.c:110
-+msgid "Incorrect password in encrypted challenge"
-+msgstr "falsches Passwort in verschlüsselter Aufforderung"
-+
-+#: ../../src/kdc/kdc_util.c:236
-+msgid "TGS_REQ: SESSION KEY or MUTUAL"
-+msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG"
-+
-+#: ../../src/kdc/kdc_util.c:314
-+msgid "PROCESS_TGS: failed lineage check"
-+msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen"
-+
-+#: ../../src/kdc/kdc_util.c:468
-+#, c-format
-+msgid "TGS_REQ: UNKNOWN SERVER: server='%s'"
-+msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«"
-+
-+#: ../../src/kdc/main.c:231
-+#, c-format
-+msgid "while getting context for realm %s"
-+msgstr "beim Holen des Kontextes für Realm %s"
-+
-+#: ../../src/kdc/main.c:329
-+#, c-format
-+msgid "while setting default realm to %s"
-+msgstr "beim Setzen des Standard-Realms auf %s"
-+
-+#: ../../src/kdc/main.c:337
-+#, c-format
-+msgid "while initializing database for realm %s"
-+msgstr "beim Initialisieren der Datenbank für Realm %s"
-+
-+#: ../../src/kdc/main.c:346
-+#, c-format
-+msgid "while setting up master key name %s for realm %s"
-+msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s"
-+
-+#: ../../src/kdc/main.c:359
-+#, c-format
-+msgid "while fetching master key %s for realm %s"
-+msgstr "beim Abholen des Hauptschlüssels %s für Realm %s"
-+
-+#: ../../src/kdc/main.c:367
-+#, c-format
-+msgid "while fetching master keys list for realm %s"
-+msgstr "beim Abholen der Hauptschlüsselliste für Realm %s"
-+
-+#: ../../src/kdc/main.c:376
-+#, c-format
-+msgid "while resolving kdb keytab for realm %s"
-+msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s"
-+
-+#: ../../src/kdc/main.c:385
-+#, c-format
-+msgid "while building TGS name for realm %s"
-+msgstr "beim Bilden des TGS-Namens für Realm %s"
-+
-+#: ../../src/kdc/main.c:503
-+#, c-format
-+msgid "creating %d worker processes"
-+msgstr "%d Arbeitsprozesse werden erzeugt"
-+
-+#: ../../src/kdc/main.c:513
-+msgid "Unable to reinitialize main loop"
-+msgstr "Hauptschleife konnte nicht neu initialisiert werden"
-+
-+#: ../../src/kdc/main.c:518
-+#, c-format
-+msgid "Unable to initialize signal handlers in pid %d"
-+msgstr ""
-+"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden"
-+
-+#: ../../src/kdc/main.c:548
-+#, c-format
-+msgid "worker %ld exited with status %d"
-+msgstr "Arbeitsprozess %ld endete mit Status %d"
-+
-+#: ../../src/kdc/main.c:572
-+#, c-format
-+msgid "signal %d received in supervisor"
-+msgstr "Überwachungsprogramm empfing Signal %d"
-+
-+#: ../../src/kdc/main.c:591
-+#, c-format
-+msgid ""
-+"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n"
-+"\t\t[-R replaycachename] [-m] [-k masterenctype]\n"
-+"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n"
-+"\t\t[-n] [-w numworkers] [/]\n"
-+"\n"
-+"where,\n"
-+"\t[-x db_args]* - Any number of database specific arguments.\n"
-+"\t\t\tLook at each database module documentation for \t\t\tsupported "
-+"arguments\n"
-+msgstr ""
-+"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n"
-+"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n"
-+"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n"
-+"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n"
-+"\n"
-+"dabei sind\n"
-+"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer "
-+"Argumente.\n"
-+"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation "
-+"der jeweiligen Datenbank.\n"
-+
-+#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774
-+#, c-format
-+msgid " KDC cannot initialize. Not enough memory\n"
-+msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733
-+#, c-format
-+msgid "%s: KDC cannot initialize. Not enough memory\n"
-+msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816
-+#, c-format
-+msgid "%s: cannot initialize realm %s - see log file for details\n"
-+msgstr ""
-+"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in "
-+"der Protokolldatei\n"
-+
-+#: ../../src/kdc/main.c:710
-+#, c-format
-+msgid "%s: cannot initialize realm %s. Not enough memory\n"
-+msgstr ""
-+"%s: Realm %s kann nicht initialisiert werden. Speicher reicht nicht aus\n"
-+
-+#: ../../src/kdc/main.c:761
-+#, c-format
-+msgid "invalid enctype %s"
-+msgstr "ungültiger Verschlüsselungstyp %s"
-+
-+#: ../../src/kdc/main.c:804
-+msgid "while attempting to retrieve default realm"
-+msgstr "beim Versuch, den Standard-Realm abzufragen"
-+
-+#: ../../src/kdc/main.c:806
-+#, c-format
-+msgid "%s: %s, attempting to retrieve default realm\n"
-+msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n"
-+
-+#: ../../src/kdc/main.c:912
-+#, c-format
-+msgid "%s: cannot get memory for realm list\n"
-+msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n"
-+
-+# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html
-+#: ../../src/kdc/main.c:947
-+msgid "while initializing lookaside cache"
-+msgstr "beim Initialisieren des Lookaside-Zwischenspeichers"
-+
-+#: ../../src/kdc/main.c:955
-+msgid "while creating main loop"
-+msgstr "beim Erzeugen der Hauptschleife"
-+
-+# SAM=Security Accounts Manager
-+#: ../../src/kdc/main.c:965
-+msgid "while initializing SAM"
-+msgstr "beim Initialisieren des SAMs"
-+
-+#: ../../src/kdc/main.c:1011
-+msgid "while initializing routing socket"
-+msgstr "beim Initialisieren des Routing-Sockets"
-+
-+#: ../../src/kdc/main.c:1017
-+msgid "while initializing signal handlers"
-+msgstr "beim Initialisieren des Signalbehandlungsprogramms"
-+
-+#: ../../src/kdc/main.c:1024
-+msgid "while initializing network"
-+msgstr "beim Initialisieren des Netzwerks"
-+
-+#: ../../src/kdc/main.c:1029
-+msgid "while detaching from tty"
-+msgstr "beim Lösen vom Terminal"
-+
-+#: ../../src/kdc/main.c:1036
-+msgid "while creating PID file"
-+msgstr "beim Erstellen der PID-Datei"
-+
-+#: ../../src/kdc/main.c:1045
-+msgid "creating worker processes"
-+msgstr "Arbeitsprozesse werden erzeugt"
-+
-+#: ../../src/kdc/main.c:1055
-+msgid "while loading audit plugin module(s)"
-+msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule"
-+
-+#: ../../src/kdc/main.c:1059
-+msgid "commencing operation"
-+msgstr "Aktion wird begonnen"
-+
-+#: ../../src/kdc/main.c:1067
-+msgid "shutting down"
-+msgstr "wird heruntergefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:258
-+msgid "Got signal to request exit"
-+msgstr "Signal zur Anfrage des Beendens empfangen"
-+
-+#: ../../src/lib/apputils/net-server.c:272
-+msgid "Got signal to reset"
-+msgstr "Signal zum Zurücksetzen empfangen"
-+
-+#: ../../src/lib/apputils/net-server.c:429
-+#, c-format
-+msgid "closing down fd %d"
-+msgstr "Dateideskriptor %d wird geschlossen"
-+
-+#: ../../src/lib/apputils/net-server.c:443
-+#, c-format
-+msgid "descriptor %d closed but still in svc_fdset"
-+msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«"
-+
-+#: ../../src/lib/apputils/net-server.c:469
-+msgid "cannot create io event"
-+msgstr "E/A-Ereignis kann nicht erzeugt werden"
-+
-+#: ../../src/lib/apputils/net-server.c:475
-+msgid "cannot save event"
-+msgstr "Ereignis kann nicht gesichert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:495
-+#, c-format
-+msgid "file descriptor number %d too high"
-+msgstr "Dateideskriptornummer %d zu hoch"
-+
-+#: ../../src/lib/apputils/net-server.c:503
-+msgid "cannot allocate storage for connection info"
-+msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:562
-+#, c-format
-+msgid "Cannot create TCP server socket on %s"
-+msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden."
-+
-+#: ../../src/lib/apputils/net-server.c:571
-+#, c-format
-+msgid "TCP socket fd number %d (for %s) too high"
-+msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch"
-+
-+#: ../../src/lib/apputils/net-server.c:579
-+#, c-format
-+msgid "Cannot enable SO_REUSEADDR on fd %d"
-+msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden"
-+
-+#: ../../src/lib/apputils/net-server.c:586
-+#, c-format
-+msgid "setsockopt(%d,IPV6_V6ONLY,1) failed"
-+msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen"
-+
-+#: ../../src/lib/apputils/net-server.c:588
-+#, c-format
-+msgid "setsockopt(%d,IPV6_V6ONLY,1) worked"
-+msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert"
-+
-+#: ../../src/lib/apputils/net-server.c:591
-+msgid "no IPV6_V6ONLY socket option support"
-+msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt"
-+
-+#: ../../src/lib/apputils/net-server.c:597
-+#, c-format
-+msgid "Cannot bind server socket on %s"
-+msgstr "Server-Socket kann nicht an %s gebunden werden"
-+
-+#: ../../src/lib/apputils/net-server.c:624
-+#, c-format
-+msgid "Cannot create RPC service: %s; continuing"
-+msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:633
-+#, c-format
-+msgid "Cannot register RPC service: %s; continuing"
-+msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren"
-+
-+#: ../../src/lib/apputils/net-server.c:682
-+#, c-format
-+msgid "Cannot listen on TCP server socket on %s"
-+msgstr ""
-+"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf "
-+"%s."
-+
-+#: ../../src/lib/apputils/net-server.c:688
-+#, c-format
-+msgid "cannot set listening tcp socket on %s non-blocking"
-+msgstr ""
-+"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-"
-+"blockierendes %s gesetzt werden."
-+
-+#: ../../src/lib/apputils/net-server.c:695
-+#, c-format
-+msgid "disabling SO_LINGER on TCP socket on %s"
-+msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert"
-+
-+#: ../../src/lib/apputils/net-server.c:743
-+#: ../../src/lib/apputils/net-server.c:752
-+#, c-format
-+msgid "listening on fd %d: tcp %s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s"
-+
-+#: ../../src/lib/apputils/net-server.c:757
-+msgid "assuming IPv6 socket accepts IPv4"
-+msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert"
-+
-+#: ../../src/lib/apputils/net-server.c:791
-+#: ../../src/lib/apputils/net-server.c:804
-+#, c-format
-+msgid "listening on fd %d: rpc %s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s"
-+
-+#: ../../src/lib/apputils/net-server.c:883
-+#, c-format
-+msgid "Cannot request packet info for udp socket address %s port %d"
-+msgstr ""
-+"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt "
-+"werden"
-+
-+#: ../../src/lib/apputils/net-server.c:889
-+#, c-format
-+msgid "listening on fd %d: udp %s%s"
-+msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s"
-+
-+#: ../../src/lib/apputils/net-server.c:918
-+msgid "Failed to reconfigure network, exiting"
-+msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet"
-+
-+#: ../../src/lib/apputils/net-server.c:979
-+#, c-format
-+msgid ""
-+"unhandled routing message type %d, will reconfigure just for the fun of it"
-+msgstr ""
-+"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu "
-+"konfiguriert"
-+
-+#: ../../src/lib/apputils/net-server.c:1013
-+#, c-format
-+msgid "short read (%d/%d) from routing socket"
-+msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen"
-+
-+#: ../../src/lib/apputils/net-server.c:1023
-+#, c-format
-+msgid "read %d from routing socket but msglen is %d"
-+msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d"
-+
-+#: ../../src/lib/apputils/net-server.c:1055
-+#, c-format
-+msgid "couldn't set up routing socket: %s"
-+msgstr "Routing-Socket konnte nicht eingerichtet werden: %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1058
-+#, c-format
-+msgid "routing socket is fd %d"
-+msgstr "Das Routing-Socket hat den Dateideskriptor %d."
-+
-+#: ../../src/lib/apputils/net-server.c:1084
-+msgid "setting up network..."
-+msgstr "Netzwerk wird eingerichtet …"
-+
-+#: ../../src/lib/apputils/net-server.c:1101
-+#, c-format
-+msgid "set up %d sockets"
-+msgstr "%d Sockets werden eingerichtet"
-+
-+#: ../../src/lib/apputils/net-server.c:1103
-+msgid "no sockets set up?"
-+msgstr "keine Sockets eingerichtet?"
-+
-+#: ../../src/lib/apputils/net-server.c:1351
-+#: ../../src/lib/apputils/net-server.c:1405
-+msgid "while dispatching (udp)"
-+msgstr "beim Versenden (UDP)"
-+
-+#: ../../src/lib/apputils/net-server.c:1380
-+#, c-format
-+msgid "while sending reply to %s/%s from %s"
-+msgstr "beim Senden der Antwort zu %s/%s von %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1385
-+#, c-format
-+msgid "short reply write %d vs %d\n"
-+msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n"
-+
-+#: ../../src/lib/apputils/net-server.c:1430
-+msgid "while receiving from network"
-+msgstr "beim Empfangen vom Netzwerk"
-+
-+#: ../../src/lib/apputils/net-server.c:1446
-+#, c-format
-+msgid "pktinfo says local addr is %s"
-+msgstr "Pktinfo sagt, die lokale Adresse sei %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1479
-+msgid "too many connections"
-+msgstr "zu viele Verbindungen"
-+
-+#: ../../src/lib/apputils/net-server.c:1502
-+#, c-format
-+msgid "dropping %s fd %d from %s"
-+msgstr "%s Dateideskriptor %d von %s wird verworfen"
-+
-+#: ../../src/lib/apputils/net-server.c:1580
-+#, c-format
-+msgid "allocating buffer for new TCP session from %s"
-+msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert"
-+
-+#: ../../src/lib/apputils/net-server.c:1610
-+msgid "while dispatching (tcp)"
-+msgstr "beim Versenden (TCP)"
-+
-+#: ../../src/lib/apputils/net-server.c:1642
-+msgid "error allocating tcp dispatch private!"
-+msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!"
-+
-+#: ../../src/lib/apputils/net-server.c:1689
-+#, c-format
-+msgid "TCP client %s wants %lu bytes, cap is %lu"
-+msgstr "TCP-Client %s will %lu Byte, Cap ist %lu"
-+
-+#: ../../src/lib/apputils/net-server.c:1697
-+#, c-format
-+msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s"
-+msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s"
-+
-+#: ../../src/lib/apputils/net-server.c:1876
-+#, c-format
-+msgid "accepted RPC connection on socket %d from %s"
-+msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s"
-+
-+# pseudo random function
-+#: ../../src/lib/crypto/krb/cf2.c:114
-+#, c-format
-+msgid "Enctype %d has no PRF"
-+msgstr "Verschlüsselungstyp %d hat keine PRF"
-+
-+#: ../../src/lib/crypto/krb/prng_fortuna.c:428
-+msgid "Random number generator could not be seeded"
-+msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:43
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165
-+msgid "A required input parameter could not be read"
-+msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:44
-+msgid "A required input parameter could not be written"
-+msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:45
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175
-+msgid "A parameter was malformed"
-+msgstr "Ein Parameter hatte eine falsche Form"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:48
-+msgid "calling error"
-+msgstr "Aufruffehler"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:59
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195
-+msgid "An unsupported mechanism was requested"
-+msgstr "Ein nicht unterstützter Mechanismus wurde angefordert."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:60
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199
-+msgid "An invalid name was supplied"
-+msgstr "Ein ungültiger Name wurde übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:61
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203
-+msgid "A supplied name was of an unsupported type"
-+msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:62
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208
-+msgid "Incorrect channel bindings were supplied"
-+msgstr "Falsche Kanalbindungen wurden übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:63
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334
-+msgid "An invalid status code was supplied"
-+msgstr "Ein ungültiger Statuscode wurde übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:64
-+msgid "A token had an invalid signature"
-+msgstr "Ein Merkmal hatte eine ungültige Signatur."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:65
-+msgid "No credentials were supplied"
-+msgstr "Es wurden keine Anmeldedaten übergeben."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:66
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223
-+msgid "No context has been established"
-+msgstr "Es wurde keine Kontext etabliert."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:67
-+msgid "A token was invalid"
-+msgstr "Ein Merkmal war ungültig."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:68
-+msgid "A credential was invalid"
-+msgstr "Eine der Anmeldedaten war ungültig."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:69
-+msgid "The referenced credentials have expired"
-+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:70
-+msgid "The context has expired"
-+msgstr "Der Kontext ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:71
-+msgid "Miscellaneous failure"
-+msgstr "sonstiger Fehlschlag"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:72
-+msgid "The quality-of-protection requested could not be provided"
-+msgstr ""
-+"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:73
-+msgid "The operation is forbidden by the local security policy"
-+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:74
-+msgid "The operation or option is not available"
-+msgstr "Die Aktion oder Option ist nicht verfügbar."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:77
-+msgid "routine error"
-+msgstr "Fehler in einer Routine"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:89
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311
-+msgid "The routine must be called again to complete its function"
-+msgstr ""
-+"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu "
-+"vervollständigen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:90
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316
-+msgid "The token was a duplicate of an earlier token"
-+msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:91
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321
-+msgid "The token's validity period has expired"
-+msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:92
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325
-+msgid "A later token has already been processed"
-+msgstr "Es wurde bereits ein neueres Merkmal verarbeitet."
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:95
-+msgid "supplementary info code"
-+msgstr "zusätzlicher Informationscode"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:106
-+#: ../lib/krb5/error_tables/krb5_err.c:23
-+msgid "No error"
-+msgstr "kein Fehler"
-+
-+#: ../../src/lib/gssapi/generic/disp_major_status.c:107
-+#, c-format
-+msgid "Unknown %s (field = %d)"
-+msgstr "%s unbekannt (Feld = %d)"
-+
-+#: ../../src/lib/gssapi/krb5/acquire_cred.c:165
-+#, c-format
-+msgid "No key table entry found matching %s"
-+msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161
-+msgid "The routine completed successfully"
-+msgstr "Die Routine wurde erfolgreich abgeschlossen"
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170
-+msgid "A required output parameter could not be written"
-+msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212
-+msgid "A token had an invalid Message Integrity Check (MIC)"
-+msgstr ""
-+"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message "
-+"Integrity Check/MIC)."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217
-+msgid ""
-+"No credentials were supplied, or the credentials were unavailable or "
-+"inaccessible"
-+msgstr ""
-+"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht "
-+"verfügbar bzw. ein Zugriff darauf nicht möglich."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227
-+msgid "Invalid token was supplied"
-+msgstr "Es wurde ein ungültiges Token übergeben."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231
-+msgid "Invalid credential was supplied"
-+msgstr "ungültige Anmeldedaten wurden übergeben"
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235
-+msgid "The referenced credential has expired"
-+msgstr "Die referenzierten Anmeldedaten sind abgelaufen."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239
-+msgid "The referenced context has expired"
-+msgstr "Der referenzierte Kontext ist abgelaufen."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243
-+msgid "Unspecified GSS failure. Minor code may provide more information"
-+msgstr ""
-+"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der "
-+"untergeordnete Code weitere Informationen bereit."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248
-+msgid "The quality-of-protection (QOP) requested could not be provided"
-+msgstr ""
-+"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht "
-+"bereitgestellt werden."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253
-+msgid "The operation is forbidden by local security policy"
-+msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258
-+msgid "The operation or option is not available or unsupported"
-+msgstr ""
-+"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263
-+msgid "The requested credential element already exists"
-+msgstr "Das angeforderte Anmeldedatenelement existiert bereits."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268
-+msgid "The provided name was not mechanism specific (MN)"
-+msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)."
-+
-+#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329
-+msgid "An expected per-message token was not received"
-+msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860
-+msgid "SPNEGO cannot find mechanisms to negotiate"
-+msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865
-+msgid "SPNEGO failed to acquire creds"
-+msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert"
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870
-+msgid "SPNEGO acceptor did not select a mechanism"
-+msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt"
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875
-+msgid "SPNEGO failed to negotiate a mechanism"
-+msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert."
-+
-+#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880
-+msgid "SPNEGO acceptor did not return a valid token"
-+msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert"
-+
-+#: ../../src/lib/kadm5/alt_prof.c:854
-+#, c-format
-+msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\""
-+msgstr ""
-+"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden"
-+
-+#: ../../src/lib/kadm5/logger.c:56
-+#, c-format
-+msgid "%s: cannot parse <%s>\n"
-+msgstr "%s: <%s> kann nicht ausgewertet werden\n"
-+
-+#: ../../src/lib/kadm5/logger.c:57
-+#, c-format
-+msgid "%s: warning - logging entry syntax error\n"
-+msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n"
-+
-+#: ../../src/lib/kadm5/logger.c:58
-+#, c-format
-+msgid "%s: error writing to %s\n"
-+msgstr "%s: Fehler beim Schreiben auf %s\n"
-+
-+#: ../../src/lib/kadm5/logger.c:59
-+#, c-format
-+msgid "%s: error writing to %s device\n"
-+msgstr "%s: Fehler beim Schreiben auf Gerät %s\n"
-+
-+#: ../../src/lib/kadm5/logger.c:61
-+msgid "EMERGENCY"
-+msgstr "NOTFALL"
-+
-+#: ../../src/lib/kadm5/logger.c:62
-+msgid "ALERT"
-+msgstr "ALARM"
-+
-+#: ../../src/lib/kadm5/logger.c:63
-+msgid "CRITICAL"
-+msgstr "KRITISCH"
-+
-+#: ../../src/lib/kadm5/logger.c:64
-+msgid "Error"
-+msgstr "Fehler"
-+
-+#: ../../src/lib/kadm5/logger.c:65
-+msgid "Warning"
-+msgstr "Warnung"
-+
-+#: ../../src/lib/kadm5/logger.c:66
-+msgid "Notice"
-+msgstr "Hinweis"
-+
-+#: ../../src/lib/kadm5/logger.c:67
-+msgid "info"
-+msgstr "Information"
-+
-+#: ../../src/lib/kadm5/logger.c:68
-+msgid "debug"
-+msgstr "Fehlersuchmeldung"
-+
-+#: ../../src/lib/kadm5/logger.c:967
-+#, c-format
-+msgid "Couldn't open log file %s: %s\n"
-+msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n"
-+
-+#: ../../src/lib/kadm5/srv/kadm5_hook.c:119
-+#, c-format
-+msgid "kadm5_hook %s failed postcommit %s: %s"
-+msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s"
-+
-+#: ../../src/lib/kadm5/srv/pwqual_dict.c:106
-+msgid "No dictionary file specified, continuing without one."
-+msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren"
-+
-+#: ../../src/lib/kadm5/srv/pwqual_dict.c:113
-+#, c-format
-+msgid "WARNING! Cannot find dictionary file %s, continuing without one."
-+msgstr ""
-+"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne "
-+"fortgefahren"
-+
-+#: ../../src/lib/kadm5/srv/pwqual_empty.c:42
-+msgid "Empty passwords are not allowed"
-+msgstr "Leere Passwörter sind nicht erlaubt."
-+
-+#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114
-+msgid "Password may not match user information."
-+msgstr "Das Passwort darf keinen Anwenderdaten entsprechen."
-+
-+#: ../../src/lib/kadm5/srv/pwqual_princ.c:54
-+msgid "Password may not match principal name"
-+msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen."
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:89
-+#, c-format
-+msgid "%s: line %d too long, truncated"
-+msgstr "%s: Zeile %d zu lang, wurde gekürzt"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:90
-+#, c-format
-+msgid "Unrecognized ACL operation '%c' in %s"
-+msgstr "unbekannte ACL-Aktion »%c« in %s"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:92
-+#, c-format
-+msgid "%s: syntax error at line %d <%10s...>"
-+msgstr "%s: Syntaxfehler in Zeile %d <%10s …>"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:94
-+#, c-format
-+msgid "%s while opening ACL file %s"
-+msgstr "%s beim Öffnen der ACL-Datei %s"
-+
-+#: ../../src/lib/kadm5/srv/server_acl.c:353
-+#, c-format
-+msgid "%s: invalid restrictions: %s"
-+msgstr "%s: ungültige Beschränkung: %s"
-+
-+#: ../../src/lib/kadm5/srv/server_kdb.c:192
-+msgid "History entry contains no key data"
-+msgstr "Chronikeintrag enthält keine Schlüsseldaten"
-+
-+#: ../../src/lib/kadm5/srv/server_misc.c:128
-+#, c-format
-+msgid "password quality module %s rejected password for %s: %s"
-+msgstr ""
-+"Das Modul %s für Passwortqualität hat das Passwort für %s abgelehnt: %s"
-+
-+#: ../../src/lib/kadm5/str_conv.c:80
-+msgid "Not Postdateable"
-+msgstr "nicht vordatierbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:81
-+msgid "Not Forwardable"
-+msgstr "nicht weiterleitbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:82
-+msgid "No TGT-based requests"
-+msgstr "keine TGT-basierten Anfragen"
-+
-+#: ../../src/lib/kadm5/str_conv.c:83
-+msgid "Not renewable"
-+msgstr "nicht erneuerbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:84
-+msgid "Not proxiable"
-+msgstr "Proxy nicht nutzbar"
-+
-+#: ../../src/lib/kadm5/str_conv.c:85
-+msgid "No DUP_SKEY requests"
-+msgstr "keine DUP_SKEY-Anfragen"
-+
-+#: ../../src/lib/kadm5/str_conv.c:86
-+msgid "All Tickets Disallowed"
-+msgstr "keine Tickets erlaubt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:87
-+msgid "Preauthentication required"
-+msgstr "Vorauthentifizierung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:88
-+msgid "HW authentication required"
-+msgstr "HW-Authentifizierung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:89
-+msgid "OK as Delegate"
-+msgstr "OK als Vertreter"
-+
-+#: ../../src/lib/kadm5/str_conv.c:90
-+msgid "Password Change required"
-+msgstr "Passwortänderung erforderlich"
-+
-+#: ../../src/lib/kadm5/str_conv.c:91
-+msgid "Service Disabled"
-+msgstr "Dienst deaktiviert"
-+
-+#: ../../src/lib/kadm5/str_conv.c:92
-+msgid "Password Changing Service"
-+msgstr "Passwortänderungsdienst"
-+
-+#: ../../src/lib/kadm5/str_conv.c:93
-+msgid "RSA-MD5 supported"
-+msgstr "RSA-MD5 unterstützt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:94
-+msgid "Protocol transition with delegation allowed"
-+msgstr "Protokollübergang mit Vertretung erlaubt"
-+
-+#: ../../src/lib/kadm5/str_conv.c:95
-+msgid "No authorization data required"
-+msgstr "keine Autorisierungsdaten erforderlich"
-+
-+#: ../../src/lib/kdb/kdb5.c:219
-+msgid "No default realm set; cannot initialize KDB"
-+msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden"
-+
-+#: ../../src/lib/kdb/kdb5.c:324 ../../src/lib/kdb/kdb5.c:406
-+#, c-format
-+msgid "Unable to find requested database type: %s"
-+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s"
-+
-+#: ../../src/lib/kdb/kdb5.c:416
-+#, c-format
-+msgid "plugin symbol 'kdb_function_table' lookup failed: %s"
-+msgstr ""
-+"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s"
-+
-+#: ../../src/lib/kdb/kdb5.c:426
-+#, c-format
-+msgid ""
-+"Unable to load requested database module '%s': plugin symbol "
-+"'kdb_function_table' not found"
-+msgstr ""
-+"angefordertes Datenbankmodul »%s« kann nicht geladen werden: "
-+"Erweiterungssymbol »kdb_function_table« nicht gefunden"
-+
-+#: ../../src/lib/kdb/kdb5.c:1650
-+#, c-format
-+msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n"
-+msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n"
-+
-+#: ../../src/lib/kdb/kdb5.c:1819
-+#, c-format
-+msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n"
-+msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n"
-+
-+#: ../../src/lib/kdb/kdb_default.c:164
-+#, c-format
-+msgid "keyfile (%s) is not a regular file: %s"
-+msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s"
-+
-+#: ../../src/lib/kdb/kdb_default.c:177
-+msgid "Could not create temp keytab file name."
-+msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden."
-+
-+#: ../../src/lib/kdb/kdb_default.c:202
-+#, c-format
-+msgid "Temporary stash file already exists: %s."
-+msgstr "Temporäre Ablagedatei existiert bereits: %s."
-+
-+#: ../../src/lib/kdb/kdb_default.c:230
-+#, c-format
-+msgid "rename of temporary keyfile (%s) to (%s) failed: %s"
-+msgstr ""
-+"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s"
-+
-+#: ../../src/lib/kdb/kdb_default.c:419
-+#, c-format
-+msgid "Can not fetch master key (error: %s)."
-+msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)"
-+
-+#: ../../src/lib/kdb/kdb_default.c:482
-+msgid "Unable to decrypt latest master key with the provided master key\n"
-+msgstr ""
-+"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel "
-+"entschlüsselt werden.\n"
-+
-+#: ../../src/lib/kdb/kdb_log.c:83
-+msgid "could not sync ulog header to disk"
-+msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:122
-+#, c-format
-+msgid "Subsidiary cache path %s has no parent directory"
-+msgstr ""
-+"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:128
-+#, c-format
-+msgid "Subsidiary cache path %s filename does not begin with \"tkt\""
-+msgstr ""
-+"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:169
-+#, c-format
-+msgid "%s contains invalid filename"
-+msgstr "%s enthält einen ungültigen Dateinamen."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:229
-+#, c-format
-+msgid "Credential cache directory %s does not exist"
-+msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht."
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:235
-+#, c-format
-+msgid "Credential cache directory %s exists but is not a directory"
-+msgstr ""
-+"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein "
-+"Verzeichnis"
-+
-+#: ../../src/lib/krb5/ccache/cc_dir.c:400
-+msgid ""
-+"Can't create new subsidiary cache because default cache is not a directory "
-+"collection"
-+msgstr ""
-+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
-+"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist."
-+
-+#: ../../src/lib/krb5/ccache/cc_file.c:569
-+#, c-format
-+msgid "Credentials cache file '%s' not found"
-+msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden"
-+
-+#: ../../src/lib/krb5/ccache/cc_file.c:1575
-+#, c-format
-+msgid "Credentials cache I/O operation failed (%s)"
-+msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)"
-+
-+#: ../../src/lib/krb5/ccache/cc_keyring.c:1151
-+msgid ""
-+"Can't create new subsidiary cache because default cache is already a "
-+"subsidiary"
-+msgstr ""
-+"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der "
-+"Standardzwischenspeicher bereits eine Ergänzung ist."
-+
-+#: ../../src/lib/krb5/ccache/cc_keyring.c:1219
-+#, c-format
-+msgid "Credentials cache keyring '%s' not found"
-+msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden"
-+
-+#: ../../src/lib/krb5/ccache/cccursor.c:212
-+#, c-format
-+msgid "Can't find client principal %s in cache collection"
-+msgstr ""
-+"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden "
-+"werden"
-+
-+#: ../../src/lib/krb5/ccache/cccursor.c:253
-+msgid "No Kerberos credentials available"
-+msgstr "keine Kerberos-Anmeldedaten verfügbar"
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:398
-+#, c-format
-+msgid "No key table entry found for %s"
-+msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden."
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:815
-+#: ../../src/lib/krb5/keytab/kt_file.c:848
-+msgid "Cannot change keytab with keytab iterators active"
-+msgstr ""
-+"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert "
-+"werden"
-+
-+#: ../../src/lib/krb5/keytab/kt_file.c:1047
-+#, c-format
-+msgid "Key table file '%s' not found"
-+msgstr "Schlüsseltabellendatei »%s« nicht gefunden"
-+
-+#: ../../src/lib/krb5/keytab/ktfns.c:127
-+#, c-format
-+msgid "Keytab %s is nonexistent or empty"
-+msgstr "Schlüsseltabelle %s existiert nicht oder ist leer"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:251
-+msgid "Malformed request error"
-+msgstr "Fehler wegen Anfrage in falscher Form"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58
-+msgid "Server error"
-+msgstr "Serverfehler"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:257
-+msgid "Authentication error"
-+msgstr "Authentifizierungsfehler"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:260
-+msgid "Password change rejected"
-+msgstr "Passwortänderung abgelehnt"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:263
-+msgid "Access denied"
-+msgstr "Zugriff verweigert"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:266
-+msgid "Wrong protocol version"
-+msgstr "falsche Protokollversion"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:269
-+msgid "Initial password required"
-+msgstr "Erstpasswort erforderlich"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:272
-+msgid "Success"
-+msgstr "Erfolg"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257
-+msgid "Password change failed"
-+msgstr "Ändern des Passworts fehlgeschlagen"
-+
-+#: ../../src/lib/krb5/krb/chpw.c:433
-+msgid ""
-+"The password must include numbers or symbols. Don't include any part of "
-+"your name in the password."
-+msgstr ""
-+"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres "
-+"Namens in das Passwort ein."
-+
-+#: ../../src/lib/krb5/krb/chpw.c:439
-+#, c-format
-+msgid "The password must contain at least %d character."
-+msgid_plural "The password must contain at least %d characters."
-+msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten."
-+msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten."
-+
-+#: ../../src/lib/krb5/krb/chpw.c:448
-+#, c-format
-+msgid "The password must be different from the previous password."
-+msgid_plural "The password must be different from the previous %d passwords."
-+msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden."
-+msgstr[1] ""
-+"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden."
-+
-+#: ../../src/lib/krb5/krb/chpw.c:460
-+#, c-format
-+msgid "The password can only be changed once a day."
-+msgid_plural "The password can only be changed every %d days."
-+msgstr[0] "Das Passwort kann nur einmal täglich geändert werden."
-+msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden."
-+
-+#: ../../src/lib/krb5/krb/chpw.c:506
-+msgid "Try a more complex password, or contact your administrator."
-+msgstr ""
-+"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich "
-+"an Ihren Administrator."
-+
-+#: ../../src/lib/krb5/krb/fast.c:217
-+#, c-format
-+msgid "%s constructing AP-REQ armor"
-+msgstr "%s-Konstruktion von AP-REQ-Schutz"
-+
-+#: ../../src/lib/krb5/krb/fast.c:399
-+#, c-format
-+msgid "%s while decrypting FAST reply"
-+msgstr "%s beim Entschlüsseln der FAST-Antwort"
-+
-+#: ../../src/lib/krb5/krb/fast.c:408
-+msgid "nonce modified in FAST response: KDC response modified"
-+msgstr ""
-+"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort "
-+"geändert"
-+
-+#: ../../src/lib/krb5/krb/fast.c:474
-+msgid "Expecting FX_ERROR pa-data inside FAST container"
-+msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet."
-+
-+#: ../../src/lib/krb5/krb/fast.c:545
-+msgid "FAST response missing finish message in KDC reply"
-+msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort"
-+
-+#: ../../src/lib/krb5/krb/fast.c:558
-+msgid "Ticket modified in KDC reply"
-+msgstr "Ticket in der KDC-Antwort verändert"
-+
-+#: ../../src/lib/krb5/krb/gc_via_tkt.c:208
-+#, c-format
-+msgid "KDC returned error string: %.*s"
-+msgstr "KDC gab eine Fehlermeldung zurück: %.*s"
-+
-+#: ../../src/lib/krb5/krb/gc_via_tkt.c:217
-+#, c-format
-+msgid "Server %s not found in Kerberos database"
-+msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden"
-+
-+#: ../../src/lib/krb5/krb/get_in_tkt.c:133
-+msgid "Reply has wrong form of session key for anonymous request"
-+msgstr ""
-+"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage"
-+
-+#: ../../src/lib/krb5/krb/get_in_tkt.c:1628
-+#, c-format
-+msgid "%s while storing credentials"
-+msgstr "%s beim Speichern der Anmeldedaten"
-+
-+#: ../../src/lib/krb5/krb/get_in_tkt.c:1715
-+#, c-format
-+msgid "Client '%s' not found in Kerberos database"
-+msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden"
-+
-+#: ../../src/lib/krb5/krb/gic_keytab.c:207
-+#, c-format
-+msgid "Keytab contains no suitable keys for %s"
-+msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s"
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:75
-+#, c-format
-+msgid "Password for %s"
-+msgstr "Passwort for %s"
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:227
-+#, c-format
-+msgid "Warning: Your password will expire in less than one hour on %s"
-+msgstr ""
-+"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen."
-+
-+# FIXME in German impossible; plural without »s«
-+#: ../../src/lib/krb5/krb/gic_pwd.c:231
-+#, c-format
-+msgid "Warning: Your password will expire in %d hour%s on %s"
-+msgstr "Warnung: Ihr Passwort wird in %d Stunden%s auf %s ablaufen."
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:235
-+#, c-format
-+msgid "Warning: Your password will expire in %d days on %s"
-+msgstr "Warnung: Ihr Passwort wird in %d Tagen auf %s ablaufen."
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:409
-+msgid "Password expired. You must change it now."
-+msgstr "Passwort abgelaufen. Sie müssen es nun ändern."
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432
-+#, c-format
-+msgid "%s. Please try again."
-+msgstr "%s. Bitte versuchen Sie es erneut."
-+
-+#: ../../src/lib/krb5/krb/gic_pwd.c:471
-+#, c-format
-+msgid "%.*s%s%s. Please try again.\n"
-+msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n"
-+
-+#: ../../src/lib/krb5/krb/parse.c:203
-+#, c-format
-+msgid "Principal %s is missing required realm"
-+msgstr "Principal %s fehlt erforderlicher Realm"
-+
-+#: ../../src/lib/krb5/krb/parse.c:215
-+#, c-format
-+msgid "Principal %s has realm present"
-+msgstr "Für Principal %s ist Realm vorhanden"
-+
-+#: ../../src/lib/krb5/krb/plugin.c:165
-+#, c-format
-+msgid "Invalid module specifier %s"
-+msgstr "ungültiger Modulbezeichner %s"
-+
-+#: ../../src/lib/krb5/krb/plugin.c:402
-+#, c-format
-+msgid "Could not find %s plugin module named '%s'"
-+msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden."
-+
-+#: ../../src/lib/krb5/krb/preauth2.c:1018
-+msgid "Unable to initialize preauth context"
-+msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden."
-+
-+#: ../../src/lib/krb5/krb/preauth2.c:1032
-+#, c-format
-+msgid "Preauth module %s: %s"
-+msgstr "Vorauthentifizierungsmodul %s: %s"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:510
-+msgid "Please choose from the following:\n"
-+msgstr "Bitte wählen Sie aus dem Folgenden aus:\n"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:511
-+msgid "Vendor:"
-+msgstr "Anbieter:"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:523
-+msgid "Enter #"
-+msgstr "Geben Sie # ein"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:559
-+msgid "OTP Challenge:"
-+msgstr "Anforderung des Einwegpassworts:"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:588
-+msgid "OTP Token PIN"
-+msgstr "Einwegpasswort-Token-PIN"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:702
-+msgid "OTP value doesn't match any token formats"
-+msgstr "Wert des Einwegpassworts entspricht keinem Token-Format"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:769
-+msgid "Enter OTP Token Value"
-+msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an"
-+
-+#: ../../src/lib/krb5/krb/preauth_otp.c:914
-+msgid "No supported tokens"
-+msgstr "keine unterstützten Token"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:49
-+msgid "Challenge for Enigma Logic mechanism"
-+msgstr "Anforderung für Enigma-Logic-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:53
-+msgid "Challenge for Digital Pathways mechanism"
-+msgstr "Anforderung für Digital-Pathway-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:57
-+msgid "Challenge for Activcard mechanism"
-+msgstr "Anforderung für Activcard-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:60
-+msgid "Challenge for Enhanced S/Key mechanism"
-+msgstr "Anforderung für erweiterten S/Key-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:63
-+msgid "Challenge for Traditional S/Key mechanism"
-+msgstr "Anforderung für traditionellen S/Key-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:66
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:69
-+msgid "Challenge for Security Dynamics mechanism"
-+msgstr "Anforderung für Security-Dynamics-Mechanismus"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:72
-+msgid "Challenge from authentication server"
-+msgstr "Anforderung vom Authentifizierungsserver"
-+
-+#: ../../src/lib/krb5/krb/preauth_sam2.c:166
-+msgid "SAM Authentication"
-+msgstr "SAM-Authentifizierung"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:145
-+#, c-format
-+msgid "Cannot find key for %s kvno %d in keytab"
-+msgstr ""
-+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:150
-+#, c-format
-+msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)"
-+msgstr ""
-+"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden "
-+"(angefragter Ticketserver %s)"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:175
-+#, c-format
-+msgid "Cannot decrypt ticket for %s using keytab key for %s"
-+msgstr ""
-+"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s "
-+"entschlüsselt werden"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:197
-+#, c-format
-+msgid "Server principal %s does not match request ticket server %s"
-+msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:226
-+msgid "No keys in keytab"
-+msgstr "keine Schlüssel in der Schlüsseltabelle"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:229
-+#, c-format
-+msgid "Server principal %s does not match any keys in keytab"
-+msgstr ""
-+"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:236
-+#, c-format
-+msgid ""
-+"Request ticket server %s found in keytab but does not match server principal "
-+"%s"
-+msgstr ""
-+"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte "
-+"jedoch nicht zu Server-Principal %s"
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:241
-+#, c-format
-+msgid "Request ticket server %s not found in keytab (ticket kvno %d)"
-+msgstr ""
-+"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden "
-+"(Ticket KVNO %d)."
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:247
-+#, c-format
-+msgid ""
-+"Request ticket server %s kvno %d not found in keytab; ticket is likely out "
-+"of date"
-+msgstr ""
-+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle "
-+"gefunden; Ticket ist wahrscheinlich abgelaufen."
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:252
-+#, c-format
-+msgid ""
-+"Request ticket server %s kvno %d not found in keytab; keytab is likely out "
-+"of date"
-+msgstr ""
-+"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle "
-+"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell."
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:261
-+#, c-format
-+msgid ""
-+"Request ticket server %s kvno %d found in keytab but not with enctype %s"
-+msgstr ""
-+"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, "
-+"jedoch nicht mit Verschlüsselungstyp %s."
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:266
-+#, c-format
-+msgid ""
-+"Request ticket server %s kvno %d enctype %s found in keytab but cannot "
-+"decrypt ticket"
-+msgstr ""
-+"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der "
-+"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden."
-+
-+#: ../../src/lib/krb5/krb/rd_req_dec.c:897
-+#, c-format
-+msgid "Encryption type %s not permitted"
-+msgstr "Verschlüsselungstyp %s nicht erlaubt"
-+
-+#: ../../src/lib/krb5/os/expand_path.c:316
-+#, c-format
-+msgid "Can't find username for uid %lu"
-+msgstr "Zu UID %lu kann kein Benutzername gefunden werden."
-+
-+#: ../../src/lib/krb5/os/expand_path.c:405
-+#: ../../src/lib/krb5/os/expand_path.c:421
-+msgid "Invalid token"
-+msgstr "ungültiges Token"
-+
-+#: ../../src/lib/krb5/os/expand_path.c:506
-+msgid "variable missing }"
-+msgstr "Variable fehlt }"
-+
-+#: ../../src/lib/krb5/os/locate_kdc.c:660
-+#, c-format
-+msgid "Cannot find KDC for realm \"%.*s\""
-+msgstr "KDC für Realm »%.*s« kann nicht gefunden werden"
-+
-+#: ../../src/lib/krb5/os/sendto_kdc.c:475
-+#, c-format
-+msgid "Cannot contact any KDC for realm '%.*s'"
-+msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:106
-+#, c-format
-+msgid "Cannot fstat replay cache file %s: %s"
-+msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:112
-+#, c-format
-+msgid ""
-+"Insecure mkstemp() file mode for replay cache file %s; try running this "
-+"program with umask 077"
-+msgstr ""
-+"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; "
-+"versuchen Sie, dieses Programm mit der Umask 077 auszuführen"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:144
-+#, c-format
-+msgid "Cannot %s replay cache file %s: %s"
-+msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:149
-+#, c-format
-+msgid "Cannot %s replay cache: %s"
-+msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:272
-+#, c-format
-+msgid "Insecure file mode for replay cache file %s"
-+msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:278
-+#, c-format
-+msgid "rcache not owned by %d"
-+msgstr "Rcache gehört nicht %d"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406
-+#: ../../src/lib/krb5/rcache/rc_io.c:411
-+#, c-format
-+msgid "Can't write to replay cache: %s"
-+msgstr ""
-+"in Wiederholungszwischenspeicherdatei kann nicht geschrieben werden: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:432
-+#, c-format
-+msgid "Cannot sync replay cache file: %s"
-+msgstr ""
-+"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:451
-+#, c-format
-+msgid "Can't read from replay cache: %s"
-+msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s"
-+
-+#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488
-+#: ../../src/lib/krb5/rcache/rc_io.c:493
-+#, c-format
-+msgid "Can't destroy replay cache: %s"
-+msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s"
-+
-+#: ../../src/plugins/kdb/db2/kdb_db2.c:245
-+#: ../../src/plugins/kdb/db2/kdb_db2.c:830
-+#, c-format
-+msgid "Unsupported argument \"%s\" for db2"
-+msgstr "nicht unterstütztes Argument »%s« für DB2"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507
-+msgid "while reading kerberos container information"
-+msgstr "beim Lesen der Kerberos-Container-Information"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166
-+msgid "while providing time specification"
-+msgstr "beim Bereitstellen der Zeitspezifikation"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304
-+msgid "while creating policy object"
-+msgstr "beim Erstellen des Richtlinienobjekts"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515
-+msgid "while reading realm information"
-+msgstr "beim Lesen der Realm-Information"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407
-+msgid "while destroying policy object"
-+msgstr "beim Zerstören des Richtlinienobjekts"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358
-+#, c-format
-+msgid "This will delete the policy object '%s', are you sure?\n"
-+msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663
-+msgid "while modifying policy object"
-+msgstr "beim Ändern des Richtlinienobjekts"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487
-+#, c-format
-+msgid "while reading information of policy '%s'"
-+msgstr "beim Lesen der Information der Richtlinie »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692
-+msgid "while viewing policy"
-+msgstr "beim Betrachten der Richtlinie"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701
-+#, c-format
-+msgid "while viewing policy '%s'"
-+msgstr "beim Betrachten der Richtlinie »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835
-+msgid "while listing policy objects"
-+msgstr "beim Auflisten der Richtlinienobjekte"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453
-+#, c-format
-+msgid "for subtree while creating realm '%s'"
-+msgstr "für einen Teilbaum beim Erstellen von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465
-+#, c-format
-+msgid "for container reference while creating realm '%s'"
-+msgstr "für Container-Bezug beim Erstellen von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489
-+#, c-format
-+msgid "invalid search scope while creating realm '%s'"
-+msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823
-+#, c-format
-+msgid "'%s' is an invalid option\n"
-+msgstr "»%s« ist keine gültige Option\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512
-+#, c-format
-+msgid "Initializing database for realm '%s'\n"
-+msgstr "Datenbank für Realm »%s« wird initialisiert\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696
-+#, c-format
-+msgid "while creating realm '%s'"
-+msgstr "beim Erstellen von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556
-+#, c-format
-+msgid "Enter DN of Kerberos container: "
-+msgstr "Geben Sie die den DN des Kerberos-Containers ein: "
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894
-+#, c-format
-+msgid "while reading information of realm '%s'"
-+msgstr "beim Lesen der Information von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733
-+msgid "while reading Kerberos container information"
-+msgstr "beim Lesen der Kerberos-Container-Information"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774
-+#, c-format
-+msgid "for subtree while modifying realm '%s'"
-+msgstr "für einen Teilbaum beim Ändern von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785
-+#, c-format
-+msgid "for container reference while modifying realm '%s'"
-+msgstr "für Container-Bezug beim Ändern von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812
-+#, c-format
-+msgid "specified for search scope while modifying information of realm '%s'"
-+msgstr ""
-+"angegeben für Suchbereich, während die Information für Realm »%s« geändert "
-+"wird"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851
-+#, c-format
-+msgid "while modifying information of realm '%s'"
-+msgstr "beim Ändern der Information von Realm »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940
-+msgid "Realm Name"
-+msgstr "Realm-Name"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943
-+msgid "Subtree"
-+msgstr "Teilbaum"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946
-+msgid "Principal Container Reference"
-+msgstr "Principal-Container-Bezug"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953
-+msgid "SearchScope"
-+msgstr "Suchbereich"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951
-+msgid "Invalid !"
-+msgstr "ungültig!"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958
-+msgid "KDC Services"
-+msgstr "KDC-Dienste"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973
-+msgid "Admin Services"
-+msgstr "Administratordienste"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988
-+msgid "Passwd Services"
-+msgstr "Passwortdienste"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004
-+msgid "Maximum Ticket Life"
-+msgstr "maximale Ticketlebensdauer"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009
-+msgid "Maximum Renewable Life"
-+msgstr "maximale verlängerbare Lebensdauer"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016
-+msgid "Ticket flags"
-+msgstr "Ticket-Flags"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095
-+msgid "while listing realms"
-+msgstr "beim Auflisten der Realms"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439
-+msgid "while adding entries to database"
-+msgstr "beim Hinzufügen von Einträgen zur Datenbank"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480
-+#, c-format
-+msgid "Deleting KDC database of '%s', are you sure?\n"
-+msgstr ""
-+"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491
-+#, c-format
-+msgid "OK, deleting database of '%s'...\n"
-+msgstr "OK, die Datenbank von »%s« wird gelöscht …\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524
-+#, c-format
-+msgid "deleting database of '%s'"
-+msgstr "Die Datenbank von »%s« wird gelöscht."
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529
-+#, c-format
-+msgid "** Database of '%s' destroyed.\n"
-+msgstr "** Datenbank von »%s« vernichtet\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227
-+msgid "while setting service object password"
-+msgstr "beim Setzen des Passworts für das Dienstobjekt"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477
-+#, c-format
-+msgid "Password for \"%s\""
-+msgstr "Passwort für »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143
-+#, c-format
-+msgid "Re-enter password for \"%s\""
-+msgstr "Geben Sie das Passwort für »%s« erneut ein."
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154
-+#, c-format
-+msgid "%s: Invalid password\n"
-+msgstr "%s: ungültiges Passwort\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170
-+msgid "Failed to convert the password to hexadecimal"
-+msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen."
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183
-+#, c-format
-+msgid "Failed to open file %s: %s"
-+msgstr "Datei %s konnte nicht geöffnet werden: %s"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283
-+msgid "Failed to write service object password to file"
-+msgstr ""
-+"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268
-+msgid "Error reading service object password file"
-+msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236
-+#, c-format
-+msgid "Error creating file %s"
-+msgstr "Fehler beim Erstellen der Datei %s"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105
-+#, c-format
-+msgid ""
-+"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n"
-+"\tcmd [cmd_options]\n"
-+"create [-subtrees subtree_dn_list] [-sscope search_scope] [-"
-+"containerref container_reference_dn]\n"
-+"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
-+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
-+"\t\t[ticket_flags] [-r realm]\n"
-+"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-"
-+"containerref container_reference_dn]\n"
-+"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n"
-+"\t\t[ticket_flags] [-r realm]\n"
-+"view [-r realm]\n"
-+"destroy [-f] [-r realm]\n"
-+"list\n"
-+"stashsrvpw [-f filename] service_dn\n"
-+"create_policy [-r realm] [-maxtktlife max_ticket_life]\n"
-+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
-+"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n"
-+"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n"
-+"view_policy [-r realm] policy\n"
-+"destroy_policy [-r realm] [-force] policy\n"
-+"list_policy [-r realm]\n"
-+msgstr ""
-+"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n"
-+"\tcmd [Befehlsoptionen]\n"
-+"create [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-"
-+"containerref Container-Bezug-DN]\n"
-+"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n"
-+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
-+"\t\t[Ticket_Flags] [-r Realm]\n"
-+"modify [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-"
-+"containerref Container-Bezug-DN]\n"
-+"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
-+"\t\t[Ticket_Flags] [-r Realm]\n"
-+"view [-r Realm]\n"
-+"destroy [-f] [-r Realm]\n"
-+"list\n"
-+"stashsrvpw [-f Dateiname] Dienst-DN\n"
-+"create_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
-+"\t\t[Ticket_Flags] Richtlinie\n"
-+"modify_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n"
-+"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n"
-+"\t\t[Ticket_Flags] Richtlinie\n"
-+"view_policy [-r Realm] Richtlinie\n"
-+"destroy_policy [-r Realm] [-force] Richtlinie\n"
-+"list_policy [-r Realm]\n"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341
-+msgid "while reading ldap parameters"
-+msgstr "beim Lesen der LDAP-Parameter"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439
-+msgid "while initializing error handling"
-+msgstr "beim Initialisieren der Fehlerbehandlung"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447
-+msgid "while initializing ldap handle"
-+msgstr "beim Initialisieren des LDAP-Identifikators"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525
-+msgid "while retrieving ldap configuration"
-+msgstr "beim Abfragen der LDAP-Konfiguration"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516
-+msgid "while initializing server list"
-+msgstr "beim Initialisieren der Serverliste"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547
-+msgid "while setting up lib handle"
-+msgstr "ein Einrichten der BibliotheksIdentifikators"
-+
-+#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556
-+msgid "while reading ldap configuration"
-+msgstr "beim Lesen der LDAP-Konfiguration"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68
-+msgid "Unable to read Kerberos container"
-+msgstr "Kerberos-Container kann nicht gelesen werden"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74
-+msgid "Unable to read Realm"
-+msgstr "Realm kann nicht gelesen werden"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73
-+msgid "Error processing LDAP DB params:"
-+msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80
-+msgid "Error reading LDAP server params:"
-+msgstr "Fehler beim Lesen der LDAP-Server-Parameters:"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64
-+msgid "LDAP bind dn value missing"
-+msgstr "LDAP-Bindungs-DN-Wert fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69
-+msgid "LDAP bind password value missing"
-+msgstr "LDAP-Bindungs-Passwortwert fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77
-+msgid "Error reading password from stash: "
-+msgstr "Fehler beim Lesen des Passworts aus der Ablage: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85
-+msgid "Service password length is zero"
-+msgstr "Länge des Dienstpassworts ist Null"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145
-+#, c-format
-+msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s"
-+msgstr ""
-+"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« "
-+"hergestellt werden: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158
-+#, c-format
-+msgid "Cannot bind to LDAP server '%s' as '%s': %s"
-+msgstr ""
-+"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183
-+#, c-format
-+msgid "Cannot create LDAP handle for '%s': %s"
-+msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131
-+msgid "could not complete roll-back, error deleting Kerberos Container"
-+msgstr ""
-+"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des "
-+"Kerberos-Containers"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67
-+msgid "Error reading kerberos container location from krb5.conf"
-+msgstr ""
-+"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75
-+msgid "Kerberos container location not specified"
-+msgstr "Kerberos-Container-Speicherort nicht angegeben"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55
-+#, c-format
-+msgid "Error reading '%s' attribute: %s"
-+msgstr "Fehler beim Lesen des Attributs »%s«: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218
-+msgid "KDB module requires -update argument"
-+msgstr "KDB-Modul benötigt Argument »-update«"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224
-+#, c-format
-+msgid "'%s' value missing"
-+msgstr "Wert »%s« fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282
-+#, c-format
-+msgid "unknown option '%s'"
-+msgstr "unbekannte Option »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342
-+msgid "Minimum connections required per server is 2"
-+msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159
-+msgid "Default realm not set"
-+msgstr "Standard-Realm nicht gesetzt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262
-+msgid "DN information missing"
-+msgstr "DN-Information fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108
-+msgid "Principal does not belong to realm"
-+msgstr "Principal gehört nicht zum Realm"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295
-+#, c-format
-+msgid "%s option not supported"
-+msgstr "Option %s wird nicht unterstützt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302
-+#, c-format
-+msgid "unknown option: %s"
-+msgstr "unbekannte Option: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316
-+#, c-format
-+msgid "%s option value missing"
-+msgstr "Wert der Option %s fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542
-+msgid "Principal does not belong to the default realm"
-+msgstr "Principal gehört nicht zum Standard-Realm"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610
-+#, c-format
-+msgid ""
-+"operation can not continue, more than one entry with principal name \"%s\" "
-+"found"
-+msgstr ""
-+"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« "
-+"gefunden wurde."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673
-+#, c-format
-+msgid "'%s' not found: "
-+msgstr "»%s« nicht gefunden: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751
-+msgid "DN is out of the realm subtree"
-+msgstr "DN liegt außerhalb ders Teilbaums des Realms"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807
-+#, c-format
-+msgid "ldap object is already kerberized"
-+msgstr "LDAP-Objekt ist bereits an Kerberos angepasst"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827
-+#, c-format
-+msgid ""
-+"link information can not be set/updated as the kerberos principal belongs to "
-+"an ldap object"
-+msgstr ""
-+"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der "
-+"Kerberos-Principal zu einem LDAP-Objekt gehört."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842
-+#, c-format
-+msgid "Failed getting object references"
-+msgstr "Holen von Objektbezügen fehlgeschlagen"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849
-+#, c-format
-+msgid "kerberos principal is already linked to a ldap object"
-+msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167
-+msgid "ticket policy object value: "
-+msgstr "Wert des Ticket-Richtlinienobjekts: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215
-+#, c-format
-+msgid "Principal delete failed (trying to replace entry): %s"
-+msgstr ""
-+"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu "
-+"ersetzen): %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225
-+#, c-format
-+msgid "Principal add failed: %s"
-+msgstr "Hinzufügen des Principals fehlgeschlagen: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263
-+#, c-format
-+msgid "User modification failed: %s"
-+msgstr "Änderung des Benutzers fehlgeschlagen: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336
-+msgid "Error reading ticket policy. "
-+msgstr "Fehler beim Lesen der Ticket-Richtlinie"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402
-+#, c-format
-+msgid "unable to decode stored principal key data (%s)"
-+msgstr ""
-+"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht "
-+"dekodiert werden."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223
-+msgid "Realm information not available"
-+msgstr "Realm-Information nicht verfügbar"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294
-+msgid "Error reading ticket policy: "
-+msgstr "Fehler beim Lesen der Ticket-Richtlinie:"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307
-+#, c-format
-+msgid "Realm Delete FAILED: %s"
-+msgstr "Löschen des Realms FEHLGESCHLAGEN: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387
-+msgid "subtree value: "
-+msgstr "Wert des Teilbaums: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404
-+msgid "container reference value: "
-+msgstr "Wert des Container-Bezugs: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550
-+msgid "Kerberos Container information is missing"
-+msgstr "Kerberos-Container-Information fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499
-+msgid "Invalid Kerberos container DN"
-+msgstr "ungültiger Kerberos-Container-DN"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515
-+#, c-format
-+msgid "Kerberos Container create FAILED: %s"
-+msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558
-+#, c-format
-+msgid "Kerberos Container delete FAILED: %s"
-+msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634
-+msgid "realm object value: "
-+msgstr "Wert des Realm-Objekts: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48
-+msgid "Not a hexadecimal password"
-+msgstr "kein hexadezimales Passwort"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66
-+msgid "Password corrupt"
-+msgstr "Passwort beschädigt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93
-+#, c-format
-+msgid "Cannot open LDAP password file '%s': %s"
-+msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123
-+#, c-format
-+msgid "Bind DN entry '%s' missing in LDAP password file '%s'"
-+msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132
-+msgid "Ticket Policy Name missing"
-+msgstr "Ticket-Richtlinienname fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221
-+msgid "ticket policy object: "
-+msgstr "Ticket-Richtlinienobjekt: "
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209
-+msgid "Ticket Policy Object information missing"
-+msgstr "Ticket-Richtlinienobjekt-Information fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300
-+msgid "Ticket Policy Object DN missing"
-+msgstr "DN des Ticket-Richtlinienobjekts fehlt"
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327
-+msgid "Delete Failed: One or more Principals associated with the Ticket Policy"
-+msgstr ""
-+"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-"
-+"Richtlinie."
-+
-+#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435
-+msgid "Error reading container object: "
-+msgstr "Fehler beim Lesen des Container-Objekts: "
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153
-+msgid "Pass phrase for"
-+msgstr "Passphrase für"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081
-+#, c-format
-+msgid "Cannot create cert chain: %s"
-+msgstr "Zertifikatskette kann nicht erstellt werden: %s"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408
-+msgid "Invalid pkinit packet: octet string expected"
-+msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427
-+msgid "wrong oid\n"
-+msgstr "falsche OID\n"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994
-+#, c-format
-+msgid "unknown code 0x%x"
-+msgstr "unbekannter Code 0x%x"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424
-+#, c-format
-+msgid "Unsupported type while processing '%s'\n"
-+msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465
-+msgid "Internal error parsing X509_user_identity\n"
-+msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560
-+msgid "No user identity options specified"
-+msgstr "keine Optionen der Nutzeridentität angegeben"
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414
-+msgid "Pkinit request not signed, but client not anonymous."
-+msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym"
-+
-+# DH = Diffie-Hellman
-+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447
-+msgid "Anonymous pkinit without DH public value not supported."
-+msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt."
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147
-+#, c-format
-+msgid "No pkinit_identity supplied for realm %s"
-+msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt."
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158
-+#, c-format
-+msgid "No pkinit_anchors supplied for realm %s"
-+msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt."
-+
-+#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346
-+msgid "No realms configured correctly for pkinit support"
-+msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert."
-+
-+#: ../../src/slave/kprop.c:85
-+#, c-format
-+msgid ""
-+"\n"
-+"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n"
-+"\n"
-+msgstr ""
-+"\n"
-+"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] "
-+"untergeordneter_Rechner\n"
-+"\n"
-+
-+#: ../../src/slave/kprop.c:114
-+#, c-format
-+msgid "Database propagation to %s: SUCCEEDED\n"
-+msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n"
-+
-+#: ../../src/slave/kprop.c:187
-+msgid "while setting client principal name"
-+msgstr "beim Setzen des Client-Principal-Namens"
-+
-+#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209
-+msgid "while setting client principal realm"
-+msgstr "beim Setzen des Client-Principal-Realms"
-+
-+#: ../../src/slave/kprop.c:217
-+#, c-format
-+msgid "while opening credential cache %s"
-+msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s"
-+
-+#: ../../src/slave/kprop.c:233
-+msgid "while setting server principal name"
-+msgstr "beim Setzen des Server-Principal-Namens"
-+
-+#: ../../src/slave/kprop.c:255
-+msgid "while resolving keytab"
-+msgstr "beim Ermitteln der Schlüsseltabelle"
-+
-+#: ../../src/slave/kprop.c:264
-+msgid "while getting initial credentials\n"
-+msgstr "beim Holen der Anfangsanmeldedaten\n"
-+
-+#: ../../src/slave/kprop.c:301
-+msgid "while creating socket"
-+msgstr "beim Erstellen eines Sockets"
-+
-+#: ../../src/slave/kprop.c:317
-+msgid "while converting server address"
-+msgstr "beim Umwandeln der Server-Adresse"
-+
-+#: ../../src/slave/kprop.c:327
-+msgid "while connecting to server"
-+msgstr "beim Verbinden mit dem Server"
-+
-+#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215
-+msgid "while getting local socket address"
-+msgstr "beim Holen der lokalen Socket-Adresse"
-+
-+#: ../../src/slave/kprop.c:339
-+msgid "while converting local address"
-+msgstr "beim Umwandeln der lokalen Socket-Adresse"
-+
-+#: ../../src/slave/kprop.c:362
-+msgid "in krb5_auth_con_setaddrs"
-+msgstr "in »krb5_auth_con_setaddrs«"
-+
-+#: ../../src/slave/kprop.c:370
-+msgid "while authenticating to server"
-+msgstr "beim Authentifizieren am Server"
-+
-+#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573
-+#: ../../src/slave/kpropd.c:1521
-+#, c-format
-+msgid "Generic remote error: %s\n"
-+msgstr "allgemeiner ferner Fehler: %s\n"
-+
-+#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579
-+msgid "signalled from server"
-+msgstr "signalisiert vom Server"
-+
-+#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581
-+#, c-format
-+msgid "Error text from server: %s\n"
-+msgstr "Fehlermeldung vom Server: %s\n"
-+
-+#: ../../src/slave/kprop.c:410
-+#, c-format
-+msgid "allocating database file name '%s'"
-+msgstr "Datenbankdateiname »%s« wird reserviert"
-+
-+#: ../../src/slave/kprop.c:416
-+#, c-format
-+msgid "while trying to open %s"
-+msgstr "beim Versuch, %s zu öffnen"
-+
-+#: ../../src/slave/kprop.c:423
-+msgid "database locked"
-+msgstr "Datenbank gesperrt"
-+
-+#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525
-+#, c-format
-+msgid "while trying to lock '%s'"
-+msgstr "beim Versuch, »%s« zu sperren"
-+
-+#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438
-+#, c-format
-+msgid "while trying to stat %s"
-+msgstr "beim Versuch, »stat« für %s auszuführen"
-+
-+#: ../../src/slave/kprop.c:434
-+msgid "while trying to malloc data_ok_fn"
-+msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren"
-+
-+#: ../../src/slave/kprop.c:443
-+#, c-format
-+msgid "'%s' more recent than '%s'."
-+msgstr "»%s« ist aktueller als »%s«."
-+
-+#: ../../src/slave/kprop.c:459
-+#, c-format
-+msgid "while unlocking database '%s'"
-+msgstr "beim Entsperren von Datenbank »%s«"
-+
-+#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493
-+msgid "while encoding database size"
-+msgstr "beim Aufbereiten der Datenbankgröße"
-+
-+#: ../../src/slave/kprop.c:501
-+msgid "while sending database size"
-+msgstr "beim Senden der Datenbankgröße"
-+
-+#: ../../src/slave/kprop.c:511
-+msgid "while allocating i_vector"
-+msgstr "beim Reservieren von »i_vector«"
-+
-+#: ../../src/slave/kprop.c:534
-+#, c-format
-+msgid "while sending database block starting at %d"
-+msgstr "beim Senden des Datenbankblocks, der bei %d beginnt"
-+
-+#: ../../src/slave/kprop.c:544
-+msgid "Premature EOF found for database file!"
-+msgstr "vorzeitiges EOF für Datenbankdatei gefunden!"
-+
-+#: ../../src/slave/kprop.c:557
-+msgid "while reading response from server"
-+msgstr "beim Lesen der Antwort vom Servers"
-+
-+#: ../../src/slave/kprop.c:568
-+msgid "while decoding error response from server"
-+msgstr "beim Aufschlüsseln der Fehlerantwort vom Server"
-+
-+#: ../../src/slave/kprop.c:599
-+#, c-format
-+msgid "Kpropd sent database size %d, expecting %d"
-+msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d"
-+
-+#: ../../src/slave/kprop.c:643
-+msgid "while allocating filename for update_last_prop_file"
-+msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«"
-+
-+#: ../../src/slave/kprop.c:648
-+#, c-format
-+msgid "while creating 'last_prop' file, '%s'"
-+msgstr "beim Erstellen der Datei »last_prop«, »%s«"
-+
-+#: ../../src/slave/kpropd.c:170
-+#, c-format
-+msgid ""
-+"\n"
-+"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n"
-+msgstr ""
-+"\n"
-+"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f "
-+"untergeordnete_Datei]\n"
-+
-+#: ../../src/slave/kpropd.c:172
-+#, c-format
-+msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n"
-+msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n"
-+
-+#: ../../src/slave/kpropd.c:173
-+#, c-format
-+msgid "\t[-x db_args]* [-P port] [-a acl_file]\n"
-+msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n"
-+
-+#: ../../src/slave/kpropd.c:174
-+#, c-format
-+msgid "\t[-A admin_server]\n"
-+msgstr "\t[-A Serveradministrator]\n"
-+
-+#: ../../src/slave/kpropd.c:215
-+#, c-format
-+msgid "Killing fullprop child (%d)\n"
-+msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n"
-+
-+#: ../../src/slave/kpropd.c:244
-+msgid "while checking if stdin is a socket"
-+msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist"
-+
-+#: ../../src/slave/kpropd.c:262
-+#, c-format
-+msgid "ready\n"
-+msgstr "bereit\n"
-+
-+#: ../../src/slave/kpropd.c:272
-+#, c-format
-+msgid "Could not open /dev/null: %s"
-+msgstr "/dev/null konnte nicht geöffnet werden: %s"
-+
-+#: ../../src/slave/kpropd.c:279
-+#, c-format
-+msgid "Could not dup the inetd socket: %s"
-+msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s"
-+
-+#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327
-+msgid "do_iprop failed.\n"
-+msgstr "»do_iprop« fehlgeschlagen\n"
-+
-+#: ../../src/slave/kpropd.c:366
-+#, c-format
-+msgid "getaddrinfo: %s\n"
-+msgstr "getaddrinfo: %s\n"
-+
-+#: ../../src/slave/kpropd.c:372
-+msgid "while obtaining socket"
-+msgstr "beim Erlangen des Sockets"
-+
-+#: ../../src/slave/kpropd.c:378
-+msgid "while setting SO_REUSEADDR option"
-+msgstr "beim Setzen der Option SO_REUSEADDR"
-+
-+#: ../../src/slave/kpropd.c:386
-+msgid "while unsetting IPV6_V6ONLY option"
-+msgstr "beim Entfernen der Option IPV6_V6ONLY"
-+
-+#: ../../src/slave/kpropd.c:391
-+msgid "while binding listener socket"
-+msgstr "beim Anbinden an das auf Verbindung wartende Socket"
-+
-+#: ../../src/slave/kpropd.c:402
-+#, c-format
-+msgid "waiting for a kprop connection\n"
-+msgstr "warten auf Kprop-Verbindung\n"
-+
-+#: ../../src/slave/kpropd.c:408
-+msgid "while accepting connection"
-+msgstr "beim Akzeptieren der Verbindung"
-+
-+#: ../../src/slave/kpropd.c:414
-+msgid "while forking"
-+msgstr "beim Erzeugen eines Kindprozesses"
-+
-+#: ../../src/slave/kpropd.c:429
-+#, c-format
-+msgid "waitpid() failed to wait for doit() (%d %s)\n"
-+msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n"
-+
-+#: ../../src/slave/kpropd.c:433
-+msgid "while waiting to receive database"
-+msgstr "beim Warten auf den Erhalt der Datenbank"
-+
-+#: ../../src/slave/kpropd.c:437
-+#, c-format
-+msgid "Database load process for full propagation completed.\n"
-+msgstr ""
-+"Der Datenbankladeprozess für eine vollständige Verbreitung ist "
-+"abgeschlossen.\n"
-+
-+#: ../../src/slave/kpropd.c:471
-+#, c-format
-+msgid ""
-+"%s: Standard input does not appear to be a network socket.\n"
-+"\t(Not run from inetd, and missing the -S option?)\n"
-+msgstr ""
-+"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n"
-+"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n"
-+
-+#: ../../src/slave/kpropd.c:485
-+msgid "while attempting setsockopt (SO_KEEPALIVE)"
-+msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)"
-+
-+#: ../../src/slave/kpropd.c:490
-+#, c-format
-+msgid "Connection from %s"
-+msgstr "Verbindung von %s"
-+
-+#: ../../src/slave/kpropd.c:510
-+#, c-format
-+msgid "Rejected connection from unauthorized principal %s\n"
-+msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n"
-+
-+#: ../../src/slave/kpropd.c:514
-+#, c-format
-+msgid "Rejected connection from unauthorized principal %s"
-+msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s"
-+
-+#: ../../src/slave/kpropd.c:531
-+#, c-format
-+msgid "while opening database file, '%s'"
-+msgstr "beim Öffnen der Datenbankdatei, »%s«"
-+
-+#: ../../src/slave/kpropd.c:537
-+#, c-format
-+msgid "while renaming %s to %s"
-+msgstr "beim Umbenennen von %s in %s"
-+
-+#: ../../src/slave/kpropd.c:543
-+#, c-format
-+msgid "while downgrading lock on '%s'"
-+msgstr "beim Downgrade der Sperre auf »%s«"
-+
-+#: ../../src/slave/kpropd.c:550
-+#, c-format
-+msgid "while unlocking '%s'"
-+msgstr "beim Aufheben der Sperre »%s«"
-+
-+#: ../../src/slave/kpropd.c:562
-+msgid "while sending # of received bytes"
-+msgstr "beim Senden n empfangener Byte"
-+
-+#: ../../src/slave/kpropd.c:568
-+msgid "while trying to close database file"
-+msgstr "beim Versuch, die Datenbankdatei zu schließen"
-+
-+#: ../../src/slave/kpropd.c:624
-+#, c-format
-+msgid "Incremental propagation enabled\n"
-+msgstr "inkrementelle Verbreitung aktiviert\n"
-+
-+#: ../../src/slave/kpropd.c:634
-+msgid "Unable to get default realm"
-+msgstr "Standard-Realm kann nicht geholt werden"
-+
-+#: ../../src/slave/kpropd.c:647
-+#, c-format
-+msgid "%s: unable to get kiprop host based service name for realm %s\n"
-+msgstr ""
-+"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt "
-+"werden\n"
-+
-+#: ../../src/slave/kpropd.c:658
-+msgid "while trying to construct host service principal"
-+msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen"
-+
-+#: ../../src/slave/kpropd.c:672
-+msgid "while determining local service principal name"
-+msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens"
-+
-+#: ../../src/slave/kpropd.c:692
-+#, c-format
-+msgid "Initializing kadm5 as client %s\n"
-+msgstr "Kadm5 wird als Client %s initialisiert\n"
-+
-+#: ../../src/slave/kpropd.c:706
-+#, c-format
-+msgid "kadm5 initialization failed!\n"
-+msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n"
-+
-+#: ../../src/slave/kpropd.c:715
-+msgid "while attempting to connect to master KDC ... retrying"
-+msgstr ""
-+"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut "
-+"versucht"
-+
-+#: ../../src/slave/kpropd.c:719
-+#, c-format
-+msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n"
-+msgstr ""
-+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n"
-+
-+#: ../../src/slave/kpropd.c:735
-+#, c-format
-+msgid "while initializing %s interface, retrying"
-+msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht"
-+
-+#: ../../src/slave/kpropd.c:739
-+#, c-format
-+msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n"
-+msgstr ""
-+"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc "
-+"nicht?).\n"
-+
-+#: ../../src/slave/kpropd.c:749
-+#, c-format
-+msgid "kadm5 initialization succeeded\n"
-+msgstr "Initialisieren von Kadm5 erfolgreich\n"
-+
-+#: ../../src/slave/kpropd.c:771
-+msgid "reading update log header"
-+msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen"
-+
-+#: ../../src/slave/kpropd.c:782
-+#, c-format
-+msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n"
-+msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n"
-+
-+#: ../../src/slave/kpropd.c:792
-+msgid "iprop_get_updates call failed"
-+msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen"
-+
-+#: ../../src/slave/kpropd.c:798
-+#, c-format
-+msgid "Reinitializing iprop because get updates failed\n"
-+msgstr ""
-+"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n"
-+
-+#: ../../src/slave/kpropd.c:819
-+#, c-format
-+msgid "Still waiting for full resync\n"
-+msgstr ""
-+"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n"
-+
-+#: ../../src/slave/kpropd.c:824
-+#, c-format
-+msgid "Full resync needed\n"
-+msgstr "erneutes vollständiges Synchronisieren erforderlich\n"
-+
-+#: ../../src/slave/kpropd.c:825
-+msgid "kpropd: Full resync needed."
-+msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich"
-+
-+#: ../../src/slave/kpropd.c:830
-+msgid "iprop_full_resync call failed"
-+msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen"
-+
-+#: ../../src/slave/kpropd.c:841
-+#, c-format
-+msgid "Full resync request granted\n"
-+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n"
-+
-+#: ../../src/slave/kpropd.c:842
-+msgid "Full resync request granted."
-+msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt"
-+
-+# FIXME s/backoff/back-off/
-+#: ../../src/slave/kpropd.c:851
-+#, c-format
-+msgid "Exponential backoff\n"
-+msgstr "exponentieller Wartezyklus\n"
-+
-+#: ../../src/slave/kpropd.c:857
-+#, c-format
-+msgid "Full resync permission denied\n"
-+msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n"
-+
-+#: ../../src/slave/kpropd.c:858
-+msgid "Full resync, permission denied."
-+msgstr "vollständiges erneutes Synchronisieren, nicht gestattet"
-+
-+#: ../../src/slave/kpropd.c:863
-+#, c-format
-+msgid "Full resync error from master\n"
-+msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n"
-+
-+#: ../../src/slave/kpropd.c:864
-+msgid " Full resync, error returned from master KDC."
-+msgstr ""
-+"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler "
-+"zurück"
-+
-+#: ../../src/slave/kpropd.c:872
-+#, c-format
-+msgid "Full resync invalid result from master\n"
-+msgstr ""
-+"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges "
-+"Ergebnis zurück.\n"
-+
-+#: ../../src/slave/kpropd.c:874
-+msgid "Full resync, invalid return from master KDC."
-+msgstr ""
-+"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-"
-+"KDC"
-+
-+#: ../../src/slave/kpropd.c:890
-+#, c-format
-+msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n"
-+msgstr ""
-+"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n"
-+
-+#: ../../src/slave/kpropd.c:902
-+#, c-format
-+msgid "ulog_replay failed (%s), updates not registered\n"
-+msgstr ""
-+"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n"
-+
-+#: ../../src/slave/kpropd.c:905
-+#, c-format
-+msgid "ulog_replay failed (%s), updates not registered."
-+msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert"
-+
-+#: ../../src/slave/kpropd.c:914
-+#, c-format
-+msgid "Incremental updates: %d updates / %lu us"
-+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us"
-+
-+#: ../../src/slave/kpropd.c:917
-+#, c-format
-+msgid "Incremental updates: %d updates / %lu us\n"
-+msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n"
-+
-+#: ../../src/slave/kpropd.c:925
-+#, c-format
-+msgid "get_updates permission denied\n"
-+msgstr "Zugriff bei »get_updates« verweigert\n"
-+
-+#: ../../src/slave/kpropd.c:926
-+msgid "get_updates, permission denied."
-+msgstr "»get_updates«, Zugriff verweigert"
-+
-+#: ../../src/slave/kpropd.c:931
-+#, c-format
-+msgid "get_updates error from master\n"
-+msgstr "»get_updates«-Fehler vom Master\n"
-+
-+#: ../../src/slave/kpropd.c:932
-+msgid "get_updates, error returned from master KDC."
-+msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben."
-+
-+# FIXME s/backoff/back-off/
-+#: ../../src/slave/kpropd.c:940
-+#, c-format
-+msgid "get_updates master busy; backoff\n"
-+msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n"
-+
-+#: ../../src/slave/kpropd.c:949
-+#, c-format
-+msgid "KDC is synchronized with master.\n"
-+msgstr "KDC wurde mit dem Master synchronisiert.\n"
-+
-+#: ../../src/slave/kpropd.c:957
-+#, c-format
-+msgid "get_updates invalid result from master\n"
-+msgstr "ungültiges »get_updates«-Ergebnis vom Master\n"
-+
-+#: ../../src/slave/kpropd.c:958
-+msgid "get_updates, invalid return from master KDC."
-+msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC"
-+
-+# FIXME s/backoff/back-off/
-+#: ../../src/slave/kpropd.c:973
-+#, c-format
-+msgid "Busy signal received from master, backoff for %d secs\n"
-+msgstr ""
-+"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, "
-+"Zurückhaltung für %d Sekunden\n"
-+
-+#: ../../src/slave/kpropd.c:980
-+#, c-format
-+msgid "Waiting for %d seconds before checking for updates again\n"
-+msgstr ""
-+"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n"
-+
-+#: ../../src/slave/kpropd.c:991
-+#, c-format
-+msgid "ERROR returned by master, bailing\n"
-+msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n"
-+
-+#: ../../src/slave/kpropd.c:992
-+msgid "ERROR returned by master KDC, bailing.\n"
-+msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n"
-+
-+#: ../../src/slave/kpropd.c:1134
-+msgid "copying db args"
-+msgstr "Datenbankargumente werden kopiert"
-+
-+#: ../../src/slave/kpropd.c:1161
-+msgid "while trying to construct my service name"
-+msgstr "beim Versuch, meinen Dienstnamen zu erstellen"
-+
-+#: ../../src/slave/kpropd.c:1167
-+msgid "while constructing my service realm"
-+msgstr "beim Erstellen meines Dienst-Realms"
-+
-+#: ../../src/slave/kpropd.c:1175
-+msgid "while allocating filename for temp file"
-+msgstr "beim Reservieren des Dateinamens für die temporäre Datei"
-+
-+#: ../../src/slave/kpropd.c:1181
-+msgid "while initializing"
-+msgstr "bei der Initialisierung"
-+
-+#: ../../src/slave/kpropd.c:1189
-+msgid "Unable to map log!\n"
-+msgstr "Protokoll kann nicht abgebildet werden!\n"
-+
-+#: ../../src/slave/kpropd.c:1235
-+#, c-format
-+msgid "Error in krb5_auth_con_ini: %s"
-+msgstr "Fehler in »krb5_auth_con_ini«: %s"
-+
-+#: ../../src/slave/kpropd.c:1243
-+#, c-format
-+msgid "Error in krb5_auth_con_setflags: %s"
-+msgstr "Fehler in »krb5_auth_con_setflags«: %s"
-+
-+#: ../../src/slave/kpropd.c:1251
-+#, c-format
-+msgid "Error in krb5_auth_con_setaddrs: %s"
-+msgstr "Fehler in »krb5_auth_con_setaddrs«: %s"
-+
-+#: ../../src/slave/kpropd.c:1259
-+#, c-format
-+msgid "Error in krb5_kt_resolve: %s"
-+msgstr "Fehler in »krb5_kt_resolve«: %s"
-+
-+#: ../../src/slave/kpropd.c:1268
-+#, c-format
-+msgid "Error in krb5_recvauth: %s"
-+msgstr "Fehler in »krb5_recvauth«: %s"
-+
-+#: ../../src/slave/kpropd.c:1275
-+#, c-format
-+msgid "Error in krb5_copy_prinicpal: %s"
-+msgstr "Fehler in »krb5_copy_prinicpal«: %s"
-+
-+#: ../../src/slave/kpropd.c:1291
-+msgid "while unparsing ticket etype"
-+msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets"
-+
-+#: ../../src/slave/kpropd.c:1295
-+#, c-format
-+msgid "authenticated client: %s (etype == %s)\n"
-+msgstr "Authentifizierter Client: %s (etype == %s)\n"
-+
-+#: ../../src/slave/kpropd.c:1374
-+msgid "while reading size of database from client"
-+msgstr "beim Lesen der Datenbankgröße vom Client"
-+
-+#: ../../src/slave/kpropd.c:1384
-+msgid "while decoding database size from client"
-+msgstr "beim Dekodieren der Datenbankgröße vom Client"
-+
-+#: ../../src/slave/kpropd.c:1397
-+msgid "while initializing i_vector"
-+msgstr "beim Initialisieren von »i_vector«"
-+
-+#: ../../src/slave/kpropd.c:1402
-+#, c-format
-+msgid "Full propagation transfer started.\n"
-+msgstr "vollständige Verbreitungsübertragung gestartet\n"
-+
-+#: ../../src/slave/kpropd.c:1455
-+#, c-format
-+msgid "Full propagation transfer finished.\n"
-+msgstr "vollständige Verbreitungsübertragung beendet\n"
-+
-+#: ../../src/slave/kpropd.c:1516
-+msgid "while decoding error packet from client"
-+msgstr "beim Dekodieren des Fehlerpakets vom Client"
-+
-+#: ../../src/slave/kpropd.c:1525
-+msgid "signaled from server"
-+msgstr "signalisiert vom Server"
-+
-+#: ../../src/slave/kpropd.c:1527
-+#, c-format
-+msgid "Error text from client: %s\n"
-+msgstr "Fehlermeldung vom Client: %s\n"
-+
-+#: ../../src/slave/kpropd.c:1576
-+#, c-format
-+msgid "while trying to fork %s"
-+msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen"
-+
-+#: ../../src/slave/kpropd.c:1580
-+#, c-format
-+msgid "while trying to exec %s"
-+msgstr "beim Versuch, %s auszuführen"
-+
-+#: ../../src/slave/kpropd.c:1587
-+#, c-format
-+msgid "while waiting for %s"
-+msgstr "beim Warten auf %s"
-+
-+#: ../../src/slave/kpropd.c:1593
-+#, c-format
-+msgid "%s load terminated"
-+msgstr "Laden von %s beendet"
-+
-+#: ../../src/slave/kpropd.c:1599
-+#, c-format
-+msgid "%s returned a bad exit status (%d)"
-+msgstr "%s gab einen falschen Exit-Status (%d) zurück"
-+
-+#: ../../src/slave/kproplog.c:27
-+#, c-format
-+msgid ""
-+"\n"
-+"Usage: %s [-h] [-v] [-v] [-e num]\n"
-+"\t%s -R\n"
-+"\n"
-+msgstr ""
-+"\n"
-+"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n"
-+"\t%s -R\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:129
-+#, c-format
-+msgid ""
-+"\n"
-+"Couldn't allocate memory"
-+msgstr ""
-+"\n"
-+"Speicher konnte nicht reserviert werden"
-+
-+#: ../../src/slave/kproplog.c:223
-+#, c-format
-+msgid "\t\tAttribute flags\n"
-+msgstr "\t\tAttributschalter\n"
-+
-+#: ../../src/slave/kproplog.c:228
-+#, c-format
-+msgid "\t\tMaximum ticket life\n"
-+msgstr "\t\tmaximale Ticketlebensdauer\n"
-+
-+#: ../../src/slave/kproplog.c:233
-+#, c-format
-+msgid "\t\tMaximum renewable life\n"
-+msgstr "\t\tmaximale verlängerbare Lebensdauer\n"
-+
-+#: ../../src/slave/kproplog.c:238
-+#, c-format
-+msgid "\t\tPrincipal expiration\n"
-+msgstr "\t\tAblauf des Principals\n"
-+
-+#: ../../src/slave/kproplog.c:243
-+#, c-format
-+msgid "\t\tPassword expiration\n"
-+msgstr "\t\tAblauf des Passworts\n"
-+
-+#: ../../src/slave/kproplog.c:248
-+#, c-format
-+msgid "\t\tLast successful auth\n"
-+msgstr "\t\tletzte erfolgreiche Authentifizierung\n"
-+
-+#: ../../src/slave/kproplog.c:253
-+#, c-format
-+msgid "\t\tLast failed auth\n"
-+msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n"
-+
-+#: ../../src/slave/kproplog.c:258
-+#, c-format
-+msgid "\t\tFailed passwd attempt\n"
-+msgstr "\t\tfehlgeschlagener Passwortversuch\n"
-+
-+#: ../../src/slave/kproplog.c:263
-+#, c-format
-+msgid "\t\tPrincipal\n"
-+msgstr "\t\tPrincipal\n"
-+
-+#: ../../src/slave/kproplog.c:268
-+#, c-format
-+msgid "\t\tKey data\n"
-+msgstr "\t\tSchlüsseldaten\n"
-+
-+#: ../../src/slave/kproplog.c:275
-+#, c-format
-+msgid "\t\tTL data\n"
-+msgstr "\t\tTL-Daten\n"
-+
-+#: ../../src/slave/kproplog.c:282
-+#, c-format
-+msgid "\t\tLength\n"
-+msgstr "\t\tLänge\n"
-+
-+#: ../../src/slave/kproplog.c:287
-+#, c-format
-+msgid "\t\tPassword last changed\n"
-+msgstr "\t\tletzte Passwortänderung\n"
-+
-+#: ../../src/slave/kproplog.c:292
-+#, c-format
-+msgid "\t\tModifying principal\n"
-+msgstr "\t\ttPrincipal wird geändert\n"
-+
-+#: ../../src/slave/kproplog.c:297
-+#, c-format
-+msgid "\t\tModification time\n"
-+msgstr "\t\tÄnderungszeit\n"
-+
-+#: ../../src/slave/kproplog.c:302
-+#, c-format
-+msgid "\t\tModified where\n"
-+msgstr "\t\tGeändert wobei\n"
-+
-+#: ../../src/slave/kproplog.c:307
-+#, c-format
-+msgid "\t\tPassword policy\n"
-+msgstr "\t\tPasswortrichtlinie\n"
-+
-+#: ../../src/slave/kproplog.c:312
-+#, c-format
-+msgid "\t\tPassword policy switch\n"
-+msgstr "\t\tPasswortrichtlinienumschalter\n"
-+
-+#: ../../src/slave/kproplog.c:317
-+#, c-format
-+msgid "\t\tPassword history KVNO\n"
-+msgstr "\t\tPasswortchronik KVNO\n"
-+
-+#: ../../src/slave/kproplog.c:322
-+#, c-format
-+msgid "\t\tPassword history\n"
-+msgstr "\t\tPasswortchronik\n"
-+
-+#: ../../src/slave/kproplog.c:356
-+#, c-format
-+msgid ""
-+"Corrupt update entry\n"
-+"\n"
-+msgstr ""
-+"beschädigter Aktualisierungseintrag\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:364
-+#, c-format
-+msgid ""
-+"Entry data decode failure\n"
-+"\n"
-+msgstr ""
-+"Dekodieren der eingetragenen Daten fehlgeschlagen\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:369
-+#, c-format
-+msgid "Update Entry\n"
-+msgstr "Aktualisierungseintrag\n"
-+
-+#: ../../src/slave/kproplog.c:371
-+#, c-format
-+msgid "\tUpdate serial # : %u\n"
-+msgstr "\tAktualisierung der Seriennummer: %u\n"
-+
-+#: ../../src/slave/kproplog.c:373
-+#, c-format
-+msgid "\tUpdate operation : "
-+msgstr "\tAktualisierungsaktion: "
-+
-+#: ../../src/slave/kproplog.c:375
-+#, c-format
-+msgid "Delete\n"
-+msgstr "Löschen\n"
-+
-+#: ../../src/slave/kproplog.c:377
-+#, c-format
-+msgid "Add\n"
-+msgstr "Hinzufügen\n"
-+
-+#: ../../src/slave/kproplog.c:381
-+#, c-format
-+msgid ""
-+"Could not allocate principal name\n"
-+"\n"
-+msgstr ""
-+"Der Principal-Name konnte nicht reserviert werden.\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:387
-+#, c-format
-+msgid "\tUpdate principal : %s\n"
-+msgstr "\tAktualisierung des Principals: %s\n"
-+
-+#: ../../src/slave/kproplog.c:389
-+#, c-format
-+msgid "\tUpdate size : %u\n"
-+msgstr "\tGröße der Aktualisierung: %u\n"
-+
-+#: ../../src/slave/kproplog.c:390
-+#, c-format
-+msgid "\tUpdate committed : %s\n"
-+msgstr "\tAktualisierung übergeben: %s\n"
-+
-+#: ../../src/slave/kproplog.c:394
-+#, c-format
-+msgid "\tUpdate time stamp : None\n"
-+msgstr "\tZeitstempel der Aktualisierung: keiner\n"
-+
-+#: ../../src/slave/kproplog.c:396
-+#, c-format
-+msgid "\tUpdate time stamp : %s"
-+msgstr "\tZeitstempel der Aktualisierung: %s"
-+
-+#: ../../src/slave/kproplog.c:400
-+#, c-format
-+msgid "\tAttributes changed : %d\n"
-+msgstr "\tgeänderte Attribute: %d\n"
-+
-+#: ../../src/slave/kproplog.c:465
-+#, c-format
-+msgid ""
-+"Unable to initialize Kerberos\n"
-+"\n"
-+msgstr ""
-+"Kerberos kann nicht initialisiert werden\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:472
-+#, c-format
-+msgid ""
-+"Couldn't read database_name\n"
-+"\n"
-+msgstr ""
-+"»database_name« kann nicht gelesen werden\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:476
-+#, c-format
-+msgid ""
-+"\n"
-+"Kerberos update log (%s)\n"
-+msgstr ""
-+"\n"
-+"Kerberos-Aktualisierungsprotokoll (%s)\n"
-+
-+#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495
-+#, c-format
-+msgid ""
-+"Unable to map log file %s\n"
-+"\n"
-+msgstr ""
-+"Protokolldatei %s kann nicht abgebildet werden\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:485
-+#, c-format
-+msgid ""
-+"Couldn't reinitialize ulog file %s\n"
-+"\n"
-+msgstr ""
-+"Ulog-Datei %s konnte nicht neu initialisiert werden\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:489
-+#, c-format
-+msgid "Reinitialized the ulog.\n"
-+msgstr "Das Ulog wurde neu initialisiert.\n"
-+
-+#: ../../src/slave/kproplog.c:501
-+#, c-format
-+msgid ""
-+"Corrupt header log, exiting\n"
-+"\n"
-+msgstr ""
-+"beschädigtes Kopfzeilenprotokoll, wird beendet\n"
-+"\n"
-+
-+#: ../../src/slave/kproplog.c:505
-+#, c-format
-+msgid "Update log dump :\n"
-+msgstr "Aktualisierungsprotokollauszug :\n"
-+
-+#: ../../src/slave/kproplog.c:506
-+#, c-format
-+msgid "\tLog version # : %u\n"
-+msgstr "\tProtokollversion #: %u\n"
-+
-+#: ../../src/slave/kproplog.c:507
-+#, c-format
-+msgid "\tLog state : "
-+msgstr "\tProtokollstatus: "
-+
-+#: ../../src/slave/kproplog.c:510
-+#, c-format
-+msgid "Stable\n"
-+msgstr "stabil\n"
-+
-+#: ../../src/slave/kproplog.c:513
-+#, c-format
-+msgid "Unstable\n"
-+msgstr "instabil\n"
-+
-+#: ../../src/slave/kproplog.c:516
-+#, c-format
-+msgid "Corrupt\n"
-+msgstr "beschädigt\n"
-+
-+#: ../../src/slave/kproplog.c:519
-+#, c-format
-+msgid "Unknown state: %d\n"
-+msgstr "unbekannter Status: %d\n"
-+
-+#: ../../src/slave/kproplog.c:522
-+#, c-format
-+msgid "\tEntry block size : %u\n"
-+msgstr "\tBlockgrößeneintrag: %u\n"
-+
-+#: ../../src/slave/kproplog.c:523
-+#, c-format
-+msgid "\tNumber of entries : %u\n"
-+msgstr "\tAnzahl der Einträge: %u\n"
-+
-+#: ../../src/slave/kproplog.c:526
-+#, c-format
-+msgid "\tLast serial # : None\n"
-+msgstr "\tletzte Seriennummer: keine\n"
-+
-+#: ../../src/slave/kproplog.c:529
-+#, c-format
-+msgid "\tFirst serial # : None\n"
-+msgstr "\terste Seriennummer: keine\n"
-+
-+#: ../../src/slave/kproplog.c:531
-+#, c-format
-+msgid "\tFirst serial # : "
-+msgstr "\terste Seriennummer: "
-+
-+#: ../../src/slave/kproplog.c:535
-+#, c-format
-+msgid "\tLast serial # : "
-+msgstr "\tletzte Seriennummer: "
-+
-+#: ../../src/slave/kproplog.c:540
-+#, c-format
-+msgid "\tLast time stamp : None\n"
-+msgstr "\tletzter Zeitstempel: keiner\n"
-+
-+#: ../../src/slave/kproplog.c:543
-+#, c-format
-+msgid "\tFirst time stamp : None\n"
-+msgstr "\terster Zeitstempel: keiner\n"
-+
-+#: ../../src/slave/kproplog.c:545
-+#, c-format
-+msgid "\tFirst time stamp : %s"
-+msgstr "\terster Zeitstempel: %s"
-+
-+#: ../../src/slave/kproplog.c:549
-+#, c-format
-+msgid "\tLast time stamp : %s\n"
-+msgstr "\tletzter Zeitstempel: %s\n"
-+
-+#: ../../src/util/support/errors.c:77
-+msgid "Kerberos library initialization failure"
-+msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen"
-+
-+#: ../../src/util/support/errors.c:93
-+#, c-format
-+msgid "error %ld"
-+msgstr "Fehler %ld"
-+
-+#: ../../src/util/support/plugins.c:186
-+#, c-format
-+msgid "unable to find plugin [%s]: %s"
-+msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s"
-+
-+#: ../../src/util/support/plugins.c:274
-+msgid "unknown failure"
-+msgstr "unbekannter Fehlschlag"
-+
-+#: ../../src/util/support/plugins.c:277
-+#, c-format
-+msgid "unable to load plugin [%s]: %s"
-+msgstr "Erweiterung [%s] konnte nicht geladen werden: %s"
-+
-+#: ../../src/util/support/plugins.c:300
-+#, c-format
-+msgid "unable to load DLL [%s]"
-+msgstr "DLL [%s] konnte nicht geladen werden"
-+
-+#: ../../src/util/support/plugins.c:316
-+#, c-format
-+msgid "plugin unavailable: %s"
-+msgstr "Erweiterung nicht verfügbar: %s"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:23
-+msgid "No @ in SERVICE-NAME name string"
-+msgstr "keine @ in der Namenszeichenkette SERVICE-NAME"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:24
-+msgid "STRING-UID-NAME contains nondigits"
-+msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:25
-+msgid "UID does not resolve to username"
-+msgstr "UID lässt sich nicht zu Benutzernamen ermitteln"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:26
-+msgid "Validation error"
-+msgstr "Überprüfungsfehler"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:27
-+msgid "Couldn't allocate gss_buffer_t data"
-+msgstr "»gss_buffer_t«-Daten konnten reserviert werden"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:28
-+msgid "Message context invalid"
-+msgstr "Nachrichtenkontext ungültig"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:29
-+msgid "Buffer is the wrong size"
-+msgstr "Puffer hat die falsche Größe"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:30
-+msgid "Credential usage type is unknown"
-+msgstr "Typ des Anmeldedatenaufrufs ist unbekannt"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:31
-+msgid "Unknown quality of protection specified"
-+msgstr "unbekannte Schutzqualität angegeben"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:32
-+msgid "Local host name could not be determined"
-+msgstr "lokaler Rechnername konnte nicht bestimmt werden"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:33
-+msgid "Hostname in SERVICE-NAME string could not be canonicalized"
-+msgstr ""
-+"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform "
-+"gebracht werden"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:34
-+msgid "Mechanism is incorrect"
-+msgstr "Mechanismus ist nicht korrekt"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:35
-+msgid "Token header is malformed or corrupt"
-+msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:36
-+msgid "Packet was replayed in wrong direction"
-+msgstr "Paket wurde in falscher Richtung erneut abgespielt"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:37
-+msgid "Token is missing data"
-+msgstr "dem Token fehlen Daten"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:38
-+msgid "Token was reflected"
-+msgstr "Token wurde zurückgeworfen"
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:39
-+msgid "Received token ID does not match expected token ID"
-+msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung."
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:40
-+msgid "The given credential's usage does not match the requested usage"
-+msgstr ""
-+"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten "
-+"Verwendung."
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:41
-+msgid "Storing of acceptor credentials is not supported by the mechanism"
-+msgstr ""
-+"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus "
-+"unterstützt."
-+
-+#: ../lib/gssapi/generic/gssapi_err_generic.c:42
-+msgid "Storing of non-default credentials is not supported by the mechanism"
-+msgstr ""
-+"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus "
-+"unterstützt."
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23
-+msgid "Principal in credential cache does not match desired name"
-+msgstr ""
-+"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten "
-+"Namen"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24
-+msgid "No principal in keytab matches desired name"
-+msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen."
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25
-+msgid "Credential cache has no TGT"
-+msgstr "Anmeldedatenzwischenspeicher hat kein TGT"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26
-+msgid "Authenticator has no subkey"
-+msgstr "Schlüsselziffer hat keinen Unterschlüssel"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27
-+msgid "Context is already fully established"
-+msgstr "Kontext wurde bereits vollständig eingerichtet"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28
-+msgid "Unknown signature type in token"
-+msgstr "unbekannter Signaturtyp im Token"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29
-+msgid "Invalid field length in token"
-+msgstr "falsche Feldlänge im Token"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30
-+msgid "Attempt to use incomplete security context"
-+msgstr ""
-+"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden."
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31
-+msgid "Bad magic number for krb5_gss_ctx_id_t"
-+msgstr "falsche magische Zahl für »krb5_gss_ctx_id_t«"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32
-+msgid "Bad magic number for krb5_gss_cred_id_t"
-+msgstr "falsche magische Zahl für »krb5_gss_cred_id_t«"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33
-+msgid "Bad magic number for krb5_gss_enc_desc"
-+msgstr "falsche magische Zahl für »krb5_gss_enc_desc«"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34
-+msgid "Sequence number in token is corrupt"
-+msgstr "Sequnznummer im Token ist beschädigt"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35
-+msgid "Credential cache is empty"
-+msgstr "Anmeldedatenzwischenspeicher ist leer"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36
-+msgid "Acceptor and Initiator share no checksum types"
-+msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37
-+msgid "Requested lucid context version not supported"
-+msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt"
-+
-+# PRF = Pseudo Random Function
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38
-+msgid "PRF input too long"
-+msgstr "PRF-Eingabe zu lang"
-+
-+#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39
-+msgid "Bad magic number for iakerb_ctx_id_t"
-+msgstr "falsche magische Zahl für »iakerb_ctx_id_t«"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:23
-+msgid "while getting policy info."
-+msgstr "beim Holen der Richtlinieninformation."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:24
-+msgid "while getting principal info."
-+msgstr "beim Holen der Principal-Information."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:25
-+msgid "New passwords do not match - password not changed.\n"
-+msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:26
-+msgid "New password"
-+msgstr "neues Passwort"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:27
-+msgid "New password (again)"
-+msgstr "neues Passwort (erneut)"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:28
-+msgid ""
-+"You must type a password. Passwords must be at least one character long.\n"
-+msgstr ""
-+"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen "
-+"lang sein.\n"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:29
-+msgid "yet no policy set! Contact your system security administrator."
-+msgstr ""
-+"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren "
-+"Systemsicherheitsadministrator"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:31
-+msgid ""
-+"New password was found in a dictionary of possible passwords and\n"
-+"therefore may be easily guessed. Please choose another password.\n"
-+"See the kpasswd man page for help in choosing a good password."
-+msgstr ""
-+"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern "
-+"gefunden\n"
-+"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes "
-+"Passwort.\n"
-+"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n"
-+"»kpasswd«."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:32
-+msgid "Password not changed."
-+msgstr "Passwort nicht geändert"
-+
-+#: ../lib/kadm5/chpass_util_strings.c:33
-+#, c-format
-+msgid ""
-+"New password is too short.\n"
-+"Please choose a password which is at least %d characters long."
-+msgstr ""
-+"Das neue Passwort ist zu kurz.\n"
-+"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:34
-+#, c-format
-+msgid ""
-+"New password does not have enough character classes.\n"
-+"The character classes are:\n"
-+"\t- lower-case letters,\n"
-+"\t- upper-case letters,\n"
-+"\t- digits,\n"
-+"\t- punctuation, and\n"
-+"\t- all other characters (e.g., control characters).\n"
-+"Please choose a password with at least %d character classes."
-+msgstr ""
-+"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n"
-+"Die Zeichenklassen sind:\n"
-+"\t- Kleinbuchstaben,\n"
-+"\t- Großbuchstaben,\n"
-+"\t- Ziffern,\n"
-+"\t- Satzzeichen und\n"
-+"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n"
-+"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:35
-+#, c-format
-+msgid ""
-+"Password cannot be changed because it was changed too recently.\n"
-+"Please wait until %s before you change it.\n"
-+"If you need to change your password before then, contact your system\n"
-+"security administrator."
-+msgstr ""
-+"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert "
-+"wurde.\n"
-+"Bitte warten Sie bis %s, ehe Sie es ändern.\n"
-+"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n"
-+"Systemsicherheitsadministrator."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:36
-+msgid "New password was used previously. Please choose a different password."
-+msgstr ""
-+"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes "
-+"Passwort."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:37
-+msgid "while trying to change password."
-+msgstr "beim Versuch, das Passwort zu ändern."
-+
-+#: ../lib/kadm5/chpass_util_strings.c:38
-+msgid "while reading new password."
-+msgstr "beim Lesen des neuen Passworts."
-+
-+#: ../lib/kadm5/kadm_err.c:23
-+msgid "Operation failed for unspecified reason"
-+msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen"
-+
-+#: ../lib/kadm5/kadm_err.c:24
-+msgid "Operation requires ``get'' privilege"
-+msgstr "Aktion erfordert »get«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:25
-+msgid "Operation requires ``add'' privilege"
-+msgstr "Aktion erfordert »add«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:26
-+msgid "Operation requires ``modify'' privilege"
-+msgstr "Aktion erfordert »modify«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:27
-+msgid "Operation requires ``delete'' privilege"
-+msgstr "Aktion erfordert »delete«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:28
-+msgid "Insufficient authorization for operation"
-+msgstr "unzureichende Berechtigung für diese Aktion"
-+
-+#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29
-+msgid "Database inconsistency detected"
-+msgstr "Datenbankinkonsistenz entdeckt"
-+
-+#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24
-+msgid "Principal or policy already exists"
-+msgstr "Principal oder Richtlinie existiert bereits"
-+
-+#: ../lib/kadm5/kadm_err.c:31
-+msgid "Communication failure with server"
-+msgstr "Kommunikation mit dem Server fehlgeschlagen"
-+
-+#: ../lib/kadm5/kadm_err.c:32
-+msgid "No administration server found for realm"
-+msgstr "kein Administrationsserver für den Realm gefunden"
-+
-+#: ../lib/kadm5/kadm_err.c:33
-+msgid "Password history principal key version mismatch"
-+msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen."
-+
-+#: ../lib/kadm5/kadm_err.c:34
-+msgid "Connection to server not initialized"
-+msgstr "Verbindung zum Server nicht initialisiert"
-+
-+#: ../lib/kadm5/kadm_err.c:35
-+msgid "Principal does not exist"
-+msgstr "Principal existiert nicht"
-+
-+#: ../lib/kadm5/kadm_err.c:36
-+msgid "Policy does not exist"
-+msgstr "Richtlinie existiert nicht"
-+
-+#: ../lib/kadm5/kadm_err.c:37
-+msgid "Invalid field mask for operation"
-+msgstr "ungültige Feldmaske für Aktion"
-+
-+#: ../lib/kadm5/kadm_err.c:38
-+msgid "Invalid number of character classes"
-+msgstr "ungültige Anzahl von Zeichenklassen"
-+
-+#: ../lib/kadm5/kadm_err.c:39
-+msgid "Invalid password length"
-+msgstr "ungültige Passwortlänge"
-+
-+#: ../lib/kadm5/kadm_err.c:40
-+msgid "Illegal policy name"
-+msgstr "unzulässiger Richtlinienname"
-+
-+#: ../lib/kadm5/kadm_err.c:41
-+msgid "Illegal principal name"
-+msgstr "unzulässiger Principal-Name"
-+
-+# FIXME s/auxillary/auxilary/
-+#: ../lib/kadm5/kadm_err.c:42
-+msgid "Invalid auxillary attributes"
-+msgstr "ungültige Zusatzattribute"
-+
-+#: ../lib/kadm5/kadm_err.c:43
-+msgid "Invalid password history count"
-+msgstr "ungültige Passwortchronikanzahl"
-+
-+#: ../lib/kadm5/kadm_err.c:44
-+msgid "Password minimum life is greater than password maximum life"
-+msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale."
-+
-+#: ../lib/kadm5/kadm_err.c:45
-+msgid "Password is too short"
-+msgstr "Das Passwort ist zu kurz."
-+
-+#: ../lib/kadm5/kadm_err.c:46
-+msgid "Password does not contain enough character classes"
-+msgstr "Das Passwort enthält nicht genug Zeichenklassen."
-+
-+#: ../lib/kadm5/kadm_err.c:47
-+msgid "Password is in the password dictionary"
-+msgstr "Das Passwort steht im Passwortwörterbuch."
-+
-+#: ../lib/kadm5/kadm_err.c:48
-+msgid "Cannot reuse password"
-+msgstr "Das Passwort kann nicht erneut verwendet werden."
-+
-+#: ../lib/kadm5/kadm_err.c:49
-+msgid "Current password's minimum life has not expired"
-+msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen."
-+
-+#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67
-+msgid "Policy is in use"
-+msgstr "Richtlinie ist in Benutzung"
-+
-+#: ../lib/kadm5/kadm_err.c:51
-+msgid "Connection to server already initialized"
-+msgstr "Verbindung zum Server ist bereits initialisiert"
-+
-+#: ../lib/kadm5/kadm_err.c:52
-+msgid "Incorrect password"
-+msgstr "falsches Passwort"
-+
-+#: ../lib/kadm5/kadm_err.c:53
-+msgid "Cannot change protected principal"
-+msgstr "geschützter Principal kann nicht geändert werden"
-+
-+#: ../lib/kadm5/kadm_err.c:54
-+msgid "Programmer error! Bad Admin server handle"
-+msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator"
-+
-+#: ../lib/kadm5/kadm_err.c:55
-+msgid "Programmer error! Bad API structure version"
-+msgstr "Fehler des Programmierers! Falsche API-Strukturversion"
-+
-+#: ../lib/kadm5/kadm_err.c:56
-+msgid ""
-+"API structure version specified by application is no longer supported (to "
-+"fix, recompile application against current KADM5 API header files and "
-+"libraries)"
-+msgstr ""
-+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
-+"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-"
-+"Header-Dateien und -Bibliotheken, um dies zu beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:57
-+msgid ""
-+"API structure version specified by application is unknown to libraries (to "
-+"fix, obtain current KADM5 API header files and libraries and recompile "
-+"application)"
-+msgstr ""
-+"Die von der Anwendung angegebene Version der API-Struktur ist den "
-+"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-"
-+"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu "
-+"beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:58
-+msgid "Programmer error! Bad API version"
-+msgstr "Fehler des Programmierers! Falsche API-Version"
-+
-+#: ../lib/kadm5/kadm_err.c:59
-+msgid ""
-+"API version specified by application is no longer supported by libraries (to "
-+"fix, update application to adhere to current API version and recompile)"
-+msgstr ""
-+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
-+"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie "
-+"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu "
-+"beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:60
-+msgid ""
-+"API version specified by application is no longer supported by server (to "
-+"fix, update application to adhere to current API version and recompile)"
-+msgstr ""
-+"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger "
-+"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der "
-+"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:61
-+msgid ""
-+"API version specified by application is unknown to libraries (to fix, obtain "
-+"current KADM5 API header files and libraries and recompile application)"
-+msgstr ""
-+"Die von der Anwendung angegebenene API-Version ist den Bibliotheken "
-+"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -"
-+"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:62
-+msgid ""
-+"API version specified by application is unknown to server (to fix, obtain "
-+"and install newest KADM5 Admin Server)"
-+msgstr ""
-+"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. "
-+"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies "
-+"zu beheben.)"
-+
-+#: ../lib/kadm5/kadm_err.c:63
-+msgid "Database error! Required KADM5 principal missing"
-+msgstr "Datenbankfehler! Erforderlicher KADM5-Principal fehlt"
-+
-+#: ../lib/kadm5/kadm_err.c:64
-+msgid "The salt type of the specified principal does not support renaming"
-+msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen."
-+
-+#: ../lib/kadm5/kadm_err.c:65
-+msgid "Illegal configuration parameter for remote KADM5 client"
-+msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client"
-+
-+#: ../lib/kadm5/kadm_err.c:66
-+msgid "Illegal configuration parameter for local KADM5 client"
-+msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client"
-+
-+#: ../lib/kadm5/kadm_err.c:67
-+msgid "Operation requires ``list'' privilege"
-+msgstr "Aktion erfordert das »list«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:68
-+msgid "Operation requires ``change-password'' privilege"
-+msgstr "Aktion erfordert das »change-password«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:69
-+msgid "GSS-API (or Kerberos) error"
-+msgstr "GSS-API- (oder Kerberos-) Fehler"
-+
-+#: ../lib/kadm5/kadm_err.c:70
-+msgid "Programmer error! Illegal tagged data list type"
-+msgstr ""
-+"Fehler des Programmierers! Widerrechlicher Listentyp für gekennzeichnete "
-+"Daten"
-+
-+#: ../lib/kadm5/kadm_err.c:71
-+msgid "Required parameters in kdc.conf missing"
-+msgstr "erforderliche Parameter in »kdc.conf« fehlen"
-+
-+#: ../lib/kadm5/kadm_err.c:72
-+msgid "Bad krb5 admin server hostname"
-+msgstr "falscher Rechnername des KRB5-Admin-Servers"
-+
-+#: ../lib/kadm5/kadm_err.c:73
-+msgid "Operation requires ``set-key'' privilege"
-+msgstr "Aktion erfordert das »set-key«-Recht"
-+
-+#: ../lib/kadm5/kadm_err.c:74
-+msgid "Multiple values for single or folded enctype"
-+msgstr ""
-+"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit "
-+"Salt"
-+
-+#: ../lib/kadm5/kadm_err.c:75
-+msgid "Invalid enctype for setv4key"
-+msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key"
-+
-+#: ../lib/kadm5/kadm_err.c:76
-+msgid "Mismatched enctypes for setkey3"
-+msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3"
-+
-+#: ../lib/kadm5/kadm_err.c:77
-+msgid "Missing parameters in krb5.conf required for kadmin client"
-+msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«"
-+
-+#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30
-+msgid "XDR encoding error"
-+msgstr "XDR-Verschlüsselungsfehler"
-+
-+#: ../lib/kadm5/kadm_err.c:79
-+msgid "Cannot resolve network address for admin server in requested realm"
-+msgstr ""
-+"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht "
-+"aufgelöst werden."
-+
-+#: ../lib/kadm5/kadm_err.c:80
-+msgid "Unspecified password quality failure"
-+msgstr "nicht näher angegebener Passwortqualitätsfehlschlag"
-+
-+#: ../lib/kadm5/kadm_err.c:81
-+msgid "Invalid key/salt tuples"
-+msgstr "ungültige Schlüssel-/Salt-Tupel"
-+
-+#: ../lib/kdb/adb_err.c:23
-+msgid "No Error"
-+msgstr "kein Fehler"
-+
-+#: ../lib/kdb/adb_err.c:25
-+msgid "Principal or policy does not exist"
-+msgstr "Principal oder Richtlinie existiert nicht"
-+
-+#: ../lib/kdb/adb_err.c:26
-+msgid "Database not initialized"
-+msgstr "Datenbank nicht initialisiert"
-+
-+#: ../lib/kdb/adb_err.c:27
-+msgid "Invalid policy name"
-+msgstr "ungültiger Richtlinienname"
-+
-+#: ../lib/kdb/adb_err.c:28
-+msgid "Invalid principal name"
-+msgstr "ungültiger Principal-Name"
-+
-+#: ../lib/kdb/adb_err.c:31
-+msgid "Failure!"
-+msgstr "Fehlschlag!"
-+
-+#: ../lib/kdb/adb_err.c:32
-+msgid "Bad lock mode"
-+msgstr "falscher Sperrmodus"
-+
-+#: ../lib/kdb/adb_err.c:33
-+msgid "Cannot lock database"
-+msgstr "Datenbank kann nicht gesperrt werden"
-+
-+#: ../lib/kdb/adb_err.c:34
-+msgid "Database not locked"
-+msgstr "Datenbank nicht gesperrt"
-+
-+#: ../lib/kdb/adb_err.c:35
-+msgid "KADM5 administration database lock file missing"
-+msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt"
-+
-+#: ../lib/kdb/adb_err.c:36
-+msgid "Insufficient permission to lock file"
-+msgstr "keine ausreichenden Rechte zum Sperren der Datei"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:23
-+msgid "Plugin does not support interface version"
-+msgstr "Erweiterung unterstützt nicht die Schnittstellenversion"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:24
-+msgid "Invalid module specifier"
-+msgstr "ungültige Modulangabe"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:25
-+msgid "Plugin module name not found"
-+msgstr "Erweiterungsmodulname nicht gefunden"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:26
-+msgid "The KDC should discard this request"
-+msgstr "Das KDC sollte diese Anfrage verwerfen"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:27
-+msgid "Can't create new subsidiary cache"
-+msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:28
-+msgid "Invalid keyring anchor name"
-+msgstr "ungültiger Schlüsselbundverankerungsname"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:29
-+msgid "Unknown keyring collection version"
-+msgstr "unbekannte Schlüsselbundsammlungsversion"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:30
-+msgid "Invalid UID in persistent keyring name"
-+msgstr "ungültige UID im beständigen Schlüsselbundnamen"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:31
-+msgid "Malformed reply from KCM daemon"
-+msgstr "Antwort des KCM-Daemons hat die falsche Form"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:32
-+msgid "Mach RPC error communicating with KCM daemon"
-+msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:33
-+msgid "KCM daemon reply too big"
-+msgstr "Antwort des KCM-Daemons zu groß"
-+
-+#: ../lib/krb5/error_tables/k5e1_err.c:34
-+msgid "No KCM server found"
-+msgstr "Kein KCM-Server gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:24
-+msgid "Client's entry in database has expired"
-+msgstr "Eintrag des Clients in der Datenbank ist abgelaufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:25
-+msgid "Server's entry in database has expired"
-+msgstr "Eintrag des Servers in der Datenbank ist abgelaufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:26
-+msgid "Requested protocol version not supported"
-+msgstr "angeforderte Protokollversion nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:27
-+msgid "Client's key is encrypted in an old master key"
-+msgstr ""
-+"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:28
-+msgid "Server's key is encrypted in an old master key"
-+msgstr ""
-+"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:29
-+msgid "Client not found in Kerberos database"
-+msgstr "Client nicht in der Kerberos-Datenbank gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:30
-+msgid "Server not found in Kerberos database"
-+msgstr "Server nicht in der Kerberos-Datenbank gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:31
-+msgid "Principal has multiple entries in Kerberos database"
-+msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:32
-+msgid "Client or server has a null key"
-+msgstr "Client oder Server hat einen Nullschlüssel"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:33
-+msgid "Ticket is ineligible for postdating"
-+msgstr "Ticket ist zum Vordatieren ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:34
-+msgid "Requested effective lifetime is negative or too short"
-+msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:35
-+msgid "KDC policy rejects request"
-+msgstr "KDC-Richtlinie weist die Anfrage zurück"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:36
-+msgid "KDC can't fulfill requested option"
-+msgstr "KDC kann erforderliche Option nicht erfüllen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:37
-+msgid "KDC has no support for encryption type"
-+msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:38
-+msgid "KDC has no support for checksum type"
-+msgstr "KDC unterstützt diesen Prüfsummentyp nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:39
-+msgid "KDC has no support for padata type"
-+msgstr "KDC unterstützt diesen Padata-Typ nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:40
-+msgid "KDC has no support for transited type"
-+msgstr "KDC unterstützt diesen Übergangstyp nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:41
-+msgid "Clients credentials have been revoked"
-+msgstr "Anmeldedaten des Clients wurden widerrufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:42
-+msgid "Credentials for server have been revoked"
-+msgstr "Anmeldedaten für den Server wurden widerrufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:43
-+msgid "TGT has been revoked"
-+msgstr "TGT wurde widerrufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:44
-+msgid "Client not yet valid - try again later"
-+msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:45
-+msgid "Server not yet valid - try again later"
-+msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:46
-+msgid "Password has expired"
-+msgstr "Passwort ist abgelaufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:47
-+msgid "Preauthentication failed"
-+msgstr "Vorauthentifizierung fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:48
-+msgid "Additional pre-authentication required"
-+msgstr "zusätzlich Vorauthentifizierung erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:49
-+msgid "Requested server and ticket don't match"
-+msgstr "abgefragter Server und Ticket passen nicht zusammen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:50
-+msgid "Server principal valid for user2user only"
-+msgstr "Der Server-Principal ist nur für »user2user« gültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:51
-+msgid "KDC policy rejects transited path"
-+msgstr "KDC-Richtlinie verwirft durchgereichten Pfad"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:52
-+msgid "A service is not available that is required to process the request"
-+msgstr ""
-+"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht "
-+"verfügbar."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:53
-+msgid "KRB5 error code 30"
-+msgstr "KRB5-Fehlercode 30"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:54
-+msgid "Decrypt integrity check failed"
-+msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:55
-+msgid "Ticket expired"
-+msgstr "Ticket abgelaufen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:56
-+msgid "Ticket not yet valid"
-+msgstr "Ticket noch nicht gültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:57
-+msgid "Request is a replay"
-+msgstr "Anfrage ist eine Wiederholung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:58
-+msgid "The ticket isn't for us"
-+msgstr "Das Ticket ist nicht für uns."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:59
-+msgid "Ticket/authenticator don't match"
-+msgstr "Ticket/Schlüsselziffer passen nicht zueinander"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:60
-+msgid "Clock skew too great"
-+msgstr "Uhrzeitabweichung zu groß"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:61
-+msgid "Incorrect net address"
-+msgstr "falsche Netzwerkadresse"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:62
-+msgid "Protocol version mismatch"
-+msgstr "Protokollversion passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:63
-+msgid "Invalid message type"
-+msgstr "ungültiger Nachrichtentyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:64
-+msgid "Message stream modified"
-+msgstr "Nachrichtendatenstrom geändert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:65
-+msgid "Message out of order"
-+msgstr "Nachricht nicht in Ordnung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:66
-+msgid "Illegal cross-realm ticket"
-+msgstr "Widerrechliches Realm-übergreifendes Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:67
-+msgid "Key version is not available"
-+msgstr "Schlüsselversion ist nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:68
-+msgid "Service key not available"
-+msgstr "Dienstschlüssel nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:69
-+#: ../lib/krb5/error_tables/krb5_err.c:181
-+msgid "Mutual authentication failed"
-+msgstr "gegenseitige Authentifizierung fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:70
-+msgid "Incorrect message direction"
-+msgstr "falsche Nachrichtenrichtung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:71
-+msgid "Alternative authentication method required"
-+msgstr "alternative Authentifizierungsmethode erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:72
-+msgid "Incorrect sequence number in message"
-+msgstr "falsche Sequenznummer in der Nachricht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:73
-+msgid "Inappropriate type of checksum in message"
-+msgstr "ungeeigneter Prüfsummentyp in der Nachricht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:74
-+msgid "Policy rejects transited path"
-+msgstr "Richtlinie verwirft durchgereichten Pfad"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:75
-+msgid "Response too big for UDP, retry with TCP"
-+msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:76
-+msgid "KRB5 error code 53"
-+msgstr "KRB5-Fehlercode 53"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:77
-+msgid "KRB5 error code 54"
-+msgstr "KRB5-Fehlercode 54"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:78
-+msgid "KRB5 error code 55"
-+msgstr "KRB5-Fehlercode 55"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:79
-+msgid "KRB5 error code 56"
-+msgstr "KRB5-Fehlercode 56"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:80
-+msgid "KRB5 error code 57"
-+msgstr "KRB5-Fehlercode 57"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:81
-+msgid "KRB5 error code 58"
-+msgstr "KRB5-Fehlercode 58"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:82
-+msgid "KRB5 error code 59"
-+msgstr "KRB5-Fehlercode 59"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:83
-+msgid "Generic error (see e-text)"
-+msgstr "allgemeiner Fehler (siehe E-Text)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:84
-+msgid "Field is too long for this implementation"
-+msgstr "Feld ist für diese Implementierung zu lang"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:85
-+msgid "Client not trusted"
-+msgstr "Client nicht vertrauenswürdig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:86
-+msgid "KDC not trusted"
-+msgstr "KDC nicht vertrauenswürdig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:87
-+msgid "Invalid signature"
-+msgstr "ungültige Signatur"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:88
-+msgid "Key parameters not accepted"
-+msgstr "Schlüsselparameter nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:89
-+msgid "Certificate mismatch"
-+msgstr "Zertifikat passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:90
-+msgid "No ticket granting ticket"
-+msgstr "kein ticketgewährendes Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:91
-+msgid "Realm not local to KDC"
-+msgstr "Realm für KDC nicht lokal"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:92
-+msgid "User to user required"
-+msgstr "Benutzer-zu-Benutzer erforderlich"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:93
-+msgid "Can't verify certificate"
-+msgstr "Zertifikat kann nicht überprüft werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:94
-+msgid "Invalid certificate"
-+msgstr "ungültiges Zertifikat"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:95
-+msgid "Revoked certificate"
-+msgstr "widerrufenes Zertifikat"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:96
-+msgid "Revocation status unknown"
-+msgstr "Widerrufsstatus unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:97
-+msgid "Revocation status unavailable"
-+msgstr "Widerrufsstatus nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:98
-+msgid "Client name mismatch"
-+msgstr "Client-Name passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:99
-+msgid "KDC name mismatch"
-+msgstr "KDC-Name passt nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:100
-+msgid "Inconsistent key purpose"
-+msgstr "inkonstistenter Schlüsselzweck"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:101
-+msgid "Digest in certificate not accepted"
-+msgstr "Kurzfassung im Zertifikat nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:102
-+msgid "Checksum must be included"
-+msgstr "Prüfsumme muss enthalten sein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:103
-+msgid "Digest in signed-data not accepted"
-+msgstr "Kurzfassung in signierten Daten nicht akzeptiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:104
-+msgid "Public key encryption not supported"
-+msgstr "Asymetrische Verschlüsselung nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:105
-+msgid "KRB5 error code 82"
-+msgstr "KRB5-Fehlercode 82"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:106
-+msgid "KRB5 error code 83"
-+msgstr "KRB5-Fehlercode 83"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:107
-+msgid "KRB5 error code 84"
-+msgstr "KRB5-Fehlercode 84"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:108
-+msgid "The IAKERB proxy could not find a KDC"
-+msgstr "Der IAKERB-Proxy konnte kein KDC finden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:109
-+msgid "The KDC did not respond to the IAKERB proxy"
-+msgstr "Das KDC anwortete dem IAKERB-Proxy nicht."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:110
-+msgid "KRB5 error code 87"
-+msgstr "KRB5-Fehlercode 87"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:111
-+msgid "KRB5 error code 88"
-+msgstr "KRB5-Fehlercode 88"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:112
-+msgid "KRB5 error code 89"
-+msgstr "KRB5-Fehlercode 89"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:113
-+msgid "KRB5 error code 90"
-+msgstr "KRB5-Fehlercode 90"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:114
-+msgid "KRB5 error code 91"
-+msgstr "KRB5-Fehlercode 91"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:115
-+msgid "KRB5 error code 92"
-+msgstr "KRB5-Fehlercode 92"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:116
-+msgid "An unsupported critical FAST option was requested"
-+msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:117
-+msgid "KRB5 error code 94"
-+msgstr "KRB5-Fehlercode 94"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:118
-+msgid "KRB5 error code 95"
-+msgstr "KRB5-Fehlercode 95"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:119
-+msgid "KRB5 error code 96"
-+msgstr "KRB5-Fehlercode 96"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:120
-+msgid "KRB5 error code 97"
-+msgstr "KRB5-Fehlercode 97"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:121
-+msgid "KRB5 error code 98"
-+msgstr "KRB5-Fehlercode 98"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:122
-+msgid "KRB5 error code 99"
-+msgstr "KRB5-Fehlercode 99"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:123
-+msgid "No acceptable KDF offered"
-+msgstr "kein akzeptables KDF angeboten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:124
-+msgid "KRB5 error code 101"
-+msgstr "KRB5-Fehlercode 101"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:125
-+msgid "KRB5 error code 102"
-+msgstr "KRB5-Fehlercode 102"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:126
-+msgid "KRB5 error code 103"
-+msgstr "KRB5-Fehlercode 103"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:127
-+msgid "KRB5 error code 104"
-+msgstr "KRB5-Fehlercode 104"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:128
-+msgid "KRB5 error code 105"
-+msgstr "KRB5-Fehlercode 105"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:129
-+msgid "KRB5 error code 106"
-+msgstr "KRB5-Fehlercode 106"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:130
-+msgid "KRB5 error code 107"
-+msgstr "KRB5-Fehlercode 107"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:131
-+msgid "KRB5 error code 108"
-+msgstr "KRB5-Fehlercode 108"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:132
-+msgid "KRB5 error code 109"
-+msgstr "KRB5-Fehlercode 109"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:133
-+msgid "KRB5 error code 110"
-+msgstr "KRB5-Fehlercode 110"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:134
-+msgid "KRB5 error code 111"
-+msgstr "KRB5-Fehlercode 111"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:135
-+msgid "KRB5 error code 112"
-+msgstr "KRB5-Fehlercode 112"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:136
-+msgid "KRB5 error code 113"
-+msgstr "KRB5-Fehlercode 113"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:137
-+msgid "KRB5 error code 114"
-+msgstr "KRB5-Fehlercode 114"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:138
-+msgid "KRB5 error code 115"
-+msgstr "KRB5-Fehlercode 115"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:139
-+msgid "KRB5 error code 116"
-+msgstr "KRB5-Fehlercode 116"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:140
-+msgid "KRB5 error code 117"
-+msgstr "KRB5-Fehlercode 117"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:141
-+msgid "KRB5 error code 118"
-+msgstr "KRB5-Fehlercode 118"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:142
-+msgid "KRB5 error code 119"
-+msgstr "KRB5-Fehlercode 119"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:143
-+msgid "KRB5 error code 120"
-+msgstr "KRB5-Fehlercode 120"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:144
-+msgid "KRB5 error code 121"
-+msgstr "KRB5-Fehlercode 121"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:145
-+msgid "KRB5 error code 122"
-+msgstr "KRB5-Fehlercode 122"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:146
-+msgid "KRB5 error code 123"
-+msgstr "KRB5-Fehlercode 123"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:147
-+msgid "KRB5 error code 124"
-+msgstr "KRB5-Fehlercode 124"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:148
-+msgid "KRB5 error code 125"
-+msgstr "KRB5-Fehlercode 125"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:149
-+msgid "KRB5 error code 126"
-+msgstr "KRB5-Fehlercode 126"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:150
-+msgid "KRB5 error code 127"
-+msgstr "KRB5-Fehlercode 127"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:151
-+#: ../lib/krb5/error_tables/kdb5_err.c:23
-+msgid "$Id$"
-+msgstr "$Id$"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:152
-+msgid "Invalid flag for file lock mode"
-+msgstr "ungültiger Schalter für den Datei-Sperrmodus"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:153
-+msgid "Cannot read password"
-+msgstr "Passwort kann nicht gelesen werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:154
-+msgid "Password mismatch"
-+msgstr "Passwort stimmt nicht überein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:155
-+msgid "Password read interrupted"
-+msgstr "Lesen des Passworts unterbrochen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:156
-+msgid "Illegal character in component name"
-+msgstr "ungültiges Zeichen in Komponentenname"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:157
-+msgid "Malformed representation of principal"
-+msgstr "Darstellung des Principals in falscher Form"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:158
-+msgid "Can't open/find Kerberos configuration file"
-+msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:159
-+msgid "Improper format of Kerberos configuration file"
-+msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:160
-+msgid "Insufficient space to return complete information"
-+msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:161
-+msgid "Invalid message type specified for encoding"
-+msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:162
-+msgid "Credential cache name malformed"
-+msgstr "falsche Form des Anmeldedatenzwischenspeichernamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:163
-+msgid "Unknown credential cache type"
-+msgstr "unbekannter Anmeldedatenzwischenspeichertyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:164
-+msgid "Matching credential not found"
-+msgstr "keine passenden Anmeldedaten gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:165
-+msgid "End of credential cache reached"
-+msgstr "Ende des Anmeldedatenzwischenspeichers erreicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:166
-+msgid "Request did not supply a ticket"
-+msgstr "Anfrage lieferte kein Ticket"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:167
-+msgid "Wrong principal in request"
-+msgstr "falscher Principal in der Anfrage"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:168
-+msgid "Ticket has invalid flag set"
-+msgstr "Das Ticket hat einen falsch gesetzten Schalter."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:169
-+msgid "Requested principal and ticket don't match"
-+msgstr "angeforderter Principal und Ticket passen nicht zusammen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:170
-+msgid "KDC reply did not match expectations"
-+msgstr "KDC-Antwort entsprach nicht den Erwartungen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:171
-+msgid "Clock skew too great in KDC reply"
-+msgstr "Zeitversatz in der KDC-Antwort zu groß"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:172
-+msgid "Client/server realm mismatch in initial ticket request"
-+msgstr ""
-+"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:173
-+msgid "Program lacks support for encryption type"
-+msgstr ""
-+"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:174
-+msgid "Program lacks support for key type"
-+msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:175
-+msgid "Requested encryption type not used in message"
-+msgstr ""
-+"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:176
-+msgid "Program lacks support for checksum type"
-+msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:177
-+msgid "Cannot find KDC for requested realm"
-+msgstr "KDC für angeforderten Realm kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:178
-+msgid "Kerberos service unknown"
-+msgstr "Kerberos-Dienst unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:179
-+msgid "Cannot contact any KDC for requested realm"
-+msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:180
-+msgid "No local name found for principal name"
-+msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:182
-+msgid "Replay cache type is already registered"
-+msgstr "Wiederholungszwischenspeichertyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:183
-+msgid "No more memory to allocate (in replay cache code)"
-+msgstr ""
-+"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:184
-+msgid "Replay cache type is unknown"
-+msgstr "Wiederholungszwischenspeichertyp ist unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:185
-+msgid "Generic unknown RC error"
-+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:186
-+msgid "Message is a replay"
-+msgstr "Nachricht ist eine Wiederholung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:187
-+msgid "Replay cache I/O operation failed"
-+msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:188
-+msgid "Replay cache type does not support non-volatile storage"
-+msgstr ""
-+"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:189
-+msgid "Replay cache name parse/format error"
-+msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:190
-+msgid "End-of-file on replay cache I/O"
-+msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:191
-+msgid "No more memory to allocate (in replay cache I/O code)"
-+msgstr ""
-+"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-"
-+"Code)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:192
-+msgid "Permission denied in replay cache code"
-+msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:193
-+msgid "I/O error in replay cache i/o code"
-+msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:194
-+msgid "Generic unknown RC/IO error"
-+msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:195
-+msgid "Insufficient system space to store replay information"
-+msgstr ""
-+"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:196
-+msgid "Can't open/find realm translation file"
-+msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:197
-+msgid "Improper format of realm translation file"
-+msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:198
-+msgid "Can't open/find lname translation database"
-+msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:199
-+msgid "No translation available for requested principal"
-+msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:200
-+msgid "Improper format of translation database entry"
-+msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:201
-+msgid "Cryptosystem internal error"
-+msgstr "interner Fehler des Verschlüsselungssystems"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:202
-+msgid "Key table name malformed"
-+msgstr "falsche Form des Schlüsseltabellennamens"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:203
-+msgid "Unknown Key table type"
-+msgstr "unbekannter Schlüsseltabellentyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:204
-+msgid "Key table entry not found"
-+msgstr "Schlüsseltabelleneintrag nicht gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:205
-+msgid "End of key table reached"
-+msgstr "Ende der Schlüsseltabelle erreicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:206
-+msgid "Cannot write to specified key table"
-+msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:207
-+msgid "Error writing to key table"
-+msgstr "Fehler beim Schreiben in Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:208
-+msgid "Cannot find ticket for requested realm"
-+msgstr "Ticket für angeforderten Realm kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:209
-+msgid "DES key has bad parity"
-+msgstr "DES-Schlüssel hat falsche Parität"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:210
-+msgid "DES key is a weak key"
-+msgstr "DES-Schlüssel ist schwach"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:211
-+msgid "Bad encryption type"
-+msgstr "falscher Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:212
-+msgid "Key size is incompatible with encryption type"
-+msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:213
-+msgid "Message size is incompatible with encryption type"
-+msgstr "Nachrichtengröße ist nicht mit Verschlüsselungstyp kompatibel"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:214
-+msgid "Credentials cache type is already registered."
-+msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:215
-+msgid "Key table type is already registered."
-+msgstr "Schlüsseltabellentyp ist bereits registriert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:216
-+msgid "Credentials cache I/O operation failed XXX"
-+msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:217
-+msgid "Credentials cache permissions incorrect"
-+msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:218
-+msgid "No credentials cache found"
-+msgstr "kein Anmeldedatenzwischenspeicher gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:219
-+msgid "Internal credentials cache error"
-+msgstr "interner Anmeldedatenzwischenspeicherfehler"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:220
-+msgid "Error writing to credentials cache"
-+msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:221
-+msgid "No more memory to allocate (in credentials cache code)"
-+msgstr ""
-+"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:222
-+msgid "Bad format in credentials cache"
-+msgstr "falsches Format im Anmeldedatenzwischenspeicher"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:223
-+msgid "No credentials found with supported encryption types"
-+msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:224
-+msgid "Invalid KDC option combination (library internal error)"
-+msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:225
-+msgid "Request missing second ticket"
-+msgstr "Der Anfrage fehlt das zweite Ticket."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:226
-+msgid "No credentials supplied to library routine"
-+msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:227
-+msgid "Bad sendauth version was sent"
-+msgstr "Es wurde eine falsche Sendauth-Version verschickt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:228
-+msgid "Bad application version was sent (via sendauth)"
-+msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:229
-+msgid "Bad response (during sendauth exchange)"
-+msgstr "falsche Antwort (beim Sendauth-Austausch)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:230
-+msgid "Server rejected authentication (during sendauth exchange)"
-+msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:231
-+msgid "Unsupported preauthentication type"
-+msgstr "nicht unterstützter Vorauthentifizierungstyp"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:232
-+msgid "Required preauthentication key not supplied"
-+msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:233
-+msgid "Generic preauthentication failure"
-+msgstr "allgemeiner Fehlschlag der Vorauthentifizierung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:234
-+msgid "Unsupported replay cache format version number"
-+msgstr ""
-+"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:235
-+msgid "Unsupported credentials cache format version number"
-+msgstr ""
-+"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:236
-+msgid "Unsupported key table format version number"
-+msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:237
-+msgid "Program lacks support for address type"
-+msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:238
-+msgid "Message replay detection requires rcache parameter"
-+msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:239
-+msgid "Hostname cannot be canonicalized"
-+msgstr "Rechnername kann nicht in Normalform gebracht werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:240
-+msgid "Cannot determine realm for host"
-+msgstr "Realm für Rechner kann nicht bestimmt werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:241
-+msgid "Conversion to service principal undefined for name type"
-+msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:242
-+msgid "Initial Ticket response appears to be Version 4 error"
-+msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:243
-+msgid "Cannot resolve network address for KDC in requested realm"
-+msgstr ""
-+"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:244
-+msgid "Requesting ticket can't get forwardable tickets"
-+msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:245
-+msgid "Bad principal name while trying to forward credentials"
-+msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:246
-+msgid "Looping detected inside krb5_get_in_tkt"
-+msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:247
-+msgid "Configuration file does not specify default realm"
-+msgstr "Konfigurationsdatei gibt keinen Standard-Realm an"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:248
-+msgid "Bad SAM flags in obtain_sam_padata"
-+msgstr "falsche SAM-Schalter in »obtain_sam_padata«"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:249
-+msgid "Invalid encryption type in SAM challenge"
-+msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:250
-+msgid "Missing checksum in SAM challenge"
-+msgstr "fehlende Prüfsumme in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:251
-+msgid "Bad checksum in SAM challenge"
-+msgstr "falsche Prüfsumme in der SAM-Aufforderung"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:252
-+msgid "Keytab name too long"
-+msgstr "Schlüsseltabellennamen zu lang"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:253
-+msgid "Key version number for principal in key table is incorrect"
-+msgstr ""
-+"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht "
-+"korrekt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:254
-+msgid "This application has expired"
-+msgstr "Diese Anwendung ist abgelaufen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:255
-+msgid "This Krb5 library has expired"
-+msgstr "Diese Krb5-Bibliothek ist abgelaufen."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:256
-+msgid "New password cannot be zero length"
-+msgstr "Das neue Passwort kann nicht die Länge Null haben."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:258
-+msgid "Bad format in keytab"
-+msgstr "falsches Format in der Schlüsseltabelle"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:259
-+msgid "Encryption type not permitted"
-+msgstr "Verschlüsselungstyp nicht erlaubt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:260
-+msgid "No supported encryption types (config file error?)"
-+msgstr ""
-+"keine unterstützten Verschlüsselungstypen (Fehler in der "
-+"Konfigurationsdatei?)"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:261
-+msgid "Program called an obsolete, deleted function"
-+msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:262
-+msgid "unknown getaddrinfo failure"
-+msgstr "unbekannter Getaddrinfo-Fehlschlag"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:263
-+msgid "no data available for host/domain name"
-+msgstr "keine Daten für Rechner/Domain-Namen verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:264
-+msgid "host/domain name not found"
-+msgstr "Rechner/Domain-Name nicht gefunden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:265
-+msgid "service name unknown"
-+msgstr "Dienstname unbekannt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:266
-+msgid "Cannot determine realm for numeric host address"
-+msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:267
-+msgid "Invalid key generation parameters from KDC"
-+msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:268
-+msgid "service not available"
-+msgstr "Dienst nicht verfügbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:269
-+msgid "Ccache function not supported: read-only ccache type"
-+msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:270
-+msgid "Ccache function not supported: not implemented"
-+msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:271
-+msgid "Invalid format of Kerberos lifetime or clock skew string"
-+msgstr ""
-+"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:272
-+msgid "Supplied data not handled by this plugin"
-+msgstr ""
-+"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt."
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:273
-+msgid "Plugin does not support the operation"
-+msgstr "Erweiterung unterstützt diese Aktion nicht"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:274
-+msgid "Invalid UTF-8 string"
-+msgstr "ungültige UTF-8-Zeichenkette"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:275
-+msgid "FAST protected pre-authentication required but not supported by KDC"
-+msgstr ""
-+"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC "
-+"unterstützt"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:276
-+msgid "Auth context must contain local address"
-+msgstr "Authentifizierungskontext muss lokale Adresse enthalten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:277
-+msgid "Auth context must contain remote address"
-+msgstr "Authentifizierungskontext muss ferne Adresse enthalten"
-+
-+#: ../lib/krb5/error_tables/krb5_err.c:278
-+msgid "Tracing unsupported"
-+msgstr "Verfolgung nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:24
-+msgid "Entry already exists in database"
-+msgstr "Eintrag existiert bereits in der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:25
-+msgid "Database store error"
-+msgstr "Datenbank-Speicherfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:26
-+msgid "Database read error"
-+msgstr "Datenbank-Lesefehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:27
-+msgid "Insufficient access to perform requested operation"
-+msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:28
-+msgid "No such entry in the database"
-+msgstr "kein derartiger Eintrag in der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:29
-+msgid "Illegal use of wildcard"
-+msgstr "ungültige Verwendung eines Platzhalters"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:30
-+msgid "Database is locked or in use--try again later"
-+msgstr ""
-+"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später "
-+"wieder"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:31
-+msgid "Database was modified during read"
-+msgstr "Datenbank wurde während des Lesens geändert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:32
-+msgid "Database record is incomplete or corrupted"
-+msgstr "Datensatz ist unvollständig oder beschädigt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:33
-+msgid "Attempt to lock database twice"
-+msgstr "Es wurde zweimal versucht, die Datenbank zu sperren."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:34
-+msgid "Attempt to unlock database when not locked"
-+msgstr ""
-+"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt "
-+"ist."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:35
-+msgid "Invalid kdb lock mode"
-+msgstr "ungültiger KDB-Sperrmodus"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:36
-+msgid "Database has not been initialized"
-+msgstr "Datenbank wurde nicht initialisiert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:37
-+msgid "Database has already been initialized"
-+msgstr "Datenbank wurde bereits initialisiert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:38
-+msgid "Bad direction for converting keys"
-+msgstr "falsche Richtung zum Umwandeln von Schlüsseln"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:39
-+msgid "Cannot find master key record in database"
-+msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:40
-+msgid "Master key does not match database"
-+msgstr "Hauptschlüssel passt nicht zur Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:41
-+msgid "Key size in database is invalid"
-+msgstr "Die Schlüssellänge in der Datenbank ist ungültig,"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:42
-+msgid "Cannot find/read stored master key"
-+msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:43
-+msgid "Stored master key is corrupted"
-+msgstr "Der gespeicherte Hauptschlüssel ist beschädigt."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:44
-+msgid "Cannot find active master key"
-+msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden."
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:45
-+msgid "KVNO of new master key does not match expected value"
-+msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:46
-+msgid "Stored master key is not current"
-+msgstr "gespeicherter Hauptschlüssel ist nicht aktuell"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:47
-+msgid "Insufficient access to lock database"
-+msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:48
-+msgid "Database format error"
-+msgstr "fehlerhaftes Datenbankformat"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:49
-+msgid "Unsupported version in database entry"
-+msgstr "nicht unterstützte Version im Datenbankeintrag"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:50
-+msgid "Unsupported salt type"
-+msgstr "nicht unterstützter Salt-Typ"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:51
-+msgid "Unsupported encryption type"
-+msgstr "nicht unterstützter Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:52
-+msgid "Bad database creation flags"
-+msgstr "falsche Schalter zum Erstellen der Datenbank"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:53
-+msgid "No matching key in entry having a permitted enctype"
-+msgstr ""
-+"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:54
-+msgid "No matching key in entry"
-+msgstr "kein passender Schlüssel im Eintrag"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:55
-+msgid "Unable to find requested database type"
-+msgstr "angeforderter Datenbanktyp kann nicht gefunden werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:56
-+msgid "Database type not supported"
-+msgstr "Datenbanktyp nicht unterstützt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:57
-+msgid "Database library failed to initialize"
-+msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:59
-+msgid "Unable to access Kerberos database"
-+msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:60
-+msgid "Kerberos database internal error"
-+msgstr "interner Kerberos-Datenbankfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:61
-+msgid "Kerberos database constraints violated"
-+msgstr "Kerberos-Datenbankbeschränkungen verletzt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:62
-+msgid "Update log conversion error"
-+msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:63
-+msgid "Update log is unstable"
-+msgstr "Aktualisierungsprotokoll ist instabil"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:64
-+msgid "Update log is corrupt"
-+msgstr "Aktualisierungsprotokoll ist beschädigt"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:65
-+msgid "Generic update log error"
-+msgstr "allgemeiner Aktualisierungsprotokollfehler"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:66
-+msgid "Database module does not match KDC version"
-+msgstr "Datenbankmodul passt nicht zur KDC-Version"
-+
-+#: ../lib/krb5/error_tables/kdb5_err.c:68
-+msgid "Too much string mapping data"
-+msgstr "zu viele zeichenkettenabbildenden Daten"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:23
-+msgid "ASN.1 failed call to system time library"
-+msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:24
-+msgid "ASN.1 structure is missing a required field"
-+msgstr "ein erforderliches Feld fehlt in der ASN.1-Struktur"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:25
-+msgid "ASN.1 unexpected field number"
-+msgstr "ASN.1 unerwartete Feldnummer"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:26
-+msgid "ASN.1 type numbers are inconsistent"
-+msgstr "ASN.1-Typnummern sind inkonsistent"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:27
-+msgid "ASN.1 value too large"
-+msgstr "ASN.1-Wert zu groß"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:28
-+msgid "ASN.1 encoding ended unexpectedly"
-+msgstr "ASN.1-Kodierung endete unerwartet"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:29
-+msgid "ASN.1 identifier doesn't match expected value"
-+msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:30
-+msgid "ASN.1 length doesn't match expected value"
-+msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:31
-+msgid "ASN.1 badly-formatted encoding"
-+msgstr "fehlerhaft formatierte ASN.1-Kodierung"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:32
-+msgid "ASN.1 parse error"
-+msgstr "ASN.1-Auswertungsfehler"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:33
-+msgid "ASN.1 bad return from gmtime"
-+msgstr "ASN.1 falscher Rückgabewert von Gmtime"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:34
-+msgid "ASN.1 non-constructed indefinite encoding"
-+msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:35
-+msgid "ASN.1 missing expected EOC"
-+msgstr "ASN.1 fehlt erwartetes EOC"
-+
-+#: ../lib/krb5/error_tables/asn1_err.c:36
-+msgid "ASN.1 object omitted in sequence"
-+msgstr "ASN.1-Objekt in Sequenz ausgelassen"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:23
-+msgid "Kerberos V5 magic number table"
-+msgstr "Tabelle magischer Zahlen von Kerberos V5"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:24
-+msgid "Bad magic number for krb5_principal structure"
-+msgstr "falsche magische Zahl für Krb5_principal-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:25
-+msgid "Bad magic number for krb5_data structure"
-+msgstr "falsche magische Zahl für Krb5_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:26
-+msgid "Bad magic number for krb5_keyblock structure"
-+msgstr "falsche magische Zahl für Krb5_krb5_keyblock-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:27
-+msgid "Bad magic number for krb5_checksum structure"
-+msgstr "falsche magische Zahl für Krb5_krb5_checksum-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:28
-+msgid "Bad magic number for krb5_encrypt_block structure"
-+msgstr "falsche magische Zahl für Krb5_encrypt_bloc-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:29
-+msgid "Bad magic number for krb5_enc_data structure"
-+msgstr "falsche magische Zahl für Krb5_enc_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:30
-+msgid "Bad magic number for krb5_cryptosystem_entry structure"
-+msgstr "falsche magische Zahl für Krb5_cryptosystem_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:31
-+msgid "Bad magic number for krb5_cs_table_entry structure"
-+msgstr "falsche magische Zahl für Krb5_cs_table_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:32
-+msgid "Bad magic number for krb5_checksum_entry structure"
-+msgstr "falsche magische Zahl für Krb5_checksum_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:33
-+msgid "Bad magic number for krb5_authdata structure"
-+msgstr "falsche magische Zahl für Krb5_authdata-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:34
-+msgid "Bad magic number for krb5_transited structure"
-+msgstr "falsche magische Zahl für Krb5_transited-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:35
-+msgid "Bad magic number for krb5_enc_tkt_part structure"
-+msgstr "falsche magische Zahl für Krb5_enc_tkt_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:36
-+msgid "Bad magic number for krb5_ticket structure"
-+msgstr "falsche magische Zahl für Krb5_ticket-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:37
-+msgid "Bad magic number for krb5_authenticator structure"
-+msgstr "falsche magische Zahl für Krb5_authenticator-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:38
-+msgid "Bad magic number for krb5_tkt_authent structure"
-+msgstr "falsche magische Zahl für Krb5_tkt_authent-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:39
-+msgid "Bad magic number for krb5_creds structure"
-+msgstr "falsche magische Zahl für Krb5_creds-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:40
-+msgid "Bad magic number for krb5_last_req_entry structure"
-+msgstr "falsche magische Zahl für Krb5_last_req_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:41
-+msgid "Bad magic number for krb5_pa_data structure"
-+msgstr "falsche magische Zahl für Krb5_pa_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:42
-+msgid "Bad magic number for krb5_kdc_req structure"
-+msgstr "falsche magische Zahl für Krb5_kdc_req-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:43
-+msgid "Bad magic number for krb5_enc_kdc_rep_part structure"
-+msgstr "falsche magische Zahl für Krb5_enc_kdc_rep_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:44
-+msgid "Bad magic number for krb5_kdc_rep structure"
-+msgstr "falsche magische Zahl für Krb5_kdc_rep-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:45
-+msgid "Bad magic number for krb5_error structure"
-+msgstr "falsche magische Zahl für Krb5_error-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:46
-+msgid "Bad magic number for krb5_ap_req structure"
-+msgstr "falsche magische Zahl für Krb5_ap_req-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:47
-+msgid "Bad magic number for krb5_ap_rep structure"
-+msgstr "falsche magische Zahl für Krb5_ap_rep-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:48
-+msgid "Bad magic number for krb5_ap_rep_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_ap_rep_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:49
-+msgid "Bad magic number for krb5_response structure"
-+msgstr "falsche magische Zahl für Krb5_response-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:50
-+msgid "Bad magic number for krb5_safe structure"
-+msgstr "falsche magische Zahl für Krb5_safe-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:51
-+msgid "Bad magic number for krb5_priv structure"
-+msgstr "falsche magische Zahl für Krb5_priv-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:52
-+msgid "Bad magic number for krb5_priv_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_priv_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:53
-+msgid "Bad magic number for krb5_cred structure"
-+msgstr "falsche magische Zahl für Krb5_cred-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:54
-+msgid "Bad magic number for krb5_cred_info structure"
-+msgstr "falsche magische Zahl für Krb5_cred_info-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:55
-+msgid "Bad magic number for krb5_cred_enc_part structure"
-+msgstr "falsche magische Zahl für Krb5_cred_enc_part-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:56
-+msgid "Bad magic number for krb5_pwd_data structure"
-+msgstr "falsche magische Zahl für Krb5_pwd_data-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:57
-+msgid "Bad magic number for krb5_address structure"
-+msgstr "falsche magische Zahl für Krb5_address-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:58
-+msgid "Bad magic number for krb5_keytab_entry structure"
-+msgstr "falsche magische Zahl für Krb5_keytab_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:59
-+msgid "Bad magic number for krb5_context structure"
-+msgstr "falsche magische Zahl für Krb5_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:60
-+msgid "Bad magic number for krb5_os_context structure"
-+msgstr "falsche magische Zahl für Krb5_os_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:61
-+msgid "Bad magic number for krb5_alt_method structure"
-+msgstr "falsche magische Zahl für Krb5_alt_method-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:62
-+msgid "Bad magic number for krb5_etype_info_entry structure"
-+msgstr "falsche magische Zahl für Krb5_etype_info_entry-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:63
-+msgid "Bad magic number for krb5_db_context structure"
-+msgstr "falsche magische Zahl für Krb5_db_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:64
-+msgid "Bad magic number for krb5_auth_context structure"
-+msgstr "falsche magische Zahl für Krb5_auth_context-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:65
-+msgid "Bad magic number for krb5_keytab structure"
-+msgstr "falsche magische Zahl für Krb5_keytab-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:66
-+msgid "Bad magic number for krb5_rcache structure"
-+msgstr "falsche magische Zahl für Krb5_rcache-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:67
-+msgid "Bad magic number for krb5_ccache structure"
-+msgstr "falsche magische Zahl für Krb5_ccache-Struktur"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:68
-+msgid "Bad magic number for krb5_preauth_ops"
-+msgstr "falsche magische Zahl für Krb5_preauth_ops"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:69
-+msgid "Bad magic number for krb5_sam_challenge"
-+msgstr "falsche magische Zahl für Krb5_sam_challenge"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:70
-+msgid "Bad magic number for krb5_sam_challenge_2"
-+msgstr "falsche magische Zahl für Krb5_sam_challenge_2"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:71
-+msgid "Bad magic number for krb5_sam_key"
-+msgstr "falsche magische Zahl für Krb5_sam_key"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:72
-+#: ../lib/krb5/error_tables/kv5m_err.c:73
-+msgid "Bad magic number for krb5_enc_sam_response_enc"
-+msgstr "falsche magische Zahl für Krb5_enc_sam_response_enc"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:74
-+msgid "Bad magic number for krb5_sam_response"
-+msgstr "falsche magische Zahl für Krb5_sam_response"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:75
-+msgid "Bad magic number for krb5_sam_response 2"
-+msgstr "falsche magische Zahl für Krb5_sam_response 2"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:76
-+msgid "Bad magic number for krb5_predicted_sam_response"
-+msgstr "falsche magische Zahl für Krb5_predicted_sam_response"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:77
-+msgid "Bad magic number for passwd_phrase_element"
-+msgstr "falsche magische Zahl für Passwd_phrase_element"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:78
-+msgid "Bad magic number for GSSAPI OID"
-+msgstr "falsche magische Zahl für GSSAPI OID"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:79
-+msgid "Bad magic number for GSSAPI QUEUE"
-+msgstr "falsche magische Zahl für GSSAPI QUEUE"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:80
-+msgid "Bad magic number for fast armored request"
-+msgstr "falsche magische Zahl für per FAST geschützte Anfrage"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:81
-+msgid "Bad magic number for FAST request"
-+msgstr "falsche magische Zahl für FAST-Anfrage"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:82
-+msgid "Bad magic number for FAST response"
-+msgstr "falsche magische Zahl für FAST-Antwort"
-+
-+#: ../lib/krb5/error_tables/kv5m_err.c:83
-+msgid "Bad magic number for krb5_authdata_context"
-+msgstr "falsche magische Zahl für Krb5_authdata_context"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:23
-+msgid "Cannot convert V5 keyblock"
-+msgstr "V5-Schlüsselblock kann nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:24
-+msgid "Cannot convert V5 address information"
-+msgstr "V5-Adressinformationen können nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:25
-+msgid "Cannot convert V5 principal"
-+msgstr "V5-Principal kann nicht umgewandelt werden"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:26
-+msgid "V5 realm name longer than V4 maximum"
-+msgstr "V5-Realm-Name ist länger als die V4-Maximallänge"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:27
-+msgid "Kerberos V4 error"
-+msgstr "Kerberos-V4-Fehler"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:28
-+msgid "Encoding too large"
-+msgstr "Kodierung zu lang"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:29
-+msgid "Decoding out of data"
-+msgstr "Dekodieren außerhalb der Daten"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:30
-+msgid "Service not responding"
-+msgstr "Dienst antwortet nicht"
-+
-+#: ../lib/krb5/error_tables/krb524_err.c:31
-+msgid "Kerberos version 4 support is disabled"
-+msgstr "Kerberos 4 Unterstützung ist deaktiviert"
-+
-+#~ msgid "while creating server %s principal name"
-+#~ msgstr "beim Erstellen des Principal-Namens für Server %s"
-+
-+# KDC = Key Distribution Center
-+#~ msgid "while getting credentials from kdc"
-+#~ msgstr "beim Holen der Anmeldedaten vom KDC"
-+
-+# FIXME s/Retrieving/retrieving/
-+#~ msgid "while Retrieving credentials"
-+#~ msgstr "beim Abfragen der Anmeldedaten"
-+
-+#~ msgid "while copying principal"
-+#~ msgstr "beim Kopieren des Principals"
-+
-+#~ msgid "%s does not have correct permissions for %s\n"
-+#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n"
-+
-+#~ msgid "no salt\n"
-+#~ msgstr "kein Salt\n"
-+
-+#~ msgid "%s: Couldn't grab lock\n"
-+#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n"
-+
-+#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n"
-+#~ msgstr ""
-+#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht "
-+#~ "möglich.\n"
-+
-+#~ msgid "trying to lock database"
-+#~ msgstr "es wird versucht, die Datenbank zu sperren"
-+
-+#~ msgid "GSS-API error %s: %s\n"
-+#~ msgstr "GSS-API-Fehler %s: %s\n"
-+
-+#~ msgid "Couldn't create KRB5 Name NameType OID\n"
-+#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n"
-+
-+#~ msgid "%s: %s while initializing, aborting"
-+#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen"
-+
-+#~ msgid ""
-+#~ "%s: Missing required configuration values (%lx) while initializing, "
-+#~ "aborting"
-+#~ msgstr ""
-+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
-+#~ "(%lx), wird abgebrochen"
-+
-+#~ msgid ""
-+#~ "%s: Missing required configuration values (%lx) while initializing, "
-+#~ "aborting\n"
-+#~ msgstr ""
-+#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte "
-+#~ "(%lx), wird abgebrochen\n"
-+
-+#~ msgid "%s: could not initialize loop, aborting"
-+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen"
-+
-+#~ msgid "%s: could not initialize loop, aborting\n"
-+#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n"
-+
-+#~ msgid "%s: %s while initializing signal handlers, aborting"
-+#~ msgstr ""
-+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
-+#~ "abgebrochen"
-+
-+#~ msgid "%s: %s while initializing signal handlers, aborting\n"
-+#~ msgstr ""
-+#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird "
-+#~ "abgebrochen\n"
-+
-+#~ msgid "%s: %s while initializing network, aborting"
-+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen"
-+
-+#~ msgid "%s: %s while initializing network, aborting\n"
-+#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n"
-+
-+#~ msgid "Cannot build GSS-API authentication names, failing."
-+#~ msgstr ""
-+#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, "
-+#~ "fehlgeschlagen"
-+
-+#~ msgid "Can't set kdb keytab's internal context."
-+#~ msgstr ""
-+#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden."
-+
-+#~ msgid "Can't register kdb keytab."
-+#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden."
-+
-+#~ msgid "Can't register acceptor keytab."
-+#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden."
-+
-+#~ msgid ""
-+#~ "Cannot set GSS-API authentication names (keytab not present?), failing."
-+#~ msgstr ""
-+#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden "
-+#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen"
-+
-+#~ msgid "Cannot initialize acl file: %s"
-+#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s"
-+
-+#~ msgid "%s: Cannot initialize acl file: %s\n"
-+#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n"
-+
-+#~ msgid "Cannot detach from tty: %s"
-+#~ msgstr "kann nicht vom Terminal gelöst werden: %s"
-+
-+#~ msgid "Cannot create PID file %s: %s"
-+#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s"
-+
-+#~ msgid "%s: %s while mapping update log (`%s.ulog')\n"
-+#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n"
-+
-+#~ msgid "%s while mapping update log (`%s.ulog')"
-+#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)"
-+
-+#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"
-+#~ msgstr ""
-+#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n"
-+
-+#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."
-+#~ msgstr ""
-+#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), "
-+#~ "fehlgeschlagen"
-+
-+#~ msgid "%s while getting IProp svc name, failing"
-+#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen"
-+
-+#~ msgid "%s: %s while getting IProp svc name, failing\n"
-+#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n"
-+
-+#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing."
-+#~ msgstr ""
-+#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen"
-+
-+#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"
-+#~ msgstr ""
-+#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, "
-+#~ "fehlgeschlagen\n"
-+
-+#~ msgid "GSS-API authentication error %.*s: recursive failure!"
-+#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!"
-+
-+#~ msgid "skipping unrecognized local address family %d"
-+#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen"
-+
-+#~ msgid "got routing msg type %d(%s) v%d"
-+#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten"
-+
-+#~ msgid "Could not create temp stash file: %s"
-+#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s"
-+
-+#~ msgid "ulog_sync_header: could not sync to disk"
-+#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden"
-+
-+#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt"
-+#~ msgstr ""
-+#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« "
-+#~ "umzuwandeln"
-+
-+#~ msgid "krb5_sname_to_principal, while adding entries to the database"
-+#~ msgstr ""
-+#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank"
-+
-+#~ msgid "krb5_copy_principal, while adding entries to the database"
-+#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank"
-+
-+#~ msgid ""
-+#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. "
-+#~ "Proceeding anyway ..."
-+#~ msgstr ""
-+#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-"
-+#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …"
-+
-+#~ msgid ""
-+#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform "
-+#~ "certificate-based bind."
-+#~ msgstr ""
-+#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es "
-+#~ "kann keine zertifikatbasierte Verbindung hergestellt werden."
-+
-+#~ msgid "Error reading 'ldap_servers' attribute"
-+#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«"
-+
-+#~ msgid "Stash file entry corrupt"
-+#~ msgstr "Eintrag in der Ablagedatei beschädigt"
-+
-+#~ msgid "while setting server principal realm"
-+#~ msgstr "beim Setzen des Server-Principal-Realms"
-+
-+#~ msgid "while getting initial ticket\n"
-+#~ msgstr "beim Holen eines Anfangs-Tickets\n"
-+
-+#~ msgid "while destroying ticket cache"
-+#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers"
-+
-+#~ msgid "while closing default ccache"
-+#~ msgstr "beim Schließen des Standard-Ccaches"
diff --git a/Add-KDC-policy-pluggable-interface.patch b/Add-KDC-policy-pluggable-interface.patch
deleted file mode 100644
index a5e029e..0000000
--- a/Add-KDC-policy-pluggable-interface.patch
+++ /dev/null
@@ -1,994 +0,0 @@
-From 78a1f155701f94a228c4f58f98846195a39991c4 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 27 Jun 2017 17:15:39 -0400
-Subject: [PATCH] Add KDC policy pluggable interface
-
-Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable
-interface for modules to deny AS and TGS requests and set maximum
-ticket lifetimes. This interface replaces the policy.c stub functions.
-
-Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions.
-Call them after auth indicators and ticket lifetimes have been
-determined.
-
-Add a test module and a test script with basic kdcpolicy tests. Add
-plugin interface documentation in doc/plugindev/policy.rst.
-
-Also authored by Matt Rogers <mrogers@redhat.com>.
-
-ticket: 8606 (new)
-(cherry picked from commit d0969f6a8170344031ef58fd2a161190f1edfb96)
-[rharwood@redhat.com: mention but do not use kadm_auth]
----
- doc/plugindev/index.rst | 1 +
- doc/plugindev/kdcpolicy.rst | 24 +++
- src/Makefile.in | 1 +
- src/configure.in | 1 +
- src/include/Makefile.in | 1 +
- src/include/k5-int.h | 4 +-
- src/include/k5-trace.h | 5 +
- src/include/krb5/kdcpolicy_plugin.h | 128 ++++++++++++
- src/kdc/do_as_req.c | 7 +
- src/kdc/do_tgs_req.c | 6 +
- src/kdc/kdc_util.c | 7 -
- src/kdc/kdc_util.h | 11 -
- src/kdc/main.c | 8 +
- src/kdc/policy.c | 267 +++++++++++++++++++++----
- src/kdc/policy.h | 19 +-
- src/kdc/tgs_policy.c | 6 -
- src/lib/krb5/krb/plugin.c | 4 +-
- src/plugins/kdcpolicy/test/Makefile.in | 20 ++
- src/plugins/kdcpolicy/test/deps | 0
- src/plugins/kdcpolicy/test/main.c | 111 ++++++++++
- src/plugins/kdcpolicy/test/policy_test.exports | 1 +
- src/tests/Makefile.in | 1 +
- src/tests/t_kdcpolicy.py | 57 ++++++
- 23 files changed, 616 insertions(+), 74 deletions(-)
- create mode 100644 doc/plugindev/kdcpolicy.rst
- create mode 100644 src/include/krb5/kdcpolicy_plugin.h
- create mode 100644 src/plugins/kdcpolicy/test/Makefile.in
- create mode 100644 src/plugins/kdcpolicy/test/deps
- create mode 100644 src/plugins/kdcpolicy/test/main.c
- create mode 100644 src/plugins/kdcpolicy/test/policy_test.exports
- create mode 100644 src/tests/t_kdcpolicy.py
-
-diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst
-index 67dbc2790..0a012b82b 100644
---- a/doc/plugindev/index.rst
-+++ b/doc/plugindev/index.rst
-@@ -32,5 +32,6 @@ Contents
- gssapi.rst
- internal.rst
- certauth.rst
-+ kdcpolicy.rst
-
- .. TODO: GSSAPI mechanism plugins
-diff --git a/doc/plugindev/kdcpolicy.rst b/doc/plugindev/kdcpolicy.rst
-new file mode 100644
-index 000000000..74f21f08f
---- /dev/null
-+++ b/doc/plugindev/kdcpolicy.rst
-@@ -0,0 +1,24 @@
-+.. _kdcpolicy_plugin:
-+
-+KDC policy interface (kdcpolicy)
-+================================
-+
-+The kdcpolicy interface was first introduced in release 1.16. It
-+allows modules to veto otherwise valid AS and TGS requests or restrict
-+the lifetime and renew time of the resulting ticket. For a detailed
-+description of the kdcpolicy interface, see the header file
-+``<krb5/kdcpolicy_plugin.h>``.
-+
-+The optional **check_as** and **check_tgs** functions allow the module
-+to perform access control. Additionally, a module can create and
-+destroy module data with the **init** and **fini** methods. Module
-+data objects last for the lifetime of the KDC process, and are
-+provided to all other methods. The data has the type
-+krb5_kdcpolicy_moddata, which should be cast to the appropriate
-+internal type.
-+
-+kdcpolicy modules can optionally inspect principal entries. To do
-+this, the module must also include ``<kdb.h>`` to gain access to the
-+principal entry structure definition. As the KDB interface is
-+explicitly not as stable as other public interfaces, modules which do
-+this may not retain compatibility across releases.
-diff --git a/src/Makefile.in b/src/Makefile.in
-index ad8565056..e47bddcb1 100644
---- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -21,6 +21,7 @@ SUBDIRS=util include lib \
- plugins/kdb/db2 \
- @ldap_plugin_dir@ \
- plugins/kdb/test \
-+ plugins/kdcpolicy/test \
- plugins/preauth/otp \
- plugins/preauth/pkinit \
- plugins/preauth/test \
-diff --git a/src/configure.in b/src/configure.in
-index 4ae2c07d5..ee1983043 100644
---- a/src/configure.in
-+++ b/src/configure.in
-@@ -1470,6 +1470,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
- plugins/kdb/db2/libdb2/recno
- plugins/kdb/db2/libdb2/test
- plugins/kdb/test
-+ plugins/kdcpolicy/test
- plugins/preauth/otp
- plugins/preauth/test
- plugins/authdata/greet_client
-diff --git a/src/include/Makefile.in b/src/include/Makefile.in
-index 0239338a1..6a3fa8242 100644
---- a/src/include/Makefile.in
-+++ b/src/include/Makefile.in
-@@ -144,6 +144,7 @@ install-headers-unix install: krb5/krb5.h profile.h
- $(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h
-+ $(INSTALL_DATA) $(srcdir)/krb5/kdcpolicy_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpolicy_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/kdcpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpreauth_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index ed9c7bf75..39ffb9568 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -1157,7 +1157,9 @@ struct plugin_interface {
- #define PLUGIN_INTERFACE_TLS 8
- #define PLUGIN_INTERFACE_KDCAUTHDATA 9
- #define PLUGIN_INTERFACE_CERTAUTH 10
--#define PLUGIN_NUM_INTERFACES 11
-+#define PLUGIN_INTERFACE_KADM5_AUTH 11
-+#define PLUGIN_INTERFACE_KDCPOLICY 12
-+#define PLUGIN_NUM_INTERFACES 13
-
- /* Retrieve the plugin module of type interface_id and name modname,
- * storing the result into module. */
-diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
-index c75e264e0..2885408a2 100644
---- a/src/include/k5-trace.h
-+++ b/src/include/k5-trace.h
-@@ -454,4 +454,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
- #define TRACE_GET_CRED_VIA_TKT_EXT_RETURN(c, ret) \
- TRACE(c, "Got cred; {kerr}", ret)
-
-+#define TRACE_KDCPOLICY_VTINIT_FAIL(c, ret) \
-+ TRACE(c, "KDC policy module failed to init vtable: {kerr}", ret)
-+#define TRACE_KDCPOLICY_INIT_SKIP(c, name) \
-+ TRACE(c, "kadm5_auth module {str} declined to initialize", name)
-+
- #endif /* K5_TRACE_H */
-diff --git a/src/include/krb5/kdcpolicy_plugin.h b/src/include/krb5/kdcpolicy_plugin.h
-new file mode 100644
-index 000000000..c7592c5db
---- /dev/null
-+++ b/src/include/krb5/kdcpolicy_plugin.h
-@@ -0,0 +1,128 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * Declarations for kdcpolicy plugin module implementors.
-+ *
-+ * The kdcpolicy pluggable interface currently has only one supported major
-+ * version, which is 1. Major version 1 has a current minor version number of
-+ * 1.
-+ *
-+ * kdcpolicy plugin modules should define a function named
-+ * kdcpolicy_<modulename>_initvt, matching the signature:
-+ *
-+ * krb5_error_code
-+ * kdcpolicy_modname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ * krb5_plugin_vtable vtable);
-+ *
-+ * The initvt function should:
-+ *
-+ * - Check that the supplied maj_ver number is supported by the module, or
-+ * return KRB5_PLUGIN_VER_NOTSUPP if it is not.
-+ *
-+ * - Cast the vtable pointer as appropriate for maj_ver:
-+ * maj_ver == 1: Cast to krb5_kdcpolicy_vtable
-+ *
-+ * - Initialize the methods of the vtable, stopping as appropriate for the
-+ * supplied min_ver. Optional methods may be left uninitialized.
-+ *
-+ * Memory for the vtable is allocated by the caller, not by the module.
-+ */
-+
-+#ifndef KRB5_POLICY_PLUGIN_H
-+#define KRB5_POLICY_PLUGIN_H
-+
-+#include <krb5/krb5.h>
-+
-+/* Abstract module datatype. */
-+typedef struct krb5_kdcpolicy_moddata_st *krb5_kdcpolicy_moddata;
-+
-+/* A module can optionally include kdb.h to inspect principal entries when
-+ * authorizing requests. */
-+struct _krb5_db_entry_new;
-+
-+/*
-+ * Optional: Initialize module data. Return 0 on success,
-+ * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for
-+ * example), and any other error code to abort KDC startup. Optionally set
-+ * *data_out to a module data object to be passed to future calls.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_init_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata *data_out);
-+
-+/* Optional: Clean up module data. */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_fini_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata);
-+
-+/*
-+ * Optional: return an error code and set status to an appropriate string
-+ * literal to deny an AS request; otherwise return 0. lifetime_out, if set,
-+ * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the
-+ * ticket renewable lifetime.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_check_as_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request,
-+ const struct _krb5_db_entry_new *client,
-+ const struct _krb5_db_entry_new *server,
-+ const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out);
-+
-+/*
-+ * Optional: return an error code and set status to an appropriate string
-+ * literal to deny a TGS request; otherwise return 0. lifetime_out, if set,
-+ * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the
-+ * ticket renewable lifetime.
-+ */
-+typedef krb5_error_code
-+(*krb5_kdcpolicy_check_tgs_fn)(krb5_context context,
-+ krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request,
-+ const struct _krb5_db_entry_new *server,
-+ const krb5_ticket *ticket,
-+ const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out);
-+
-+typedef struct krb5_kdcpolicy_vtable_st {
-+ const char *name;
-+ krb5_kdcpolicy_init_fn init;
-+ krb5_kdcpolicy_fini_fn fini;
-+ krb5_kdcpolicy_check_as_fn check_as;
-+ krb5_kdcpolicy_check_tgs_fn check_tgs;
-+} *krb5_kdcpolicy_vtable;
-+
-+#endif /* KRB5_POLICY_PLUGIN_H */
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index f85da6da6..f5cf8ad89 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -207,6 +207,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
-
- state->ticket_reply.enc_part2 = &state->enc_tkt_reply;
-
-+ errcode = check_kdcpolicy_as(kdc_context, state->request, state->client,
-+ state->server, state->auth_indicators,
-+ state->kdc_time, &state->enc_tkt_reply.times,
-+ &state->status);
-+ if (errcode)
-+ goto egress;
-+
- /*
- * Find the server key
- */
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index ac5864603..0009a9319 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -518,6 +518,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
- kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
- server, &enc_tkt_reply);
-
-+ errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket,
-+ auth_indicators, kdc_time,
-+ &enc_tkt_reply.times, &status);
-+ if (errcode)
-+ goto cleanup;
-+
- /*
- * Set authtime to be the same as header or evidence ticket's
- */
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index b710aefe4..5455e2a67 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -642,7 +642,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status, krb5_pa_data ***e_data)
- {
-- int errcode;
- krb5_error_code ret;
-
- /*
-@@ -750,12 +749,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
-- /* Check against local policy. */
-- errcode = against_local_policy_as(request, client, server,
-- kdc_time, status, e_data);
-- if (errcode)
-- return errcode;
--
- return 0;
- }
-
-diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
-index 672f94380..dcedfd538 100644
---- a/src/kdc/kdc_util.h
-+++ b/src/kdc/kdc_util.h
-@@ -166,17 +166,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
- #endif
- ;
-
--/* policy.c */
--int
--against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
-- krb5_db_entry, krb5_timestamp,
-- const char **, krb5_pa_data ***);
--
--int
--against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
-- krb5_ticket *, const char **,
-- krb5_pa_data ***);
--
- /* kdc_preauth.c */
- krb5_boolean
- enctype_requires_etype_info_2(krb5_enctype enctype);
-diff --git a/src/kdc/main.c b/src/kdc/main.c
-index a4dffb29a..ccac3a759 100644
---- a/src/kdc/main.c
-+++ b/src/kdc/main.c
-@@ -31,6 +31,7 @@
- #include "kdc_util.h"
- #include "kdc_audit.h"
- #include "extern.h"
-+#include "policy.h"
- #include "kdc5_err.h"
- #include "kdb_kt.h"
- #include "net-server.h"
-@@ -986,6 +987,12 @@ int main(int argc, char **argv)
-
- load_preauth_plugins(&shandle, kcontext, ctx);
- load_authdata_plugins(kcontext);
-+ retval = load_kdcpolicy_plugins(kcontext);
-+ if (retval) {
-+ kdc_err(kcontext, retval, _("while loading KDC policy plugin"));
-+ finish_realms();
-+ return 1;
-+ }
-
- retval = setup_sam();
- if (retval) {
-@@ -1068,6 +1075,7 @@ int main(int argc, char **argv)
- krb5_klog_syslog(LOG_INFO, _("shutting down"));
- unload_preauth_plugins(kcontext);
- unload_authdata_plugins(kcontext);
-+ unload_kdcpolicy_plugins(kcontext);
- unload_audit_modules(kcontext);
- krb5_klog_close(kcontext);
- finish_realms();
-diff --git a/src/kdc/policy.c b/src/kdc/policy.c
-index 6cba4303f..e49644e06 100644
---- a/src/kdc/policy.c
-+++ b/src/kdc/policy.c
-@@ -1,67 +1,246 @@
- /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
- /* kdc/policy.c - Policy decision routines for KDC */
- /*
-- * Copyright 1990 by the Massachusetts Institute of Technology.
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
- *
-- * Export of this software from the United States of America may
-- * require a specific license from the United States Government.
-- * It is the responsibility of any person or organization contemplating
-- * export to obtain such a license before exporting.
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
- *
-- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-- * distribute this software and its documentation for any purpose and
-- * without fee is hereby granted, provided that the above copyright
-- * notice appear in all copies and that both that copyright notice and
-- * this permission notice appear in supporting documentation, and that
-- * the name of M.I.T. not be used in advertising or publicity pertaining
-- * to distribution of the software without specific, written prior
-- * permission. Furthermore if you modify this software you must label
-- * your software as modified software and not distribute it in such a
-- * fashion that it might be confused with the original M.I.T. software.
-- * M.I.T. makes no representations about the suitability of
-- * this software for any purpose. It is provided "as is" without express
-- * or implied warranty.
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
- #include "k5-int.h"
- #include "kdc_util.h"
- #include "extern.h"
-+#include "policy.h"
-+#include "adm_proto.h"
-+#include <krb5/kdcpolicy_plugin.h>
-+#include <syslog.h>
-
--int
--against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
-- krb5_db_entry server, krb5_timestamp kdc_time,
-- const char **status, krb5_pa_data ***e_data)
-+typedef struct kdcpolicy_handle_st {
-+ struct krb5_kdcpolicy_vtable_st vt;
-+ krb5_kdcpolicy_moddata moddata;
-+} *kdcpolicy_handle;
-+
-+static kdcpolicy_handle *handles;
-+
-+static void
-+free_indicators(char **ais)
- {
--#if 0
-- /* An AS request must include the addresses field */
-- if (request->addresses == 0) {
-- *status = "NO ADDRESS";
-- return KRB5KDC_ERR_POLICY;
-- }
--#endif
-+ size_t i;
-
-- return 0; /* not against policy */
-+ if (ais == NULL)
-+ return;
-+ for (i = 0; ais[i] != NULL; i++)
-+ free(ais[i]);
-+ free(ais);
-+}
-+
-+/* Convert inds to a null-terminated list of C strings. */
-+static krb5_error_code
-+authind_strings(krb5_data *const *inds, char ***strs_out)
-+{
-+ krb5_error_code ret;
-+ char **list = NULL;
-+ size_t i, count;
-+
-+ *strs_out = NULL;
-+
-+ for (count = 0; inds != NULL && inds[count] != NULL; count++);
-+ list = k5calloc(count + 1, sizeof(*list), &ret);
-+ if (list == NULL)
-+ goto error;
-+
-+ for (i = 0; i < count; i++) {
-+ list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
-+ if (list[i] == NULL)
-+ goto error;
-+ }
-+
-+ *strs_out = list;
-+ return 0;
-+
-+error:
-+ free_indicators(list);
-+ return ret;
-+}
-+
-+/* Constrain times->endtime to life and times->renew_till to rlife, relative to
-+ * now. */
-+static void
-+update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
-+ krb5_deltat life, krb5_deltat rlife)
-+{
-+ if (life)
-+ times->endtime = ts_min(ts_incr(now, life), times->endtime);
-+ if (rlife)
-+ times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
-+}
-+
-+/* Check an AS request against kdcpolicy modules, updating times with any
-+ * module endtime constraints. Set an appropriate status string on error. */
-+krb5_error_code
-+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *client, const krb5_db_entry *server,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status)
-+{
-+ krb5_deltat life, rlife;
-+ krb5_error_code ret;
-+ kdcpolicy_handle *hp, h;
-+ char **ais = NULL;
-+
-+ *status = NULL;
-+
-+ ret = authind_strings(auth_indicators, &ais);
-+ if (ret)
-+ goto done;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.check_as == NULL)
-+ continue;
-+
-+ ret = h->vt.check_as(context, h->moddata, request, client, server,
-+ (const char **)ais, status, &life, &rlife);
-+ if (ret)
-+ goto done;
-+
-+ update_ticket_times(times, kdc_time, life, rlife);
-+ }
-+
-+done:
-+ free_indicators(ais);
-+ return ret;
- }
-
- /*
-- * This is where local policy restrictions for the TGS should placed.
-+ * Check the TGS request against the local TGS policy. Accepts an
-+ * authentication indicator for the module policy decisions. Returns 0 and a
-+ * NULL status string on success.
- */
- krb5_error_code
--against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
-- krb5_ticket *ticket, const char **status,
-- krb5_pa_data ***e_data)
-+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *server, const krb5_ticket *ticket,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status)
- {
--#if 0
-- /*
-- * For example, if your site wants to disallow ticket forwarding,
-- * you might do something like this:
-- */
-+ krb5_deltat life, rlife;
-+ krb5_error_code ret;
-+ kdcpolicy_handle *hp, h;
-+ char **ais = NULL;
-
-- if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
-- *status = "FORWARD POLICY";
-- return KRB5KDC_ERR_POLICY;
-+ *status = NULL;
-+
-+ ret = authind_strings(auth_indicators, &ais);
-+ if (ret)
-+ goto done;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.check_tgs == NULL)
-+ continue;
-+
-+ ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
-+ (const char **)ais, status, &life, &rlife);
-+ if (ret)
-+ goto done;
-+
-+ update_ticket_times(times, kdc_time, life, rlife);
- }
--#endif
-
-- return 0; /* not against policy */
-+done:
-+ free_indicators(ais);
-+ return ret;
-+}
-+
-+void
-+unload_kdcpolicy_plugins(krb5_context context)
-+{
-+ kdcpolicy_handle *hp, h;
-+
-+ for (hp = handles; *hp != NULL; hp++) {
-+ h = *hp;
-+ if (h->vt.fini != NULL)
-+ h->vt.fini(context, h->moddata);
-+ free(h);
-+ }
-+ free(handles);
-+ handles = NULL;
-+}
-+
-+krb5_error_code
-+load_kdcpolicy_plugins(krb5_context context)
-+{
-+ krb5_error_code ret;
-+ krb5_plugin_initvt_fn *modules = NULL, *mod;
-+ kdcpolicy_handle h;
-+ size_t count;
-+
-+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
-+ if (ret)
-+ goto cleanup;
-+
-+ for (count = 0; modules[count] != NULL; count++);
-+ handles = k5calloc(count + 1, sizeof(*handles), &ret);
-+ if (handles == NULL)
-+ goto cleanup;
-+
-+ count = 0;
-+ for (mod = modules; *mod != NULL; mod++) {
-+ h = k5calloc(1, sizeof(*h), &ret);
-+ if (h == NULL)
-+ goto cleanup;
-+
-+ ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
-+ if (ret) { /* Version mismatch. */
-+ TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
-+ free(h);
-+ continue;
-+ }
-+ if (h->vt.init != NULL) {
-+ ret = h->vt.init(context, &h->moddata);
-+ if (ret == KRB5_PLUGIN_NO_HANDLE) {
-+ TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
-+ free(h);
-+ continue;
-+ }
-+ if (ret) {
-+ kdc_err(context, ret, _("while loading policy module %s"),
-+ h->vt.name);
-+ free(h);
-+ goto cleanup;
-+ }
-+ }
-+ handles[count++] = h;
-+ }
-+
-+ ret = 0;
-+
-+cleanup:
-+ if (ret)
-+ unload_kdcpolicy_plugins(context);
-+ k5_plugin_free_modules(context, modules);
-+ return ret;
- }
-diff --git a/src/kdc/policy.h b/src/kdc/policy.h
-index 6b000dc90..2a57b0a01 100644
---- a/src/kdc/policy.h
-+++ b/src/kdc/policy.h
-@@ -26,11 +26,22 @@
- #ifndef __KRB5_KDC_POLICY__
- #define __KRB5_KDC_POLICY__
-
--extern int against_postdate_policy (krb5_timestamp);
-+krb5_error_code
-+load_kdcpolicy_plugins(krb5_context context);
-
--extern int against_flag_policy_as (const krb5_kdc_req *);
-+void
-+unload_kdcpolicy_plugins(krb5_context context);
-
--extern int against_flag_policy_tgs (const krb5_kdc_req *,
-- const krb5_ticket *);
-+krb5_error_code
-+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *client, const krb5_db_entry *server,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status);
-+
-+krb5_error_code
-+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
-+ const krb5_db_entry *server, const krb5_ticket *ticket,
-+ krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
-+ krb5_ticket_times *times, const char **status);
-
- #endif /* __KRB5_KDC_POLICY__ */
-diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
-index d0f25d1b7..33cfbcd81 100644
---- a/src/kdc/tgs_policy.c
-+++ b/src/kdc/tgs_policy.c
-@@ -375,11 +375,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm,
- if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP)
- return errcode_to_protocol(ret);
-
-- /* Check local policy. */
-- errcode = against_local_policy_tgs(request, server, ticket,
-- status, e_data);
-- if (errcode)
-- return errcode;
--
- return 0;
- }
-diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
-index 17dd6bd30..31aaf661d 100644
---- a/src/lib/krb5/krb/plugin.c
-+++ b/src/lib/krb5/krb/plugin.c
-@@ -58,7 +58,9 @@ const char *interface_names[] = {
- "audit",
- "tls",
- "kdcauthdata",
-- "certauth"
-+ "certauth",
-+ "kadm5_auth",
-+ "kdcpolicy",
- };
-
- /* Return the context's interface structure for id, or NULL if invalid. */
-diff --git a/src/plugins/kdcpolicy/test/Makefile.in b/src/plugins/kdcpolicy/test/Makefile.in
-new file mode 100644
-index 000000000..b81f1a7ce
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/Makefile.in
-@@ -0,0 +1,20 @@
-+mydir=plugins$(S)policy$(S)test
-+BUILDTOP=$(REL)..$(S)..$(S)..
-+
-+LIBBASE=policy_test
-+LIBMAJOR=0
-+LIBMINOR=0
-+RELDIR=../plugins/kdcpolicy/test
-+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
-+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
-+
-+STLIBOBJS=main.o
-+
-+SRCS=$(srcdir)/main.c
-+
-+all-unix: all-libs
-+install-unix:
-+clean-unix:: clean-libs clean-libobjs
-+
-+@libnover_frag@
-+@libobj_frag@
-diff --git a/src/plugins/kdcpolicy/test/deps b/src/plugins/kdcpolicy/test/deps
-new file mode 100644
-index 000000000..e69de29bb
-diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
-new file mode 100644
-index 000000000..eb8fde053
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/main.c
-@@ -0,0 +1,111 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+#include "kdb.h"
-+#include <krb5/kdcpolicy_plugin.h>
-+
-+static krb5_error_code
-+output_from_indicator(const char *const *auth_indicators,
-+ krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out,
-+ const char **status)
-+{
-+ if (auth_indicators[0] == NULL) {
-+ *status = NULL;
-+ return 0;
-+ }
-+
-+ if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
-+ *lifetime_out = 3600;
-+ *renew_lifetime_out = *lifetime_out * 2;
-+ return 0;
-+ } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
-+ *lifetime_out = 7 * 3600;
-+ *renew_lifetime_out = *lifetime_out * 2;
-+ return 0;
-+ }
-+
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+}
-+
-+static krb5_error_code
-+test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request, const krb5_db_entry *client,
-+ const krb5_db_entry *server, const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out)
-+{
-+ if (request->client != NULL && request->client->length >= 1 &&
-+ data_eq_string(request->client->data[0], "fail")) {
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ return output_from_indicator(auth_indicators, lifetime_out,
-+ renew_lifetime_out, status);
-+}
-+
-+static krb5_error_code
-+test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
-+ const krb5_kdc_req *request, const krb5_db_entry *server,
-+ const krb5_ticket *ticket, const char *const *auth_indicators,
-+ const char **status, krb5_deltat *lifetime_out,
-+ krb5_deltat *renew_lifetime_out)
-+{
-+ if (request->server != NULL && request->server->length >= 1 &&
-+ data_eq_string(request->server->data[0], "fail")) {
-+ *status = "LOCAL_POLICY";
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ return output_from_indicator(auth_indicators, lifetime_out,
-+ renew_lifetime_out, status);
-+}
-+
-+krb5_error_code
-+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable);
-+krb5_error_code
-+kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_kdcpolicy_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+
-+ vt = (krb5_kdcpolicy_vtable)vtable;
-+ vt->name = "test";
-+ vt->check_as = test_check_as;
-+ vt->check_tgs = test_check_tgs;
-+ return 0;
-+}
-diff --git a/src/plugins/kdcpolicy/test/policy_test.exports b/src/plugins/kdcpolicy/test/policy_test.exports
-new file mode 100644
-index 000000000..9682ec74f
---- /dev/null
-+++ b/src/plugins/kdcpolicy/test/policy_test.exports
-@@ -0,0 +1 @@
-+kdcpolicy_test_initvt
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index 2b3112537..a2093108b 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -169,6 +169,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
-
- clean:
- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
-new file mode 100644
-index 000000000..6a745b959
---- /dev/null
-+++ b/src/tests/t_kdcpolicy.py
-@@ -0,0 +1,57 @@
-+#!/usr/bin/python
-+from k5test import *
-+from datetime import datetime
-+import re
-+
-+testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so')
-+testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test',
-+ 'policy_test.so')
-+krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth},
-+ 'clpreauth': {'module': 'test:' + testpreauth},
-+ 'kdcpolicy': {'module': 'test:' + testpolicy}}}
-+kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth',
-+ 'max_renewable_life': '1d'}}}
-+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf)
-+
-+realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
-+
-+def verify_time(out, target_time):
-+ times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
-+ times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
-+ while len(times) > 0:
-+ starttime = times.pop(0)
-+ endtime = times.pop(0)
-+ renewtime = times.pop(0)
-+
-+ if str(endtime - starttime) != target_time:
-+ fail('unexpected lifetime value')
-+ if str(renewtime - endtime) != target_time:
-+ fail('unexpected renewable value')
-+
-+rflags = ['-r', '1d', '-l', '12h']
-+
-+# Test AS+TGS success path.
-+realm.kinit(realm.user_princ, password('user'),
-+ rflags + ['-X', 'indicators=SEVEN_HOURS'])
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
-+out = realm.run([klist, realm.ccache, '-e'])
-+verify_time(out, '7:00:00')
-+
-+# Test AS+TGS success path with different values.
-+realm.kinit(realm.user_princ, password('user'),
-+ rflags + ['-X', 'indicators=ONE_HOUR'])
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
-+out = realm.run([klist, realm.ccache, '-e'])
-+verify_time(out, '1:00:00')
-+
-+# Test TGS failure path (using previous creds).
-+realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1,
-+ expected_msg='KDC policy rejects request')
-+
-+# Test AS failure path.
-+realm.kinit('fail@%s' % realm.realm, password('fail'),
-+ expected_code=1, expected_msg='KDC policy rejects request')
-+
-+success('kdcpolicy tests')
diff --git a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
deleted file mode 100644
index 94370dc..0000000
--- a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 6ce3a9416ee73fee41d0190e3fd0fde0a097c774 Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Fri, 9 Dec 2016 11:43:27 -0500
-Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
-
-[ghudson@mit.edu: simplify and explain tests; add test for
-id-pkinit-san match against canonicalized client principal]
-
-ticket: 8528
-(cherry picked from commit d520fd3f032121b61b22681838af96ee505fe44d)
----
- src/tests/t_pkinit.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 57 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 526473b42..ac4d326b6 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -23,6 +23,9 @@ privkey_pem = os.path.join(certs, 'privkey.pem')
- privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem')
- user_p12 = os.path.join(certs, 'user.p12')
- user_enc_p12 = os.path.join(certs, 'user-enc.p12')
-+user_upn_p12 = os.path.join(certs, 'user-upn.p12')
-+user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
-+user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
- path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
- path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
-
-@@ -36,6 +39,20 @@ pkinit_kdc_conf = {'realms': {'$realm': {
- restrictive_kdc_conf = {'realms': {'$realm': {
- 'restrict_anonymous_to_tgt': 'true' }}}
-
-+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
-+ 'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
-+ 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}}
-+alias_kdc_conf = {'realms': {'$realm': {
-+ 'default_principal_flags': '+preauth',
-+ 'pkinit_eku_checking': 'none',
-+ 'pkinit_allow_upn': 'true',
-+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
-+ 'database_module': 'test'}},
-+ 'dbmodules': {'test': {
-+ 'db_library': 'test',
-+ 'alias': {'user@krbtest.com': 'user'},
-+ 'princs': testprincs}}}
-+
- file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
- file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem)
- dir_identity = 'DIR:%s' % path
-@@ -45,11 +62,51 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'),
- dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'),
- os.path.join(path_enc, 'user.key'))
- p12_identity = 'PKCS12:%s' % user_p12
-+p12_upn_identity = 'PKCS12:%s' % user_upn_p12
-+p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
-+p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
- p12_enc_identity = 'PKCS12:%s' % user_enc_p12
- p11_identity = 'PKCS11:soft-pkcs11.so'
- p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
-
-+# Start a realm with the test kdb module for the following UPN SAN tests.
-+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
-+ create_kdb=False)
-+realm.start_kdc()
-+
-+# Compatibility check: cert contains UPN "user", which matches the
-+# request principal user@KRBTEST.COM if parsed as a normal principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity])
-+
-+# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches
-+# the request principal user@KRBTEST.COM if parsed as a normal principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity])
-+
-+# Cert contains UPN "user@krbtest.com" which is aliased to the request
-+# principal.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_upn_identity])
-+
-+# Test an id-pkinit-san match to a post-canonical principal.
-+realm.kinit('user@krbtest.com',
-+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity])
-+
-+# Test a UPN match to a post-canonical principal. (This only works
-+# for the cert with the UPN containing just "user", as we don't allow
-+# UPN reparsing when comparing to the canonicalized client principal.)
-+realm.kinit('user@krbtest.com',
-+ flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
-+
-+# Test a mismatch.
-+out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
-+ 'user2'], expected_code=1)
-+if 'kinit: Client name mismatch while getting initial credentials' not in out:
-+ fail('Wrong error for UPN SAN mismatch')
-+realm.stop()
-+
- realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
- get_creds=False)
-
diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch
deleted file mode 100644
index e77dd5f..0000000
--- a/Add-PKINIT-test-case-for-generic-client-cert.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From e267849bcc3813989470c03565b22d25c71af91e Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Aug 2017 12:39:14 -0400
-Subject: [PATCH] Add PKINIT test case for generic client cert
-
-In t_pkinit.py, add a test case where a client cert with no extensions
-is authorized via subject and issuer using a pkinit_cert_match string
-attribute.
-
-ticket: 8562
-(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898)
-[rharwood@redhat.com: backport around dbmatch module]
----
- src/tests/t_pkinit.py | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index e943f4974..fa5c5199e 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12')
- user_upn_p12 = os.path.join(certs, 'user-upn.p12')
- user_upn2_p12 = os.path.join(certs, 'user-upn2.p12')
- user_upn3_p12 = os.path.join(certs, 'user-upn3.p12')
-+generic_p12 = os.path.join(certs, 'generic.p12')
- path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs')
- path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc')
-
-@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12
- p12_upn_identity = 'PKCS12:%s' % user_upn_p12
- p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
- p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
-+p12_generic_identity = 'PKCS12:%s' % generic_p12
- p12_enc_identity = 'PKCS12:%s' % user_enc_p12
- p11_identity = 'PKCS11:soft-pkcs11.so'
- p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
-@@ -284,6 +286,14 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity,
- realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
-
-+# Authorize a client cert with no PKINIT extensions using subject and
-+# issuer. (Relies on EKU checking being turned off.)
-+rule = '&&<SUBJECT>CN=user$<ISSUER>O=MIT,'
-+realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule])
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity])
-+realm.klist(realm.user_princ)
-+
- if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
diff --git a/Add-certauth-pluggable-interface.patch b/Add-certauth-pluggable-interface.patch
deleted file mode 100644
index a9adc3e..0000000
--- a/Add-certauth-pluggable-interface.patch
+++ /dev/null
@@ -1,1146 +0,0 @@
-From 43418f21de72060932661242126fe611b6b17d84 Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Tue, 28 Feb 2017 15:55:24 -0500
-Subject: [PATCH] Add certauth pluggable interface
-
-Add the header include/krb5/certauth_plugin.h, defining a pluggable
-interface to control authorization of PKINIT client certificates.
-
-Add the "pkinit_san" and "pkinit_eku" builtin certauth modules and
-related PKINIT crypto X.509 helper functions. Add authorize_cert() as
-the entry function for certauth plugin module checks called in
-pkinit_server_verify_padata(). Modify kdcpreauth_moddata to hold the
-list of certauth module handles, and load the modules when the PKINIT
-kdcpreauth server plugin is initialized. Change
-crypto_retrieve_X509_sans() to return ENOENT when no SAN is found.
-
-Add test modules in plugins/certauth/test. Create t_certauth.py with
-basic certauth tests. Add plugin interface documentation in
-doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
-
-[ghudson@mit.edu: simplified code, edited docs]
-
-ticket: 8561 (new)
-(cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57)
----
- doc/admin/conf_files/krb5_conf.rst | 21 ++
- doc/plugindev/certauth.rst | 27 ++
- doc/plugindev/index.rst | 1 +
- src/Makefile.in | 1 +
- src/configure.in | 1 +
- src/include/Makefile.in | 1 +
- src/include/k5-int.h | 3 +-
- src/include/krb5/certauth_plugin.h | 103 +++++++
- src/lib/krb5/krb/plugin.c | 3 +-
- src/plugins/certauth/test/Makefile.in | 20 ++
- src/plugins/certauth/test/certauth_test.exports | 2 +
- src/plugins/certauth/test/deps | 14 +
- src/plugins/certauth/test/main.c | 209 +++++++++++++
- src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++
- src/plugins/preauth/pkinit/pkinit_srv.c | 335 ++++++++++++++++++---
- src/plugins/preauth/pkinit/pkinit_trace.h | 5 +
- src/tests/Makefile.in | 1 +
- src/tests/t_certauth.py | 47 +++
- 19 files changed, 786 insertions(+), 42 deletions(-)
- create mode 100644 doc/plugindev/certauth.rst
- create mode 100644 src/include/krb5/certauth_plugin.h
- create mode 100644 src/plugins/certauth/test/Makefile.in
- create mode 100644 src/plugins/certauth/test/certauth_test.exports
- create mode 100644 src/plugins/certauth/test/deps
- create mode 100644 src/plugins/certauth/test/main.c
- create mode 100644 src/tests/t_certauth.py
-
-diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 02a935961..1d9bc9e34 100644
---- a/doc/admin/conf_files/krb5_conf.rst
-+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -859,6 +859,27 @@ built-in modules exist for this interface:
- This module authorizes a principal to a local account if the
- principal name maps to the local account name.
-
-+.. _certauth:
-+
-+certauth interface
-+##################
-+
-+The certauth section (introduced in release 1.16) controls modules for
-+the certificate authorization interface, which determines whether a
-+certificate is allowed to preauthenticate a user via PKINIT. The
-+following built-in modules exist for this interface:
-+
-+**pkinit_san**
-+ This module authorizes the certificate if it contains a PKINIT
-+ Subject Alternative Name for the requested client principal, or a
-+ Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
-+ is set to true for the realm.
-+
-+**pkinit_eku**
-+ This module rejects the certificate if it does not contain an
-+ Extended Key Usage attribute consistent with the
-+ **pkinit_eku_checking** value for the realm.
-+
-
- PKINIT options
- --------------
-diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
-new file mode 100644
-index 000000000..8a7f7c5eb
---- /dev/null
-+++ b/doc/plugindev/certauth.rst
-@@ -0,0 +1,27 @@
-+.. _certauth_plugin:
-+
-+PKINIT certificate authorization interface (certauth)
-+=====================================================
-+
-+The certauth interface was first introduced in release 1.16. It
-+allows customization of the X.509 certificate attribute requirements
-+placed on certificates used by PKINIT enabled clients. For a detailed
-+description of the certauth interface, see the header file
-+``<krb5/certauth_plugin.h>``
-+
-+A certauth module implements the **authorize** method to determine
-+whether a client's certificate is authorized to authenticate a client
-+principal. **authorize** receives the DER-encoded certificate, the
-+requested client principal, and a pointer to the client's
-+krb5_db_entry (for modules that link against libkdb5). It returns the
-+authorization status and optionally outputs a list of authentication
-+indicator strings to be added to the ticket. A module must use its
-+own internal or library-provided ASN.1 certificate decoder.
-+
-+A module can optionally create and destroy module data with the
-+**init** and **fini** methods. Module data objects last for the
-+lifetime of the KDC process.
-+
-+If a module allocates and returns a list of authentication indicators
-+from **authorize**, it must also implement the **free_ind** method
-+to free the list.
-diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst
-index 3fb921778..67dbc2790 100644
---- a/doc/plugindev/index.rst
-+++ b/doc/plugindev/index.rst
-@@ -31,5 +31,6 @@ Contents
- profile.rst
- gssapi.rst
- internal.rst
-+ certauth.rst
-
- .. TODO: GSSAPI mechanism plugins
-diff --git a/src/Makefile.in b/src/Makefile.in
-index 2ebf2fb4d..b0249778c 100644
---- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -17,6 +17,7 @@ SUBDIRS=util include lib \
- plugins/pwqual/test \
- plugins/authdata/greet_server \
- plugins/authdata/greet_client \
-+ plugins/certauth/test \
- plugins/kdb/db2 \
- @ldap_plugin_dir@ \
- plugins/kdb/test \
-diff --git a/src/configure.in b/src/configure.in
-index acf3a458b..24f653f0d 100644
---- a/src/configure.in
-+++ b/src/configure.in
-@@ -1451,6 +1451,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
-
- kdc slave config-files build-tools man doc include
-
-+ plugins/certauth/test
- plugins/hostrealm/test
- plugins/localauth/test
- plugins/kadm5_hook/test
-diff --git a/src/include/Makefile.in b/src/include/Makefile.in
-index f5b921833..0239338a1 100644
---- a/src/include/Makefile.in
-+++ b/src/include/Makefile.in
-@@ -140,6 +140,7 @@ install-headers-unix install: krb5/krb5.h profile.h
- $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h
- $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h
- $(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h
-+ $(INSTALL_DATA) $(srcdir)/krb5/certauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)certauth_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h
- $(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 173cb0264..cea644d0a 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -1156,7 +1156,8 @@ struct plugin_interface {
- #define PLUGIN_INTERFACE_AUDIT 7
- #define PLUGIN_INTERFACE_TLS 8
- #define PLUGIN_INTERFACE_KDCAUTHDATA 9
--#define PLUGIN_NUM_INTERFACES 10
-+#define PLUGIN_INTERFACE_CERTAUTH 10
-+#define PLUGIN_NUM_INTERFACES 11
-
- /* Retrieve the plugin module of type interface_id and name modname,
- * storing the result into module. */
-diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
-new file mode 100644
-index 000000000..f22fc1e84
---- /dev/null
-+++ b/src/include/krb5/certauth_plugin.h
-@@ -0,0 +1,103 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* include/krb5/certauth_plugin.h - certauth plugin header. */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * Certificate authorization plugin interface. The PKINIT server module uses
-+ * this interface to check client certificate attributes after the certificate
-+ * signature has been verified.
-+ */
-+#ifndef KRB5_CERTAUTH_PLUGIN_H
-+#define KRB5_CERTAUTH_PLUGIN_H
-+
-+#include <krb5/krb5.h>
-+#include <krb5/plugin.h>
-+
-+/* Abstract module data type. */
-+typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata;
-+
-+typedef struct _krb5_db_entry_new krb5_db_entry;
-+
-+/*
-+ * Optional: Initialize module data.
-+ */
-+typedef krb5_error_code
-+(*krb5_certauth_init_fn)(krb5_context context,
-+ krb5_certauth_moddata *moddata_out);
-+
-+/*
-+ * Optional: Clean up the module data.
-+ */
-+typedef void
-+(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);
-+
-+/*
-+ * Mandatory:
-+ * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by
-+ * princ; otherwise return one of the following error codes:
-+ * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
-+ * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
-+ * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
-+ * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
-+ *
-+ * - opts is used by built-in modules to receive internal data, and must be
-+ * ignored by other modules.
-+ * - db_entry receives the client principal database entry, and can be ignored
-+ * by modules that do not link with libkdb5.
-+ * - *authinds_out optionally returns a null-terminated list of authentication
-+ * indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization.
-+ */
-+typedef krb5_error_code
-+(*krb5_certauth_authorize_fn)(krb5_context context,
-+ krb5_certauth_moddata moddata,
-+ const uint8_t *cert, size_t cert_len,
-+ krb5_const_principal princ, const void *opts,
-+ const krb5_db_entry *db_entry,
-+ char ***authinds_out);
-+
-+/*
-+ * Free indicators allocated by a module. Mandatory if authorize returns
-+ * authentication indicators.
-+ */
-+typedef void
-+(*krb5_certauth_free_indicator_fn)(krb5_context context,
-+ krb5_certauth_moddata moddata,
-+ char **authinds);
-+
-+typedef struct krb5_certauth_vtable_st {
-+ char *name;
-+ krb5_certauth_init_fn init;
-+ krb5_certauth_fini_fn fini;
-+ krb5_certauth_authorize_fn authorize;
-+ krb5_certauth_free_indicator_fn free_ind;
-+} *krb5_certauth_vtable;
-+
-+#endif /* KRB5_CERTAUTH_PLUGIN_H */
-diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
-index 7d64b7c7e..17dd6bd30 100644
---- a/src/lib/krb5/krb/plugin.c
-+++ b/src/lib/krb5/krb/plugin.c
-@@ -57,7 +57,8 @@ const char *interface_names[] = {
- "hostrealm",
- "audit",
- "tls",
-- "kdcauthdata"
-+ "kdcauthdata",
-+ "certauth"
- };
-
- /* Return the context's interface structure for id, or NULL if invalid. */
-diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in
-new file mode 100644
-index 000000000..d3524084c
---- /dev/null
-+++ b/src/plugins/certauth/test/Makefile.in
-@@ -0,0 +1,20 @@
-+mydir=plugins$(S)certauth$(S)test
-+BUILDTOP=$(REL)..$(S)..$(S)..
-+
-+LIBBASE=certauth_test
-+LIBMAJOR=0
-+LIBMINOR=0
-+RELDIR=../plugins/certauth/test
-+SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
-+SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
-+
-+STLIBOBJS=main.o
-+
-+SRCS=$(srcdir)/main.c
-+
-+all-unix: all-libs
-+install-unix:
-+clean-unix:: clean-libs clean-libobjs
-+
-+@libnover_frag@
-+@libobj_frag@
-diff --git a/src/plugins/certauth/test/certauth_test.exports b/src/plugins/certauth/test/certauth_test.exports
-new file mode 100644
-index 000000000..1c8cd24e2
---- /dev/null
-+++ b/src/plugins/certauth/test/certauth_test.exports
-@@ -0,0 +1,2 @@
-+certauth_test1_initvt
-+certauth_test2_initvt
-diff --git a/src/plugins/certauth/test/deps b/src/plugins/certauth/test/deps
-new file mode 100644
-index 000000000..2974b3b57
---- /dev/null
-+++ b/src/plugins/certauth/test/deps
-@@ -0,0 +1,14 @@
-+#
-+# Generated makefile dependencies follow.
-+#
-+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
-+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-+ $(top_srcdir)/include/krb5/certauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-+ main.c
-diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
-new file mode 100644
-index 000000000..7ef7377fb
---- /dev/null
-+++ b/src/plugins/certauth/test/main.c
-@@ -0,0 +1,209 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* plugins/certauth/main.c - certauth plugin test modules. */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include <k5-int.h>
-+#include "krb5/certauth_plugin.h"
-+
-+struct krb5_certauth_moddata_st {
-+ int initialized;
-+};
-+
-+/* Test module 1 returns OK with an indicator. */
-+static krb5_error_code
-+test1_authorize(krb5_context context, krb5_certauth_moddata moddata,
-+ const uint8_t *cert, size_t cert_len,
-+ krb5_const_principal princ, const void *opts,
-+ const krb5_db_entry *db_entry, char ***authinds_out)
-+{
-+ char **ais = NULL;
-+
-+ ais = calloc(2, sizeof(*ais));
-+ assert(ais != NULL);
-+ ais[0] = strdup("test1");
-+ assert(ais[0] != NULL);
-+ *authinds_out = ais;
-+ return KRB5_PLUGIN_NO_HANDLE;
-+}
-+
-+static void
-+test_free_ind(krb5_context context, krb5_certauth_moddata moddata,
-+ char **authinds)
-+{
-+ size_t i;
-+
-+ if (authinds == NULL)
-+ return;
-+ for (i = 0; authinds[i] != NULL; i++)
-+ free(authinds[i]);
-+ free(authinds);
-+}
-+
-+/* A basic moddata test. */
-+static krb5_error_code
-+test2_init(krb5_context context, krb5_certauth_moddata *moddata_out)
-+{
-+ krb5_certauth_moddata mod;
-+
-+ mod = calloc(1, sizeof(*mod));
-+ assert(mod != NULL);
-+ mod->initialized = 1;
-+ *moddata_out = mod;
-+ return 0;
-+}
-+
-+static void
-+test2_fini(krb5_context context, krb5_certauth_moddata moddata)
-+{
-+ free(moddata);
-+}
-+
-+/* Return true if cert appears to contain the CN name, based on a search of the
-+ * DER encoding. */
-+static krb5_boolean
-+has_cn(krb5_context context, const uint8_t *cert, size_t cert_len,
-+ const char *name)
-+{
-+ krb5_boolean match = FALSE;
-+ uint8_t name_len, cntag[5] = "\x06\x03\x55\x04\x03";
-+ const uint8_t *c;
-+ struct k5buf buf;
-+ size_t c_left;
-+
-+ /* Construct a DER search string of the CN AttributeType encoding followed
-+ * by a UTF8String encoding containing name as the AttributeValue. */
-+ k5_buf_init_dynamic(&buf);
-+ k5_buf_add_len(&buf, cntag, sizeof(cntag));
-+ k5_buf_add(&buf, "\x0C");
-+ assert(strlen(name) < 128);
-+ name_len = strlen(name);
-+ k5_buf_add_len(&buf, &name_len, 1);
-+ k5_buf_add_len(&buf, name, name_len);
-+ assert(k5_buf_status(&buf) == 0);
-+
-+ /* Check for the CN needle in the certificate haystack. */
-+ c_left = cert_len;
-+ c = memchr(cert, *cntag, c_left);
-+ while (c != NULL) {
-+ c_left = cert_len - (c - cert);
-+ if (buf.len > c_left)
-+ break;
-+ if (memcmp(c, buf.data, buf.len) == 0) {
-+ match = TRUE;
-+ break;
-+ }
-+ assert(c_left >= 1);
-+ c = memchr(c + 1, *cntag, c_left - 1);
-+ }
-+
-+ k5_buf_free(&buf);
-+ return match;
-+}
-+
-+/*
-+ * Test module 2 returns OK if princ matches the CN part of the subject name,
-+ * and returns indicators of the module name and princ.
-+ */
-+static krb5_error_code
-+test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
-+ const uint8_t *cert, size_t cert_len,
-+ krb5_const_principal princ, const void *opts,
-+ const krb5_db_entry *db_entry, char ***authinds_out)
-+{
-+ krb5_error_code ret;
-+ char *name = NULL, **ais = NULL;
-+
-+ *authinds_out = NULL;
-+
-+ assert(moddata != NULL && moddata->initialized);
-+
-+ ret = krb5_unparse_name_flags(context, princ,
-+ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
-+ if (ret)
-+ goto cleanup;
-+
-+ if (!has_cn(context, cert, cert_len, name)) {
-+ ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
-+ goto cleanup;
-+ }
-+
-+ /* Create an indicator list with the module name and CN. */
-+ ais = calloc(3, sizeof(*ais));
-+ assert(ais != NULL);
-+ ais[0] = strdup("test2");
-+ ais[1] = strdup(name);
-+ assert(ais[0] != NULL && ais[1] != NULL);
-+ *authinds_out = ais;
-+
-+ ais = NULL;
-+
-+cleanup:
-+ krb5_free_unparsed_name(context, name);
-+ return ret;
-+}
-+
-+krb5_error_code
-+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable);
-+krb5_error_code
-+certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "test1";
-+ vt->authorize = test1_authorize;
-+ vt->free_ind = test_free_ind;
-+ return 0;
-+}
-+
-+krb5_error_code
-+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable);
-+krb5_error_code
-+certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "test2";
-+ vt->authorize = test2_authorize;
-+ vt->init = test2_init;
-+ vt->fini = test2_fini;
-+ vt->free_ind = test_free_ind;
-+ return 0;
-+}
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
-index b483affed..49b96b8ee 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto.h
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
-@@ -664,4 +664,8 @@ extern const size_t krb5_pkinit_sha512_oid_len;
- */
- extern krb5_data const * const supported_kdf_alg_ids[];
-
-+krb5_error_code
-+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
-+ uint8_t **der_out, size_t *der_len);
-+
- #endif /* _PKINIT_CRYPTO_H */
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 8def8c542..a5b010b26 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context,
-
- if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
- pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
-+ retval = ENOENT;
- goto cleanup;
- }
- num_sans = sk_GENERAL_NAME_num(ialt);
-@@ -6176,3 +6177,32 @@ crypto_get_deferred_ids(krb5_context context,
- ret = (const pkinit_deferred_id *)deferred;
- return ret;
- }
-+
-+/* Return the received certificate as DER-encoded data. */
-+krb5_error_code
-+crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
-+ uint8_t **der_out, size_t *der_len)
-+{
-+ int len;
-+ unsigned char *der, *p;
-+
-+ *der_out = NULL;
-+ *der_len = 0;
-+
-+ if (reqctx->received_cert == NULL)
-+ return EINVAL;
-+ p = NULL;
-+ len = i2d_X509(reqctx->received_cert, NULL);
-+ if (len <= 0)
-+ return EINVAL;
-+ p = der = malloc(len);
-+ if (p == NULL)
-+ return ENOMEM;
-+ if (i2d_X509(reqctx->received_cert, &p) <= 0) {
-+ free(p);
-+ return EINVAL;
-+ }
-+ *der_out = der;
-+ *der_len = len;
-+ return 0;
-+}
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index b5638a367..731d14eb8 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -31,6 +31,25 @@
-
- #include <k5-int.h>
- #include "pkinit.h"
-+#include "krb5/certauth_plugin.h"
-+
-+/* Aliases used by the built-in certauth modules */
-+struct certauth_req_opts {
-+ krb5_kdcpreauth_callbacks cb;
-+ krb5_kdcpreauth_rock rock;
-+ pkinit_kdc_context plgctx;
-+ pkinit_kdc_req_context reqctx;
-+};
-+
-+typedef struct certauth_module_handle_st {
-+ struct krb5_certauth_vtable_st vt;
-+ krb5_certauth_moddata moddata;
-+} *certauth_handle;
-+
-+struct krb5_kdcpreauth_moddata_st {
-+ pkinit_kdc_context *realm_contexts;
-+ certauth_handle *certauth_modules;
-+};
-
- static krb5_error_code
- pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
-@@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context,
- krb5_kdcpreauth_moddata moddata,
- krb5_principal princ);
-
-+static void
-+free_realm_contexts(krb5_context context, pkinit_kdc_context *realm_contexts)
-+{
-+ int i;
-+
-+ if (realm_contexts == NULL)
-+ return;
-+ for (i = 0; realm_contexts[i] != NULL; i++)
-+ pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
-+ pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
-+ free(realm_contexts);
-+}
-+
-+static void
-+free_certauth_handles(krb5_context context, certauth_handle *list)
-+{
-+ int i;
-+
-+ if (list == NULL)
-+ return;
-+ for (i = 0; list[i] != NULL; i++) {
-+ if (list[i]->vt.fini != NULL)
-+ list[i]->vt.fini(context, list[i]->moddata);
-+ free(list[i]);
-+ }
-+ free(list);
-+}
-+
- static krb5_error_code
- pkinit_create_edata(krb5_context context,
- pkinit_plg_crypto_context plg_cryptoctx,
-@@ -123,7 +170,7 @@ verify_client_san(krb5_context context,
- pkinit_kdc_req_context reqctx,
- krb5_kdcpreauth_callbacks cb,
- krb5_kdcpreauth_rock rock,
-- krb5_principal client,
-+ krb5_const_principal client,
- int *valid_san)
- {
- krb5_error_code retval;
-@@ -134,12 +181,15 @@ verify_client_san(krb5_context context,
- char *client_string = NULL, *san_string;
- #endif
-
-+ *valid_san = 0;
- retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx,
- reqctx->cryptoctx, plgctx->idctx,
- &princs,
- plgctx->opts->allow_upn ? &upns : NULL,
- NULL);
-- if (retval) {
-+ if (retval == ENOENT) {
-+ goto out;
-+ } else if (retval) {
- pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
- goto out;
-@@ -273,6 +323,73 @@ out:
- return retval;
- }
-
-+
-+/* Run the received, verified certificate through certauth modules, to verify
-+ * that it is authorized to authenticate as client. */
-+static krb5_error_code
-+authorize_cert(krb5_context context, certauth_handle *certauth_modules,
-+ pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx,
-+ krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
-+ krb5_principal client)
-+{
-+ krb5_error_code ret;
-+ certauth_handle h;
-+ struct certauth_req_opts opts;
-+ krb5_boolean accepted = FALSE;
-+ uint8_t *cert;
-+ size_t i, cert_len;
-+ void *db_ent = NULL;
-+ char **ais = NULL, **ai = NULL;
-+
-+ /* Re-encode the received certificate into DER, which is extra work, but
-+ * avoids creating an X.509 library dependency in the interface. */
-+ ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len);
-+ if (ret)
-+ goto cleanup;
-+
-+ /* Set options for the builtin module. */
-+ opts.plgctx = plgctx;
-+ opts.reqctx = reqctx;
-+ opts.cb = cb;
-+ opts.rock = rock;
-+
-+ db_ent = cb->client_entry(context, rock);
-+
-+ /*
-+ * Check the certificate against each certauth module. For the certificate
-+ * to be authorized at least one module must return 0, and no module can an
-+ * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
-+ * modules that return 0 or pass.
-+ */
-+ ret = KRB5_PLUGIN_NO_HANDLE;
-+ for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
-+ h = certauth_modules[i];
-+ ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
-+ &opts, db_ent, &ais);
-+ if (ret == 0)
-+ accepted = TRUE;
-+ else if (ret != KRB5_PLUGIN_NO_HANDLE)
-+ goto cleanup;
-+
-+ if (ais != NULL) {
-+ /* Assert authentication indicators from the module. */
-+ for (ai = ais; *ai != NULL; ai++) {
-+ ret = cb->add_auth_indicator(context, rock, *ai);
-+ if (ret)
-+ goto cleanup;
-+ }
-+ h->vt.free_ind(context, h->moddata, ais);
-+ ais = NULL;
-+ }
-+ }
-+
-+ ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
-+
-+cleanup:
-+ free(cert);
-+ return ret;
-+}
-+
- static void
- pkinit_server_verify_padata(krb5_context context,
- krb5_data *req_pkt,
-@@ -295,7 +412,6 @@ pkinit_server_verify_padata(krb5_context context,
- pkinit_kdc_req_context reqctx = NULL;
- krb5_checksum cksum = {0, 0, 0, NULL};
- krb5_data *der_req = NULL;
-- int valid_eku = 0, valid_san = 0;
- krb5_data k5data;
- int is_signed = 1;
- krb5_pa_data **e_data = NULL;
-@@ -388,27 +504,11 @@ pkinit_server_verify_padata(krb5_context context,
- goto cleanup;
- }
- if (is_signed) {
--
-- retval = verify_client_san(context, plgctx, reqctx, cb, rock,
-- request->client, &valid_san);
-- if (retval)
-- goto cleanup;
-- if (!valid_san) {
-- pkiDebug("%s: did not find an acceptable SAN in user "
-- "certificate\n", __FUNCTION__);
-- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
-- goto cleanup;
-- }
-- retval = verify_client_eku(context, plgctx, reqctx, &valid_eku);
-+ retval = authorize_cert(context, moddata->certauth_modules, plgctx,
-+ reqctx, cb, rock, request->client);
- if (retval)
- goto cleanup;
-
-- if (!valid_eku) {
-- pkiDebug("%s: did not find an acceptable EKU in user "
-- "certificate\n", __FUNCTION__);
-- retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
-- goto cleanup;
-- }
- } else { /* !is_signed */
- if (!krb5_principal_compare(context, request->client,
- krb5_anonymous_principal())) {
-@@ -1245,11 +1345,15 @@ pkinit_find_realm_context(krb5_context context,
- krb5_principal princ)
- {
- int i;
-- pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
-+ pkinit_kdc_context *realm_contexts;
-
- if (moddata == NULL)
- return NULL;
-
-+ realm_contexts = moddata->realm_contexts;
-+ if (realm_contexts == NULL)
-+ return NULL;
-+
- for (i = 0; realm_contexts[i] != NULL; i++) {
- pkinit_kdc_context p = realm_contexts[i];
-
-@@ -1331,6 +1435,155 @@ errout:
- return retval;
- }
-
-+static krb5_error_code
-+pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
-+ const uint8_t *cert, size_t cert_len,
-+ krb5_const_principal princ, const void *opts,
-+ const krb5_db_entry *db_entry, char ***authinds_out)
-+{
-+ krb5_error_code ret;
-+ int valid_san;
-+ const struct certauth_req_opts *req_opts = opts;
-+
-+ *authinds_out = NULL;
-+
-+ ret = verify_client_san(context, req_opts->plgctx, req_opts->reqctx,
-+ req_opts->cb, req_opts->rock, princ, &valid_san);
-+ if (ret == ENOENT)
-+ return KRB5_PLUGIN_NO_HANDLE;
-+ else if (ret)
-+ return ret;
-+
-+ if (!valid_san) {
-+ pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
-+ __FUNCTION__);
-+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
-+ }
-+
-+ return 0;
-+}
-+
-+static krb5_error_code
-+pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
-+ const uint8_t *cert, size_t cert_len,
-+ krb5_const_principal princ, const void *opts,
-+ const krb5_db_entry *db_entry, char ***authinds_out)
-+{
-+ krb5_error_code ret;
-+ int valid_eku;
-+ const struct certauth_req_opts *req_opts = opts;
-+
-+ *authinds_out = NULL;
-+
-+ /* Verify the client EKU. */
-+ ret = verify_client_eku(context, req_opts->plgctx, req_opts->reqctx,
-+ &valid_eku);
-+ if (ret)
-+ return ret;
-+
-+ if (!valid_eku) {
-+ pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
-+ __FUNCTION__);
-+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
-+ }
-+
-+ return 0;
-+}
-+
-+static krb5_error_code
-+certauth_pkinit_san_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "pkinit_san";
-+ vt->authorize = pkinit_san_authorize;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_certauth_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_certauth_vtable)vtable;
-+ vt->name = "pkinit_eku";
-+ vt->authorize = pkinit_eku_authorize;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
-+{
-+ krb5_error_code ret;
-+ krb5_plugin_initvt_fn *modules = NULL, *mod;
-+ certauth_handle *list = NULL, h;
-+ size_t count;
-+
-+ /* Register the builtin modules. */
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
-+ "pkinit_san", certauth_pkinit_san_initvt);
-+ if (ret)
-+ goto cleanup;
-+
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH,
-+ "pkinit_eku", certauth_pkinit_eku_initvt);
-+ if (ret)
-+ goto cleanup;
-+
-+ ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules);
-+ if (ret)
-+ goto cleanup;
-+
-+ /* Allocate handle list. */
-+ for (count = 0; modules[count]; count++);
-+ list = k5calloc(count + 1, sizeof(*list), &ret);
-+ if (list == NULL)
-+ goto cleanup;
-+
-+ /* Initialize each module, ignoring ones that fail. */
-+ count = 0;
-+ for (mod = modules; *mod != NULL; mod++) {
-+ h = k5calloc(1, sizeof(*h), &ret);
-+ if (h == NULL)
-+ goto cleanup;
-+
-+ ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
-+ if (ret) {
-+ TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
-+ free(h);
-+ continue;
-+ }
-+ h->moddata = NULL;
-+ if (h->vt.init != NULL) {
-+ ret = h->vt.init(context, &h->moddata);
-+ if (ret) {
-+ TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
-+ free(h);
-+ continue;
-+ }
-+ }
-+ list[count++] = h;
-+ list[count] = NULL;
-+ }
-+ list[count] = NULL;
-+
-+ ret = 0;
-+ *handle_out = list;
-+ list = NULL;
-+
-+cleanup:
-+ k5_plugin_free_modules(context, modules);
-+ free_certauth_handles(context, list);
-+ return ret;
-+}
-+
- static int
- pkinit_server_plugin_init(krb5_context context,
- krb5_kdcpreauth_moddata *moddata_out,
-@@ -1338,6 +1591,8 @@ pkinit_server_plugin_init(krb5_context context,
- {
- krb5_error_code retval = ENOMEM;
- pkinit_kdc_context plgctx, *realm_contexts = NULL;
-+ certauth_handle *certauth_modules = NULL;
-+ krb5_kdcpreauth_moddata moddata;
- size_t i, j;
- size_t numrealms;
-
-@@ -1368,16 +1623,22 @@ pkinit_server_plugin_init(krb5_context context,
- goto errout;
- }
-
-- *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts;
-- retval = 0;
-- pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts);
-+ retval = load_certauth_plugins(context, &certauth_modules);
-+ if (retval)
-+ goto errout;
-+
-+ moddata = k5calloc(1, sizeof(*moddata), &retval);
-+ if (moddata == NULL)
-+ goto errout;
-+ moddata->realm_contexts = realm_contexts;
-+ moddata->certauth_modules = certauth_modules;
-+ *moddata_out = moddata;
-+ pkiDebug("%s: returning context at %p\n", __FUNCTION__, moddata);
-+ return 0;
-
- errout:
-- if (retval) {
-- pkinit_server_plugin_fini(context,
-- (krb5_kdcpreauth_moddata)realm_contexts);
-- }
--
-+ free_realm_contexts(context, realm_contexts);
-+ free_certauth_handles(context, certauth_modules);
- return retval;
- }
-
-@@ -1405,17 +1666,11 @@ static void
- pkinit_server_plugin_fini(krb5_context context,
- krb5_kdcpreauth_moddata moddata)
- {
-- pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
-- int i;
--
-- if (realm_contexts == NULL)
-+ if (moddata == NULL)
- return;
--
-- for (i = 0; realm_contexts[i] != NULL; i++) {
-- pkinit_server_plugin_fini_realm(context, realm_contexts[i]);
-- }
-- pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts);
-- free(realm_contexts);
-+ free_realm_contexts(context, moddata->realm_contexts);
-+ free_certauth_handles(context, moddata->certauth_modules);
-+ free(moddata);
- }
-
- static krb5_error_code
-diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
-index b3f5cbb20..458d0961e 100644
---- a/src/plugins/preauth/pkinit/pkinit_trace.h
-+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
-@@ -91,4 +91,9 @@
- #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
- TRACE(c, "PKINIT OpenSSL error: {str}", msg)
-
-+#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \
-+ TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
-+#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \
-+ TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret)
-+
- #endif /* PKINIT_TRACE_H */
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index b55469146..0e93d6b59 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -167,6 +167,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
-
- clean:
- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
-new file mode 100644
-index 000000000..e64a57b0d
---- /dev/null
-+++ b/src/tests/t_certauth.py
-@@ -0,0 +1,47 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+# Skip this test if pkinit wasn't built.
-+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
-+ skip_rest('certauth tests', 'PKINIT module not built')
-+
-+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
-+ca_pem = os.path.join(certs, 'ca.pem')
-+kdc_pem = os.path.join(certs, 'kdc.pem')
-+privkey_pem = os.path.join(certs, 'privkey.pem')
-+user_pem = os.path.join(certs, 'user.pem')
-+
-+modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test',
-+ 'certauth_test.so')
-+pkinit_krb5_conf = {'realms': {'$realm': {
-+ 'pkinit_anchors': 'FILE:%s' % ca_pem}},
-+ 'plugins': {'certauth': {'module': ['test1:' + modpath,
-+ 'test2:' + modpath],
-+ 'enable_only': ['test1', 'test2']}}}
-+pkinit_kdc_conf = {'realms': {'$realm': {
-+ 'default_principal_flags': '+preauth',
-+ 'pkinit_eku_checking': 'none',
-+ 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem),
-+ 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}}
-+
-+file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem)
-+
-+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-+ get_creds=False)
-+
-+# Let the test module match user to CN=user, with indicators.
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % file_identity])
-+realm.klist(realm.user_princ)
-+realm.run([kvno, realm.host_princ])
-+realm.run(['./adata', realm.host_princ],
-+ expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]')
-+
-+# Let the test module mismatch with user2 to CN=user.
-+realm.addprinc("user2@KRBTEST.COM")
-+out = realm.kinit("user2@KRBTEST.COM",
-+ flags=['-X', 'X509_user_identity=%s' % file_identity],
-+ expected_code=1,
-+ expected_msg='kinit: Certificate mismatch')
-+
-+success("certauth tests")
diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch
deleted file mode 100644
index b56b8d3..0000000
--- a/Add-hostname-based-ccselect-module.patch
+++ /dev/null
@@ -1,293 +0,0 @@
-From 632575ab12fc5d6c9bdc83cb8200fb8f4f422b83 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 23 Aug 2017 17:25:17 -0400
-Subject: [PATCH] Add hostname-based ccselect module
-
-The hostname module selects the ccache whose realm is the longest
-parent domain tail of the uppercase server hostname.
-
-[ghudson@mit.edu: minor edits]
-
-ticket: 8613 (new)
-(cherry picked from commit a4ddc6cf576b4155e6b994307902567f26f752b2)
----
- doc/admin/conf_files/krb5_conf.rst | 4 +
- src/lib/krb5/ccache/Makefile.in | 3 +
- src/lib/krb5/ccache/cc-int.h | 4 +
- src/lib/krb5/ccache/ccselect.c | 5 ++
- src/lib/krb5/ccache/ccselect_hostname.c | 146 ++++++++++++++++++++++++++++++++
- src/tests/gssapi/t_ccselect.py | 9 ++
- 6 files changed, 171 insertions(+)
- create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c
-
-diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
-index 1d9bc9e34..9c1ee94a4 100644
---- a/doc/admin/conf_files/krb5_conf.rst
-+++ b/doc/admin/conf_files/krb5_conf.rst
-@@ -745,6 +745,10 @@ disabled with the disable tag):
- Uses the service realm to guess an appropriate cache from the
- collection
-
-+**hostname**
-+ If the service principal is host-based, uses the service hostname
-+ to guess an appropriate cache from the collection
-+
- .. _pwqual:
-
- pwqual interface
-diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
-index 5ac870728..f84cf793e 100644
---- a/src/lib/krb5/ccache/Makefile.in
-+++ b/src/lib/krb5/ccache/Makefile.in
-@@ -34,6 +34,7 @@ STLIBOBJS= \
- ccdefops.o \
- ccmarshal.o \
- ccselect.o \
-+ ccselect_hostname.o \
- ccselect_k5identity.o \
- ccselect_realm.o \
- cc_dir.o \
-@@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \
- $(OUTPRE)ccdefops.$(OBJEXT) \
- $(OUTPRE)ccmarshal.$(OBJEXT) \
- $(OUTPRE)ccselect.$(OBJEXT) \
-+ $(OUTPRE)ccselect_hostname.$(OBJEXT) \
- $(OUTPRE)ccselect_k5identity.$(OBJEXT) \
- $(OUTPRE)ccselect_realm.$(OBJEXT) \
- $(OUTPRE)cc_dir.$(OBJEXT) \
-@@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \
- $(srcdir)/ccdefops.c \
- $(srcdir)/ccmarshal.c \
- $(srcdir)/ccselect.c \
-+ $(srcdir)/ccselect_hostname.c \
- $(srcdir)/ccselect_k5identity.c \
- $(srcdir)/ccselect_realm.c \
- $(srcdir)/cc_dir.c \
-diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
-index ee9b5e0e9..d920367ce 100644
---- a/src/lib/krb5/ccache/cc-int.h
-+++ b/src/lib/krb5/ccache/cc-int.h
-@@ -123,6 +123,10 @@ k5_cccol_force_unlock(void);
- krb5_error_code
- krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id);
-
-+krb5_error_code
-+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable);
-+
- krb5_error_code
- ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver,
- krb5_plugin_vtable vtable);
-diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
-index ee4b83a9b..393d39733 100644
---- a/src/lib/krb5/ccache/ccselect.c
-+++ b/src/lib/krb5/ccache/ccselect.c
-@@ -71,6 +71,11 @@ load_modules(krb5_context context)
- if (ret != 0)
- goto cleanup;
-
-+ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname",
-+ ccselect_hostname_initvt);
-+ if (ret != 0)
-+ goto cleanup;
-+
- ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules);
- if (ret != 0)
- goto cleanup;
-diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c
-new file mode 100644
-index 000000000..475cfabae
---- /dev/null
-+++ b/src/lib/krb5/ccache/ccselect_hostname.c
-@@ -0,0 +1,146 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */
-+/*
-+ * Copyright (C) 2017 by Red Hat, Inc.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+#include "cc-int.h"
-+#include <ctype.h>
-+#include <krb5/ccselect_plugin.h>
-+
-+/* Swap a and b, using tmp as an intermediate. */
-+#define SWAP(a, b, tmp) \
-+ tmp = a; \
-+ a = b; \
-+ b = tmp;
-+
-+static krb5_error_code
-+hostname_init(krb5_context context, krb5_ccselect_moddata *data_out,
-+ int *priority_out)
-+{
-+ *data_out = NULL;
-+ *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC;
-+ return 0;
-+}
-+
-+static krb5_error_code
-+hostname_choose(krb5_context context, krb5_ccselect_moddata data,
-+ krb5_principal server, krb5_ccache *ccache_out,
-+ krb5_principal *princ_out)
-+{
-+ krb5_error_code ret;
-+ char *p, *host = NULL;
-+ size_t hostlen;
-+ krb5_cccol_cursor col_cursor;
-+ krb5_ccache ccache, tmp_ccache, best_ccache = NULL;
-+ krb5_principal princ, tmp_princ, best_princ = NULL;
-+ krb5_data domain;
-+
-+ *ccache_out = NULL;
-+ *princ_out = NULL;
-+
-+ if (server->type != KRB5_NT_SRV_HST || server->length < 2)
-+ return KRB5_PLUGIN_NO_HANDLE;
-+
-+ /* Compute upper-case hostname. */
-+ hostlen = server->data[1].length;
-+ host = k5memdup0(server->data[1].data, hostlen, &ret);
-+ if (host == NULL)
-+ return ret;
-+ for (p = host; *p != '\0'; p++) {
-+ if (islower(*p))
-+ *p = toupper(*p);
-+ }
-+
-+ /* Scan the collection for a cache with a client principal whose realm is
-+ * the longest tail of the server hostname. */
-+ ret = krb5_cccol_cursor_new(context, &col_cursor);
-+ if (ret)
-+ goto done;
-+
-+ for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache);
-+ ret == 0 && ccache != NULL;
-+ ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) {
-+ ret = krb5_cc_get_principal(context, ccache, &princ);
-+ if (ret) {
-+ krb5_cc_close(context, ccache);
-+ break;
-+ }
-+
-+ /* Check for a longer match than we have. */
-+ domain = make_data(host, hostlen);
-+ while (best_princ == NULL ||
-+ best_princ->realm.length < domain.length) {
-+ if (data_eq(princ->realm, domain)) {
-+ SWAP(best_ccache, ccache, tmp_ccache);
-+ SWAP(best_princ, princ, tmp_princ);
-+ break;
-+ }
-+
-+ /* Try the next parent domain. */
-+ p = memchr(domain.data, '.', domain.length);
-+ if (p == NULL)
-+ break;
-+ domain = make_data(p + 1, hostlen - (p + 1 - host));
-+ }
-+
-+ if (ccache != NULL)
-+ krb5_cc_close(context, ccache);
-+ krb5_free_principal(context, princ);
-+ }
-+
-+ krb5_cccol_cursor_free(context, &col_cursor);
-+
-+ if (best_ccache != NULL) {
-+ *ccache_out = best_ccache;
-+ *princ_out = best_princ;
-+ } else {
-+ ret = KRB5_PLUGIN_NO_HANDLE;
-+ }
-+
-+done:
-+ free(host);
-+ return ret;
-+}
-+
-+krb5_error_code
-+ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver,
-+ krb5_plugin_vtable vtable)
-+{
-+ krb5_ccselect_vtable vt;
-+
-+ if (maj_ver != 1)
-+ return KRB5_PLUGIN_VER_NOTSUPP;
-+ vt = (krb5_ccselect_vtable)vtable;
-+ vt->name = "hostname";
-+ vt->init = hostname_init;
-+ vt->choose = hostname_choose;
-+ return 0;
-+}
-diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
-index 668a2cc62..3503f9269 100755
---- a/src/tests/gssapi/t_ccselect.py
-+++ b/src/tests/gssapi/t_ccselect.py
-@@ -33,6 +33,7 @@ host1 = 'p:' + r1.host_princ
- host2 = 'p:' + r2.host_princ
- foo = 'foo.krbtest.com'
- foo2 = 'foo.krbtest2.com'
-+foobar = "foo.bar.krbtest.com"
-
- # These strings specify the target as a GSS name. The resulting
- # principal will have the host-based type, with the referral realm
-@@ -42,6 +43,7 @@ foo2 = 'foo.krbtest2.com'
- # single component.
- gssserver = 'h:host@' + foo
- gssserver2 = 'h:host@' + foo2
-+gssserver_bar = 'h:host@' + foobar
- gsslocal = 'h:host@localhost'
-
- # refserver specifies the target as a principal in the referral realm.
-@@ -77,10 +79,12 @@ r1.addprinc('host/localhost')
- r2.addprinc('host/localhost')
- r1.addprinc('host/' + foo)
- r2.addprinc('host/' + foo2)
-+r1.addprinc('host/' + foobar)
- r1.extract_keytab('host/localhost', r1.keytab)
- r2.extract_keytab('host/localhost', r2.keytab)
- r1.extract_keytab('host/' + foo, r1.keytab)
- r2.extract_keytab('host/' + foo2, r2.keytab)
-+r1.extract_keytab('host/' + foobar, r1.keytab)
-
- # Get tickets for one user in each realm (zaphod will be primary).
- r1.kinit(alice, password('alice'))
-@@ -128,6 +132,11 @@ output = r2.run(['./t_ccselect', gsslocal])
- if output != (zaphod + '\n'):
- fail('zaphod not chosen via default realm fallback')
-
-+# Check that realm ccselect fallback works correctly
-+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-+r2.kinit(zaphod, password('zaphod'))
-+r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice)
-+
- # Get a second cred in r1 (bob will be primary).
- r1.kinit(bob, password('bob'))
-
diff --git a/Add-k5test-expected_msg-expected_trace.patch b/Add-k5test-expected_msg-expected_trace.patch
deleted file mode 100644
index 16c1012..0000000
--- a/Add-k5test-expected_msg-expected_trace.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 9c6f61e30e11eca5c04daa3f0dce398602ef5801 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 17 Jan 2017 11:24:41 -0500
-Subject: [PATCH] Add k5test expected_msg, expected_trace
-
-In k5test.py, add the optional keyword argument "expected_msg" to
-methods that run commands, to make it easier to look for substrings in
-the command output. Add the optional keyword "expected_trace" to run
-the command with KRB5_TRACE enabled and look for an ordered series of
-substrings in the trace output.
-
-(cherry picked from commit 8bb5fce69a4aa6c3082fa7def66a93974e10e17a)
-[rharwood@redhat.com: Removed .gitignore change]
----
- src/config/post.in | 2 +-
- src/util/k5test.py | 37 ++++++++++++++++++++++++++++++++++---
- 2 files changed, 35 insertions(+), 4 deletions(-)
-
-diff --git a/src/config/post.in b/src/config/post.in
-index 7c7d86dc9..3643abad1 100644
---- a/src/config/post.in
-+++ b/src/config/post.in
-@@ -156,7 +156,7 @@ clean: clean-$(WHAT)
-
- clean-unix::
- $(RM) $(OBJS) $(DEPTARGETS_CLEAN) $(EXTRA_FILES)
-- $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog
-+ $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog testtrace
- -$(RM) -r testdir
-
- clean-windows::
-diff --git a/src/util/k5test.py b/src/util/k5test.py
-index c3d026377..4d30baf40 100644
---- a/src/util/k5test.py
-+++ b/src/util/k5test.py
-@@ -223,8 +223,11 @@ Scripts may use the following realm methods and attributes:
- command-line debugging options. Fail if the command does not return
- 0. Log the command output appropriately, and return it as a single
- multi-line string. Keyword arguments can contain input='string' to
-- send an input string to the command, and expected_code=N to expect a
-- return code other than 0.
-+ send an input string to the command, expected_code=N to expect a
-+ return code other than 0, expected_msg=MSG to expect a substring in
-+ the command output, and expected_trace=('a', 'b', ...) to expect an
-+ ordered series of line substrings in the command's KRB5_TRACE
-+ output.
-
- * realm.kprop_port(): Returns a port number based on realm.portbase
- intended for use by kprop and kpropd.
-@@ -647,10 +650,31 @@ def _stop_or_shell(stop, shell, env, ind):
- subprocess.call(os.getenv('SHELL'), env=env)
-
-
--def _run_cmd(args, env, input=None, expected_code=0):
-+# Read tracefile and look for the expected strings in successive lines.
-+def _check_trace(tracefile, expected):
-+ output('*** Trace output for previous command:\n')
-+ i = 0
-+ with open(tracefile, 'r') as f:
-+ for line in f:
-+ output(line)
-+ if i < len(expected) and expected[i] in line:
-+ i += 1
-+ if i < len(expected):
-+ fail('Expected string not found in trace output: ' + expected[i])
-+
-+
-+def _run_cmd(args, env, input=None, expected_code=0, expected_msg=None,
-+ expected_trace=None):
- global null_input, _cmd_index, _last_cmd, _last_cmd_output, _debug
- global _stop_before, _stop_after, _shell_before, _shell_after
-
-+ if expected_trace is not None:
-+ tracefile = 'testtrace'
-+ if os.path.exists(tracefile):
-+ os.remove(tracefile)
-+ env = env.copy()
-+ env['KRB5_TRACE'] = tracefile
-+
- if (_match_cmdnum(_debug, _cmd_index)):
- return _debug_cmd(args, env, input)
-
-@@ -679,6 +703,13 @@ def _run_cmd(args, env, input=None, expected_code=0):
- # Check the return code and return the output.
- if code != expected_code:
- fail('%s failed with code %d.' % (args[0], code))
-+
-+ if expected_msg is not None and expected_msg not in outdata:
-+ fail('Expected string not found in command output: ' + expected_msg)
-+
-+ if expected_trace is not None:
-+ _check_trace(tracefile, expected_trace)
-+
- return outdata
-
-
diff --git a/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/Add-support-to-query-the-SSF-of-a-GSS-context.patch
deleted file mode 100644
index 299b0a4..0000000
--- a/Add-support-to-query-the-SSF-of-a-GSS-context.patch
+++ /dev/null
@@ -1,419 +0,0 @@
-From a3408731e3d73f99028f20c3f33caa5a411b430c Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 30 Mar 2017 11:27:09 -0400
-Subject: [PATCH] Add support to query the SSF of a GSS context
-
-Cyrus SASL provides a Security Strength Factor number to assess the
-relative "strength" of the negotiated mechanism, and applications
-sometimes make access control decisions based on it.
-
-Add a call that allows us to query the mechanism that established the
-GSS security context to ask what is the current SSF, based on the
-enctype of the session key.
-
-ticket: 8569 (new)
-(cherry picked from commit 7feb7da54c0321b5a3eeb6c3797846a3cf7eda28)
-[rharwood@redhat.com: hide GSS_KRB5_GET_CRED_IMPERSONATOR symbol]
----
- src/include/k5-int.h | 1 +
- src/lib/crypto/krb/crypto_int.h | 1 +
- src/lib/crypto/krb/enctype_util.c | 16 ++++++++++++++++
- src/lib/crypto/krb/etypes.c | 33 ++++++++++++++++++---------------
- src/lib/crypto/libk5crypto.exports | 1 +
- src/lib/gssapi/generic/gssapi_ext.h | 11 +++++++++++
- src/lib/gssapi/generic/gssapi_generic.c | 9 +++++++++
- src/lib/gssapi/krb5/gssapiP_krb5.h | 6 ++++++
- src/lib/gssapi/krb5/gssapi_krb5.c | 4 ++++
- src/lib/gssapi/krb5/inq_context.c | 27 +++++++++++++++++++++++++++
- src/lib/gssapi/libgssapi_krb5.exports | 1 +
- src/lib/gssapi32.def | 3 +++
- src/lib/krb5_32.def | 3 +++
- src/tests/gssapi/t_enctypes.c | 14 ++++++++++++++
- 14 files changed, 115 insertions(+), 15 deletions(-)
-
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index cea644d0a..06ca2b66d 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -2114,6 +2114,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
- krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
-
- krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
-+krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
-
- krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
- krb5_const_pointer, krb5_kdc_rep *);
-diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
-index d75b49c69..e5099291e 100644
---- a/src/lib/crypto/krb/crypto_int.h
-+++ b/src/lib/crypto/krb/crypto_int.h
-@@ -111,6 +111,7 @@ struct krb5_keytypes {
- prf_func prf;
- krb5_cksumtype required_ctype;
- krb5_flags flags;
-+ unsigned int ssf;
- };
-
- #define ETYPE_WEAK 1
-diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c
-index 0ed74bd6e..b1b40e7ec 100644
---- a/src/lib/crypto/krb/enctype_util.c
-+++ b/src/lib/crypto/krb/enctype_util.c
-@@ -131,3 +131,19 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest,
- return ENOMEM;
- return 0;
- }
-+
-+/* The security of a mechanism cannot be summarized with a simple integer
-+ * value, but we provide a per-enctype value for Cyrus SASL's SSF. */
-+krb5_error_code
-+k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out)
-+{
-+ const struct krb5_keytypes *ktp;
-+
-+ *ssf_out = 0;
-+
-+ ktp = find_enctype(enctype);
-+ if (ktp == NULL)
-+ return EINVAL;
-+ *ssf_out = ktp->ssf;
-+ return 0;
-+}
-diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c
-index 0e5e977d4..53d4a5c79 100644
---- a/src/lib/crypto/krb/etypes.c
-+++ b/src/lib/crypto/krb/etypes.c
-@@ -42,7 +42,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD5_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_MD4,
- "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4",
- &krb5int_enc_des, &krb5int_hash_md4,
-@@ -51,7 +51,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD4_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_MD5,
- "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5",
- &krb5int_enc_des, &krb5int_hash_md5,
-@@ -60,7 +60,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- CKSUMTYPE_RSA_MD5_DES,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES_CBC_RAW,
- "des-cbc-raw", { 0 }, "DES cbc mode raw",
- &krb5int_enc_des, NULL,
-@@ -69,7 +69,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_des_string_to_key, k5_rand2key_des,
- krb5int_des_prf,
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
- { ENCTYPE_DES3_CBC_RAW,
- "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw",
- &krb5int_enc_des3, NULL,
-@@ -78,7 +78,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des3,
- NULL, /*PRF*/
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 112 },
-
- { ENCTYPE_DES3_CBC_SHA1,
- "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" },
-@@ -89,7 +89,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des3,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_DES3,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 112 },
-
- { ENCTYPE_DES_HMAC_SHA1,
- "des-hmac-sha1", { 0 }, "DES with HMAC/sha1",
-@@ -99,7 +99,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_dk_string_to_key, k5_rand2key_des,
- NULL, /*PRF*/
- 0,
-- ETYPE_WEAK },
-+ ETYPE_WEAK, 56 },
-+
-+ /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we
-+ * consider its strength degraded and assign it an SSF value of 64. */
- { ENCTYPE_ARCFOUR_HMAC,
- "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" },
- "ArcFour with HMAC/md5",
-@@ -110,7 +113,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
- k5_rand2key_direct, krb5int_arcfour_prf,
- CKSUMTYPE_HMAC_MD5_ARCFOUR,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 64 },
- { ENCTYPE_ARCFOUR_HMAC_EXP,
- "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" },
- "Exportable ArcFour with HMAC/md5",
-@@ -121,7 +124,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key,
- k5_rand2key_direct, krb5int_arcfour_prf,
- CKSUMTYPE_HMAC_MD5_ARCFOUR,
-- ETYPE_WEAK
-+ ETYPE_WEAK, 40
- },
-
- { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-@@ -133,7 +136,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes_string_to_key, k5_rand2key_direct,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- "aes256-cts-hmac-sha1-96", { "aes256-cts", "aes256-sha1" },
- "AES-256 CTS mode with 96-bit SHA-1 HMAC",
-@@ -143,7 +146,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes_string_to_key, k5_rand2key_direct,
- krb5int_dk_prf,
- CKSUMTYPE_HMAC_SHA1_96_AES256,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 256 },
-
- { ENCTYPE_CAMELLIA128_CTS_CMAC,
- "camellia128-cts-cmac", { "camellia128-cts" },
-@@ -155,7 +158,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_camellia_string_to_key, k5_rand2key_direct,
- krb5int_dk_cmac_prf,
- CKSUMTYPE_CMAC_CAMELLIA128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_CAMELLIA256_CTS_CMAC,
- "camellia256-cts-cmac", { "camellia256-cts" },
- "Camellia-256 CTS mode with CMAC",
-@@ -166,7 +169,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_camellia_string_to_key, k5_rand2key_direct,
- krb5int_dk_cmac_prf,
- CKSUMTYPE_CMAC_CAMELLIA256,
-- 0 /*flags */ },
-+ 0 /*flags */, 256 },
-
- { ENCTYPE_AES128_CTS_HMAC_SHA256_128,
- "aes128-cts-hmac-sha256-128", { "aes128-sha2" },
-@@ -177,7 +180,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes2_string_to_key, k5_rand2key_direct,
- krb5int_aes2_prf,
- CKSUMTYPE_HMAC_SHA256_128_AES128,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 128 },
- { ENCTYPE_AES256_CTS_HMAC_SHA384_192,
- "aes256-cts-hmac-sha384-192", { "aes256-sha2" },
- "AES-256 CTS mode with 192-bit SHA-384 HMAC",
-@@ -187,7 +190,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = {
- krb5int_aes2_string_to_key, k5_rand2key_direct,
- krb5int_aes2_prf,
- CKSUMTYPE_HMAC_SHA384_192_AES256,
-- 0 /*flags*/ },
-+ 0 /*flags*/, 256 },
- };
-
- const int krb5int_enctypes_length =
-diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports
-index 447e45644..82eb5f30c 100644
---- a/src/lib/crypto/libk5crypto.exports
-+++ b/src/lib/crypto/libk5crypto.exports
-@@ -108,3 +108,4 @@ krb5int_nfold
- k5_allow_weak_pbkdf2iter
- krb5_c_prfplus
- krb5_c_derive_prfplus
-+k5_enctype_to_ssf
-diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
-index 9ad44216d..9d3a7e736 100644
---- a/src/lib/gssapi/generic/gssapi_ext.h
-+++ b/src/lib/gssapi/generic/gssapi_ext.h
-@@ -575,4 +575,15 @@ gss_import_cred(
- }
- #endif
-
-+/*
-+ * When used with gss_inquire_sec_context_by_oid(), return a buffer set with
-+ * the first member containing an unsigned 32-bit integer in network byte
-+ * order. This is the Security Strength Factor (SSF) associated with the
-+ * secure channel established by the security context. NOTE: This value is
-+ * made available solely as an indication for use by APIs like Cyrus SASL that
-+ * classify the strength of a secure channel via this number. The strength of
-+ * a channel cannot necessarily be represented by a simple number.
-+ */
-+GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF;
-+
- #endif /* GSSAPI_EXT_H_ */
-diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
-index 5496aa335..fa144c2bf 100644
---- a/src/lib/gssapi/generic/gssapi_generic.c
-+++ b/src/lib/gssapi/generic/gssapi_generic.c
-@@ -157,6 +157,13 @@ static const gss_OID_desc const_oids[] = {
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x19"},
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1a"},
- {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1b"},
-+
-+ /*
-+ * GSS_SEC_CONTEXT_SASL_SSF_OID 1.2.840.113554.1.2.2.5.15
-+ * iso(1) member-body(2) United States(840) mit(113554)
-+ * infosys(1) gssapi(2) krb5(2) krb5-gssapi-ext(5) sasl-ssf(15)
-+ */
-+ {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"},
- };
-
- /* Here are the constants which point to the static structure above.
-@@ -218,6 +225,8 @@ GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+33;
- GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+34;
- GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+35;
-
-+GSS_DLLIMP gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = oids+36;
-+
- static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 };
- gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
-
-diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
-index d7bdef7e2..ef030707e 100644
---- a/src/lib/gssapi/krb5/gssapiP_krb5.h
-+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
-@@ -1144,6 +1144,12 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
- const gss_OID,
- gss_buffer_set_t *);
-
-+#define GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH 11
-+#define GET_SEC_CONTEXT_SASL_SSF_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
-+OM_uint32
-+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *, const gss_ctx_id_t,
-+ const gss_OID, gss_buffer_set_t *);
-+
- #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
- #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
-
-diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
-index 99092ccab..de4131980 100644
---- a/src/lib/gssapi/krb5/gssapi_krb5.c
-+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
-@@ -352,6 +352,10 @@ static struct {
- {
- {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID},
- gss_krb5int_extract_authtime_from_sec_context
-+ },
-+ {
-+ {GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH, GET_SEC_CONTEXT_SASL_SSF_OID},
-+ gss_krb5int_sec_context_sasl_ssf
- }
- };
-
-diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
-index 9024b3c7e..d2e466e60 100644
---- a/src/lib/gssapi/krb5/inq_context.c
-+++ b/src/lib/gssapi/krb5/inq_context.c
-@@ -310,3 +310,30 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status,
-
- return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
- }
-+
-+OM_uint32
-+gss_krb5int_sec_context_sasl_ssf(OM_uint32 *minor_status,
-+ const gss_ctx_id_t context_handle,
-+ const gss_OID desired_object,
-+ gss_buffer_set_t *data_set)
-+{
-+ krb5_gss_ctx_id_rec *ctx;
-+ krb5_key key;
-+ krb5_error_code code;
-+ gss_buffer_desc ssfbuf;
-+ unsigned int ssf;
-+ uint8_t buf[4];
-+
-+ ctx = (krb5_gss_ctx_id_rec *)context_handle;
-+ key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
-+
-+ code = k5_enctype_to_ssf(key->keyblock.enctype, &ssf);
-+ if (code)
-+ return GSS_S_FAILURE;
-+
-+ store_32_be(ssf, buf);
-+ ssfbuf.value = buf;
-+ ssfbuf.length = sizeof(buf);
-+
-+ return generic_gss_add_buffer_set_member(minor_status, &ssfbuf, data_set);
-+}
-diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
-index 9facb3f42..936540e41 100644
---- a/src/lib/gssapi/libgssapi_krb5.exports
-+++ b/src/lib/gssapi/libgssapi_krb5.exports
-@@ -37,6 +37,7 @@ GSS_C_MA_CBINDINGS
- GSS_C_MA_PFS
- GSS_C_MA_COMPRESS
- GSS_C_MA_CTX_TRANS
-+GSS_C_SEC_CONTEXT_SASL_SSF
- gss_accept_sec_context
- gss_acquire_cred
- gss_acquire_cred_with_password
-diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def
-index 362b9bce8..dff057754 100644
---- a/src/lib/gssapi32.def
-+++ b/src/lib/gssapi32.def
-@@ -182,3 +182,6 @@ EXPORTS
- gss_verify_mic_iov @146
- ; Added in 1.14
- GSS_KRB5_CRED_NO_CI_FLAGS_X @147 DATA
-+; Added in 1.16
-+; GSS_KRB5_GET_CRED_IMPERSONATOR @148 DATA
-+ GSS_C_SEC_CONTEXT_SASL_SSF @149 DATA
-diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
-index e5b560dfc..f7b428e16 100644
---- a/src/lib/krb5_32.def
-+++ b/src/lib/krb5_32.def
-@@ -470,3 +470,6 @@ EXPORTS
- krb5_get_init_creds_opt_set_pac_request @435
- krb5int_trace @436 ; PRIVATE GSSAPI
- krb5_expand_hostname @437
-+
-+; new in 1.16
-+ k5_enctype_to_ssf @438 ; PRIVATE GSSAPI
-diff --git a/src/tests/gssapi/t_enctypes.c b/src/tests/gssapi/t_enctypes.c
-index a2ad18f47..3fd31e2f8 100644
---- a/src/tests/gssapi/t_enctypes.c
-+++ b/src/tests/gssapi/t_enctypes.c
-@@ -32,6 +32,7 @@
-
- #include "k5-int.h"
- #include "common.h"
-+#include "gssapi_ext.h"
-
- /*
- * This test program establishes contexts with the krb5 mech, the default
-@@ -86,6 +87,9 @@ main(int argc, char *argv[])
- gss_krb5_lucid_context_v1_t *ilucid, *alucid;
- gss_krb5_rfc1964_keydata_t *i1964, *a1964;
- gss_krb5_cfx_keydata_t *icfx, *acfx;
-+ gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
-+ gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
-+ unsigned int ssf;
- size_t count;
- void *lptr;
- int c;
-@@ -139,6 +143,16 @@ main(int argc, char *argv[])
- establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx,
- NULL, NULL, NULL);
-
-+ /* Query the SSF value and range-check the result. */
-+ major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset);
-+ check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor);
-+ if (bufset->elements[0].length != 4)
-+ errout("SSF buffer has unexpected length");
-+ ssf = load_32_be(bufset->elements[0].value);
-+ if (ssf < 56 || ssf > 256)
-+ errout("SSF value not within acceptable range (56-256)");
-+ (void)gss_release_buffer_set(&minor, &bufset);
-+
- /* Export to lucid contexts. */
- major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr);
- check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor);
diff --git a/Add-test-case-for-PKINIT-DH-renegotiation.patch b/Add-test-case-for-PKINIT-DH-renegotiation.patch
deleted file mode 100644
index 89d695d..0000000
--- a/Add-test-case-for-PKINIT-DH-renegotiation.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 5faadd66bb278bcc1c618e199444e3012eeec215 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 11 Jan 2017 10:49:30 -0500
-Subject: [PATCH] Add test case for PKINIT DH renegotiation
-
-In t_pkinit.py, add a PKINIT test case where the KDC sends
-KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and the client retries with the
-KDC's TD_DH_PARAMETERS value, using the clpreauth tryagain method.
-Use the trace log to verify that the renegotiation actually takes
-place.
-
-(cherry picked from commit 7ad7eb7fd591e6c789ea24b94eccbf74ee4d79f8)
----
- src/tests/t_pkinit.py | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index ac4d326b6..183977750 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -174,6 +174,24 @@ realm.kinit(realm.user_princ,
- '-X', 'flag_RSA_PROTOCOL=yes'])
- realm.klist(realm.user_princ)
-
-+# Test a DH parameter renegotiation by temporarily setting a 4096-bit
-+# minimum on the KDC.
-+tracefile = os.path.join(realm.testdir, 'trace')
-+minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
-+minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
-+realm.stop_kdc()
-+realm.start_kdc(env=minbits_env)
-+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
-+ 'X509_user_identity=' + file_identity, realm.user_princ])
-+with open(tracefile, 'r') as f:
-+ trace = f.read()
-+if ('Key parameters not accepted' not in trace or
-+ 'Preauth tryagain input types' not in trace or
-+ 'trying again with KDC-provided parameters' not in trace):
-+ fail('DH renegotiation steps not found in kinit trace log')
-+realm.stop_kdc()
-+realm.start_kdc()
-+
- # Run the basic test - PKINIT with FILE: identity, with a password on the key,
- # supplied by the prompter.
- # Expect failure if the responder does nothing, and we have no prompter.
diff --git a/Add-test-cert-generation-to-make-certs.sh.patch b/Add-test-cert-generation-to-make-certs.sh.patch
deleted file mode 100644
index eb7df73..0000000
--- a/Add-test-cert-generation-to-make-certs.sh.patch
+++ /dev/null
@@ -1,968 +0,0 @@
-From 5e3885e9d7c7cd2a19a291cdb1e54312ca7f7e1f Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Mon, 5 Dec 2016 12:22:45 -0500
-Subject: [PATCH] Add test cert generation to make-certs.sh
-
-Add additional test certificates for UPN matching. Run make-certs.sh
-to regenerate certs.
-
-ticket: 8528
-(cherry picked from commit 5a1d0388ba2e4ec510ed715ce5fbc7f748941425)
----
- src/tests/dejagnu/pkinit-certs/ca.pem | 54 ++++++++++++------------
- src/tests/dejagnu/pkinit-certs/kdc.pem | 50 ++++++++++++----------
- src/tests/dejagnu/pkinit-certs/make-certs.sh | 53 ++++++++++++++++++++++-
- src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 +++++++++++------------
- src/tests/dejagnu/pkinit-certs/privkey.pem | 50 +++++++++++-----------
- src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 3029 -> 2837 bytes
- src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 0 -> 2829 bytes
- src/tests/dejagnu/pkinit-certs/user-upn.pem | 28 +++++++++++++
- src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 0 -> 2813 bytes
- src/tests/dejagnu/pkinit-certs/user-upn2.pem | 28 +++++++++++++
- src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 +++++++
- src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 0 -> 2829 bytes
- src/tests/dejagnu/pkinit-certs/user-upn3.pem | 28 +++++++++++++
- src/tests/dejagnu/pkinit-certs/user.p12 | Bin 3104 -> 2837 bytes
- src/tests/dejagnu/pkinit-certs/user.pem | 56 ++++++++++++-------------
- 15 files changed, 283 insertions(+), 132 deletions(-)
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.p12
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.pem
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.p12
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.pem
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.p12
- create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.pem
-
-diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem
-index 55fe02c92..44c917687 100644
---- a/src/tests/dejagnu/pkinit-certs/ca.pem
-+++ b/src/tests/dejagnu/pkinit-certs/ca.pem
-@@ -1,29 +1,29 @@
- -----BEGIN CERTIFICATE-----
--MIIE5TCCA82gAwIBAgIJANsFDWp1HgAaMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
--VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp
--ZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJi
--ZXJvcyB0ZXN0IENBMTMwMQYDVQQDFCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8g
--bm90IHVzZSBvdGhlcndpc2UwHhcNMTAwMTA2MTQ1MTI3WhcNMjMwOTE1MTQ1MTI3
--WjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV
--BAcTCUNhbWJyaWRnZTEMMAoGA1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQ
--a2luaXQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3Vp
--dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkqhkiG9w0BAQEFAAOC
--AQ8AMIIBCgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
--ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
--ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
--5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
--5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
--riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4IBEDCCAQwwHQYDVR0O
--BBYEFFn82RUKgTvkFn0cgwyCQpNeWCxYMIHcBgNVHSMEgdQwgdGAFFn82RUKgTvk
--Fn0cgwyCQpNeWCxYoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
--c2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAn
--BgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQD
--FCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCCQDb
--BQ1qdR4AGjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBVL2Q6Xubs
--gm881cAy6esku17/BSTZur7hCLHTGof1ZKNcCXALjmwNYNC3tl6owqpX8CSdBdsD
--Bw/Vs9p3mqnaVEoZc8uW8zS6LoAQbcqiYdQHdEXMh3ec8uvAfmdlQsIsm5Ux8q8L
--NM6bKnUOqOFOHme+RC4FGOLb8JqnnuQdwyIZaUyQP6hXbw4zyDphfgo1ZlZn20xh
--I555kPfAZKEi/d3WY0oN4k+sfCs9tWRNjmqZfKkH1OqRpjCFGG0b0vY77MFRMuPz
--YtN2iD3plgla7KkUMljp9th/Z8Ok79uA1TNLYKzoBjlAX0vToxfa8rrSNo1dHFKT
--e5Tj7+29DE4I
-+MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ
-+BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
-+cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl
-+cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk
-+byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-+ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN
-+l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC
-+7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4
-+bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs
-+Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM
-+bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO
-+fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c
-+27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
-+dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ
-+bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0
-+IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE
-+AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM
-+TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80
-+83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e
-+QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91
-+dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE
-+AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m
-+kMz4Jq4cnvpz
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem
-index 5575ab579..8820ad447 100644
---- a/src/tests/dejagnu/pkinit-certs/kdc.pem
-+++ b/src/tests/dejagnu/pkinit-certs/kdc.pem
-@@ -1,25 +1,29 @@
- -----BEGIN CERTIFICATE-----
--MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCVVMx
--FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG
--A1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQa2luaXQgS2VyYmVyb3MgdGVz
--dCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTEwMDEwNjE0NTgwOFoXDTIzMDkxNTE0NTgwOFowSjELMAkG
--A1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxFTATBgNVBAoTDEtSQlRF
--U1QuQ09NIDEMMAoGA1UECxMDS0RDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmnZejPSKdN
--MyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6KueerevR3
--pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY75NbXGIE4
--88iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc5dBSqBwV
--cjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOWriIRmsqq
--81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4HEMIHBMAkGA1UdEwQCMAAwCwYD
--VR0PBAQDAgPoMBIGA1UdJQQLMAkGBysGAQUCAwUwHQYDVR0OBBYEFFn82RUKgTvk
--Fn0cgwyCQpNeWCxYMB8GA1UdIwQYMBaAFFn82RUKgTvkFn0cgwyCQpNeWCxYMAkG
--A1UdEgQCMAAwSAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC0tSQlRFU1QuQ09N
--oSAwHqADAgEBoRcwFRsGa3JidGd0GwtLUkJURVNULkNPTTANBgkqhkiG9w0BAQUF
--AAOCAQEAP0byILHLWPyGlv/1HN34DfIpLdVkgGar2yceMtZ2v/7UjeA5PlZc8DFM
--20bTq/vIN0eWDTPLI57e+MzQTMxs2UHsic4su0m5DG0cvQTsBXRK51CW/qUF+4n0
--qSEORULiDF6LNoo8akoLukNBhzBh+aqYt4aB46hhsmDmNZTDP1CXsNGHQI9/L52l
--oqpUGx8tBpKIFos95PSajXrQn2u66rSMMi4aawitM2igurHPDMbC+XvEYMtXpOS5
--3PEzXEYiSV3TWLTzIE9ytswHeZyHCbp7XHx0LVZFxzqtIe4qmwJJOGhlbH21Izr4
--feF5h5e2ZrOVREY4cKkJmJhEwsqBVA==
-+MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-+U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35
-+jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA
-+wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7
-+uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl
-+bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b
-+TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ
-+DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt
-+HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl
-+dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg
-+SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p
-+dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E
-+BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL
-+S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG
-+A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i
-+Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b
-+JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn
-+7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz
-+u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ
-+fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq
-+AC5jSAM=
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
-index b82ef6f83..0f07709b0 100755
---- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
-+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
-@@ -4,7 +4,9 @@ NAMETYPE=1
- KEYSIZE=2048
- DAYS=4000
- REALM=KRBTEST.COM
-+LOWREALM=krbtest.com
- KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2
-+KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3
- PKINIT_KDC_EKU=1.3.6.1.5.2.3.5
- PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4
- TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1
-@@ -85,6 +87,30 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
- basicConstraints = critical,CA:FALSE
- subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
- extendedKeyUsage = $CLIENT_EKU_LIST
-+
-+[exts_upn_client]
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always,issuer:always
-+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-+basicConstraints = critical,CA:FALSE
-+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
-+extendedKeyUsage = $CLIENT_EKU_LIST
-+
-+[exts_upn2_client]
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always,issuer:always
-+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-+basicConstraints = critical,CA:FALSE
-+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
-+extendedKeyUsage = $CLIENT_EKU_LIST
-+
-+[exts_upn3_client]
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always,issuer:always
-+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-+basicConstraints = critical,CA:FALSE
-+subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
-+extendedKeyUsage = $CLIENT_EKU_LIST
- EOF
-
- # Generate a private key.
-@@ -113,5 +139,30 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \
- openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \
- -passout pass:encrypted
-
-+# Generate a client certificate and PKCS#12 bundles with a UPN SAN.
-+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
-+ -key privkey.pem -out user-upn.csr
-+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \
-+ -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
-+ -out user-upn.pem -in user-upn.csr
-+openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \
-+ -passout pass:
-+
-+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
-+ -key privkey.pem -out user-upn2.csr
-+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \
-+ -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
-+ -out user-upn2.pem -in user-upn2.csr
-+openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \
-+ -out user-upn2.p12 -passout pass:
-+
-+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
-+ -key privkey.pem -out user-upn3.csr
-+SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
-+ -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
-+ -out user-upn3.pem -in user-upn3.csr
-+openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
-+ -out user-upn3.p12 -passout pass:
-+
- # Clean up.
--rm -f openssl.cnf kdc.csr user.csr
-+rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr
-diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-index 9f7816f17..837fd0b01 100644
---- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-@@ -1,30 +1,30 @@
- -----BEGIN RSA PRIVATE KEY-----
- Proc-Type: 4,ENCRYPTED
--DEK-Info: DES-EDE3-CBC,91CA660D6286E453
-+DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D
-
--DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7
--Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU
--AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX
--z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL
--EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO
--rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH
--8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn
--593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld
--rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd
--+n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM
--LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37
--bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644
--RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT
--H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V
--DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi
--Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn
--foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw
--WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV
--xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f
--PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe
--/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU
--Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy
--BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d
--mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE
--UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh
-+S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b
-+/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA
-+fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa
-+v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V
-+eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp
-+nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv
-+m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk
-+MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/
-+WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C
-+SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0
-+Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr
-+LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw
-+yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN
-+6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz
-+3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE
-+qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK
-+k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8
-+4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt
-+Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo
-+1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu
-+rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te
-+NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP
-+vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk
-+vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN
-+p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA==
- -----END RSA PRIVATE KEY-----
-diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem
-index 1825dec4e..7e9beb09a 100644
---- a/src/tests/dejagnu/pkinit-certs/privkey.pem
-+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem
-@@ -1,27 +1,27 @@
- -----BEGIN RSA PRIVATE KEY-----
--MIIEpQIBAAKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn
--ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K
--ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7
--5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc
--5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW
--riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABAoIBAQCSMh5Tu9S2yUwM
--dEZmZiGxhuf+anAZZAOjqT4QeLI/Fmu3yBNM7rq+p7JrAabyp6pOq46EsXXyWtWS
--SB742wWUk2quGMNVQAj0TAJyhNgGstr+XJu8k8BBPnlycobhF0lP/oH+uQifl0KR
--iSoWLjEG5JTOoXs/UAD6nQMBDDhv9TweEwSyIY9jq1J5Q3wVXm/Nr/FJ/8O53guJ
--/TQeo6dtdx6x2+oxKkeWinfxmy2nSoEZd0eb3WUNPZswijO7QgSJolOo83VNqFcn
--lj8hYT41zUM4chple8kGnuSV4ql4a1w/52dSTLKJbgukIqvxeDtKNost344eQqkS
--Lwcc+NO5AoGBAM0bR8TmFlbP4RJAEOOilXTYgP6Ttd1r1mRXGi3DRPyv4EWGT7WW
--MmBHsqU6Mqz+fcoD/AIy1BBdenhaYrrwyCSvitJpoHPjqzOJDX33wUcrnYeincQ3
--PVzpF41O45vTmm692DSJ8t/uR8DhGpCzf/kxuA9ixvdKgMPgBHYeb5zlAoGBAMSY
--KZvgwbtlRR25CGaUgOCHtW76puaPcyxEeCbJEKkJO1vZDAf8vi1zXOM4e/gorKHm
--349ZrBQfFCrvtZG//KvI12MpjBs0Z/ijSCwS4EkYJaSH+Hm+1ygLdArwWEFkNncL
--qQ+Wme1OUoDiAAxRiBKUxUF/pAQqn7X+0MGa2th3AoGBAJ8kRaFu7XJaRUZF01Ts
--d4571kqxDXFKFMUyGCvd0Q9G33rSZdJ9QYUW3HP7HgrAQ5WVVdnW2lgAT+BGMUjf
--PkvIsKvmLQr+YX3RH1jX/W1dWBM/h64RNll6uj14Mn5bxv2Z68GIL5y0Y5QylMwl
--mmwdubSmbb6+Xf6dOJj1sKBJAoGBAJwP0tAMHp6daL2Mmk+cSaZz9KJx1bYnYB1f
--CSZ47IHTc0yZQ0S/7VR1ROKXf0njOA+aEBRi8ghTF5ZyDefyySixWdI9NByQgIzP
--Sca7AVLlGVTAH4694VzHosngO59FZzsfhYh7XBwW1cW8Ip+kxWlCskgphFFOaNR3
--wM5AGMRHAoGAJELs9VYPRJd7h4dPUa2RqfVPlYkcMwvoLYykY0wE5mjoNaJkQbUr
--W5aKhidh4h48fImt2rpB6OYSofYC4yu3VDEr/Kl2nSb8UPE5qEd1pvmdkHSxMNkh
--M2diIqot6s2v20lE/6UCqLXonlquRK1MAlyfPw9yZHP9meCvlBsYZXc=
-+MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE
-+Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW
-+1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV
-++VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn
-+FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv
-+O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw
-+EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8
-+Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr
-+pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG
-+hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY
-+opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl
-+bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx
-+Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af
-+RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu
-+okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV
-+n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D
-+27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj
-+1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL
-+gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ
-+hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp
-+/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q
-+ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw
-+KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ
-+S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I
-+MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb
- -----END RSA PRIVATE KEY-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12
-index 107480c6d2564a2e60655f29a9984f3009c35a11..049602939def4be1fa9164649b39a801f417e74e 100644
-GIT binary patch
-delta 2772
-zcmV;_3M=*17nK%3FoFva0s#Xsf(q9L2`Yw2hW8Bt2LYgh3djV43dAsi3cxUe1$PDs
-zDuzgg_YDCD2B3lkXfT2WWC8&IFoFeLkw6`P>Pk7sT{fZm0s;sCfPw`u+L;oVmwM*l
-z^A^(IMG+~hWX?aEZU^((3=^fBlyN^uJ1HdaB~86Bo9}9N+iX!V%5OEvtt$|1s1*AD
-zSi4_@qyJcutzz!=uO|*1J0QdyMXJ9F0W$DQND|#_%aKA}$m?*9_9e@K*B!h=TVo7=
-zMU9jzfb7^C(2Aqpo+PWbs`#J#x*BuH0)VGjB2ly(^0MI0lF7=F#Hzw2C+INlA^N4t
-zQGyERj6sz8uZ>M&)xR&um+swj;`PYIw7WY^-c-*m>8DZZQKge>x$dq<T98XdYI{=C
-z(i;J75XE-A#lP{7CRfCHpR%YFm}Pl?jKRY!)6&H5R~HB8x-&=$65c5bZ^)1Fwji*V
-zsv>y#H-~)PY_BM$dd~(Onw}(9&Z?axg}0Z9>TNk$HM5;@0zFIm*<zqrVDUR$K{uej
-z7o^MMPQ1MSc1>-gU`117jbMl3DK%BxZTfFoaazy+Y;K&KQb%|%j4SGGNq>fa9~oCG
-zwgvwvlgWm}c<(Owow5C6%<-HJ+#%w}d^yDVJj@KHm7O$cj$%wmqlApelQKGFkb>xi
-z&5HN+ZW~fbxGRW%c2vkasI|;g8|kowoTpi`2d$&gAo5M+Cd@-p1~P_!Ft-zz7TTx-
-zY=&;!yAmC`w_4KM$YX)1Rw*cdk0678Q7lj?36`+_J(4VyW}Tq4w1Njv41vgs&>dhV
-zSy#O>l4{FWV8Oa^*jM@TB-&IwhQ^?iss8sqxRaAy73MP_getDL=XHMi>x{`9P;^eT
-zX;^D`Rv!PAqmjC4%L#g1dGlx5N06S76*wky6q4>VTfaR`SZQ6zOcRNJ98dY`dEmKb
-z8P}CmkW^L=n%B9Q9|IB&cjOfV8D0G*n}j#+Ae+CPG<f!x=)*?q;}C1Kl>+aZe8MXo
-z`F_a6PkRdLk^jg~O|0#pR0Kh4XB=|!R$IMS=fhN%1ASSURF+C{e}%w%@G#U5K0jS@
-zdqcB9wUuTBoobzl&7kLhWRVF4i_>Aob7rR*b{%KZvHim+x9m@8H0mf6Z^St4G8&LB
-zHpTy;XI)>%!4A7DU(WgFp<~_!rjA?yBX>`Ll2{j!#;LZ@Ra|%q6ljZ~oCLM58DO2B
-z@@qKlVxyM%_wk^S+2B<;eEl8dI;C75!305v&lHVB%?{%@{fN_lh0Fz3+WhU-rc;Co
-zt{pd|08cdwp(y#Ey%DO75wgIM9oZx%m;M@)w+q%#yhOTzM{|0epFFl2%V2B*^zdb#
-zLtg+*Pk!JU6r=SE96Y=uWXqmonUaq<r%FH0jSJ!6ksHqzVTOXPMP8`bP9r8Jb)*35
-z)<6>_U~mhe|Nhs11z$eYsq5r6GvdUIkxPbSa^!JucJ6lunrI!~CYCBHpo`Zlp7W6T
-z0R}mN*!=ieFoIWHCQy@x2^a~s%8cQE!@vue=@_6@v&v+9@(+s>=GA{t>n(JibIAkC
-zc_Cl8#TZq+<+)Jkbg%{Bk2vlkN)*Sm?_sK9U|~dPYRfTytvvra%6Swxv_}$>R4{GC
-z9dlx?of)+8u)G1`(17)Ar}|)emc*7pvv9xmdyDM`V^qSXB8PVe5W(w!XdCZ@{~c9?
-z{EuW@x+Vd(`s-b0^6A;0gJC-K(fJr!jN58A+Ayo=k&&lfG4=NM^i(BMI}xs%5TYP@
-z=E+!co_#J#@ZGJ~+ZKh%5><O#aI<o-D%O4LG)<3^Avw=fKOE&t0|0yNCG`&ff@7SI
-zsX#y$&uWa66y=Ky#DBXc0HDdCpA<wEth=_N-%68R21bAN1dwb1k5i5U0tf&Ef&|D2
-zlSz@atcgu>wJ?OBEbcqJ!fd06JoCD0s<WRRos8q`B`}0Re0}q}21N{`#p;^>Tevnh
-zeYb}GmToDBVSi|c4c)}Znmx{Cob!CF^iezCh?0>3o=y9wlV)5pdPtsk3Dd6eJ&_}N
-z40Iz(<Gg<Xut<(scP(GIPBteY@&vO@C(R5V#aq}|ZpYH?2fW9QknUm&D+%}K$uEe)
-zrwWe1N&1$qLF0RNPzq5<Zt}cfFKb>KJ#BVeo_0Mf!({!#P6toUoXX?w!oM7*9BVb~
-zIG--Gt9ix_oY;+?D3Yc*H_^D|!+$CDRYbeE*wlZk3z1mJyVvza8MJTbTVp{-MR<E=
-z2#S_RSz_a$nfS|PXw$v$qpO&5$*sj!_G1QJeq3Ts17GAUh2L3d)mK=c+54Jg>$_Vb
-z85o1|GO+9}*jSN6x`o$u_GevO|A1oH2-B5JUOqY2dO1Y3xg@ket~W;HF3_p3ch;8H
-zA@hF(dD6pT!-L$M?9BB<@nkRrBfLfUa>Ey?Cx^`yKl#cDagwcp@|}$uh#okmH<k;2
-z(5z8Xxz-s`&%=hFCOnL!tX{Q{iiPM}>=tsN4bb+PHefW|Pj%3Vy}fha7a_E$bOa?P
-z8FJ-bADHzv$dO)+ZeJzqb&rWk^O*C_S+sv1mnye;2bKg{7eI^pmn(XQKdP_lspwTr
-zX3jc1V2jk!Qr(x}g`1t1=n8G+uvgT$sxT}{=y0^ob%Mg>npS<}){)aAx0%V$_o=B_
-z=~`SOSZjK3Bu&8!eRoGV7E#C8aL^u2%VNxK3R0dVoI`UXs6b26vcD9$2c%&DT-1N@
-zOi+2^=KXfZ0E|fDhH@NjFZ=~oJ&x0Gl83}Xb<GEt1E&B_9&{(}0Q@KE0|-x9Mdk^?
-za;j4OUfM6UYEH5GE#6(<=W8U%wOs<k+;q30JAKu@whucM(9mZ?*iKyew>q*W-14JW
-z5Npb?m|k`Fk1*3yniB}lEEU`;O%s240Z(1|b?~}E?*rj9DBGvik&Ix=3%@9Wr{Jf?
-zK$@qQgGUoLG|`FO53OK&_7?s^f<l+4n~4nDzGCK~dmcDT6_TyFZ@8gCHIIE@QA77}
-zp=zMELCW<`#`n4za+v+ab8z%jL}S#z=XlpYaA~neN{$iMEZ=CI0WV~ine%@GRzoOr
-zrwCOR%$Fk^IW|Y1_vGv~-+^PmSW&2US0PO^g4MEOUHk|?DN<n`WD2^qP^DRG#~u81
-z6ubsT)OLFSl=`;gfw%~`fojxl3K{s*@XG`K8U$BS0ICo8RKagbx$08|kc2;EItexO
-z7U1M?czBuFCK#|c8kTB*IFNr!=!*Q5-fX{ue4W?>NVpBgzWs{{x=M{I0$#)RqH^t?
-z%~@<E6#xZtzKr$8cORn18f<EQ<f+?y!H*FT2yy_mZqr9vb*3`+ty4}n0P+$n=27ri
-z?am4^mI|Myn!g@d-mz^V;rbm`Rd5$bFrZFAGSPvX((S9uFA}XqCCz`8RL;<OApZ_u
-z4_JRp0O{Bd+G@7(;FaKe$70?gwO+i0)lD>S*78!xW^UhVCcK6>Y=Dv}9xW+urfVcc
-zu>g#>iAxh_@0-L1`M|BMF|<{62P8z2r?f5+qTVJtpE~#aF(oh~1_>&LNQU<f0SOf`
-z76cS?87CA7H6oR5EM`2~yn#~xK}IRyFflM8FbM_)D-Ht!8U+9Z6jQXY#xMHZ@hr52
-ahH{=a^W;wfxC97gAc%ero&l@^0tf)CvO~uJ
-
-delta 2966
-zcmV;H3u*L~7S$I(FoFxw0s#Xsf(w@h2`Yw2hW8Bt2LYgh3y1`Q3xqI&3xF_!1~&!?
-zDuzgg_YDCD2B3llC@_KsBmw~dFoFghkw6`PiKB#0Wfi;-0s;sCfPw|^d*(R~YqhYs
-zs9FiU4}IooNk(Pg#7?i*RhU?jTF^FL$tLlm`zhp);3$IuSS`QkqKuG>0g$6*WuPSm
-z)&=BgN#*52!DdM7rK>Tl7p9;qj%3GuXDxAAtu*4<t2CmN;2kM}Usd+$WV|VsI|7n_
-z!Hi*fH4V$XeVJNI^Q*oozM?759;5Kb73nYRdzyhmcKfeX$!KOMY?oGa!c6A3IKw>h
-zC~9=k?MXWaO9t8Iz|oL*2?Un2l9AE|a$=h6Ph7myik>RjLzPAKR~3exF~gXi7EvqW
-zE~9J)1$c|Nk0{8hA?+9+)H9)`@X_yoFgT(r4IA^^MTMj{Qg_G_Ecp5%>Z9~6aEq$I
-zqZ#8v{eFLJh^yhFyaXX+Wj){=eEmUmy`7~T2J1-8fxBIne8Km2YT>L%0By<OX*&9S
-zlD%UweTxYxzZn`otoqTKT%k7_>K93;aq*c}2&1oN%Xv@sK}hC3l=wcLZg~cO)e4BA
-z9A-09@Eafd$`l!^yiLb`C@H8+r5iaEM;12amg^s3a2XC}sPdDEl<$~&v&Pt^O1_1E
-zQLtxqpx7ZB63jv2o#cE0mya%atND;ON*P9$5}aRRDv>sZ{ey&Aj(@1u1CJ9R>^DKP
-z^ixMkvsI@5PQIVZ3yi;x99d6)uZU8`4H|tVT|k0A07DTdxKdUroElL%G2hIaX>&z-
-zGBw+$uCgJ}c49uynU1`N7tso{NI`B)cx`w%*LIVJ;lKpsWLl6f9RZbB1vefXcRoxN
-zf`j3p2&6|(LpTdfF`pzI<CQ@#EZgfT7pNc)F0SUAeW{PhZEItto11EX`FV2p(URe}
-zbtuh;G)rfq5<y~wND4vJ<Kp~T*WotfVps6oW8}$tMNc!MkJ!viO8_cAmjGwa)XjRn
-z3OsK<y7GF#A7>s5HmQw0{t!f-w%I3Vn3;v*=k3Q$aN;z%(z;Q~Gd!!I0h)kqAw}+m
-z)+NTj<GF$BlOCTX@*iG*Z0`PB7L!}LVk7C|=dlu^A7<w*G&8W9@(aLBo}_|ie*L)P
-zNM6h2A$4ZOiK|^=uC2f5n2o*nN)lhh(RPG^v<EF1p39)^Bmd1cEt<scWco~yzGZx{
-zx_|Ybsri-2l}}1G1ChYU%7CwdUAI$CnUjmyw=@IKRn0yfO+~JM9oPej#On5;3nQ3|
-z6`&(tows#T_?FH%gDQr2Zcre1pq7aqAs>by%K`)VatpY0W8Hew#n^$E=RUK7nr1>4
-z>iwtm%PM>6uO=PfP>m?)-Gb0cP_7gNctp${p3IyR4R=HRqM7<Iw_Zgr&Yv5lrUjKk
-zO-0FAE2y$-*oXsvKbs_`h4P+LXA7t+svhr}7EAd9i$swi2a=z*D*68uafA+g2!{yK
-z`_8ALl8fiV90#XF)>Ltg{E|SI<kI)smc&bG7`BsINJlW9dZH3t_DVO`hzTJHSf)h=
-z4Kzr7CZ|JD>aOHhlurhABd(0~x?Wl|2L82IQ(SU$e^J<fQQ~HImi%g}1nOX)v%HC-
-z9tVL1#Y^C9HLYL6yw6TmpGMx&F3wLeVrPN*Ej1i1Axye1B;YEhrz<O8%VM<Tpsh3C
-zZb8aH)PP!l*A|w2ahD5>tfBDf7?-BFe^(x+A2}Ar^U?gLKFd_=+-4d3FF@XI)g-zh
-z-YtUJqo^N$Ly5y6L8u>qux4^IlnY>!6%dVBhAqwN2zEP8eon_hpqFqKTTU&#sK5}O
-zR_G2^6daRk?y%axch8{tVp@I}&7l#{P0Os;!v}UV1<eeui5e956P!ds(ibUbc(ETQ
-zio#-_+$6smaeyJapMWJkz|q<u^H(hs7uNYHneStNIVg1ju;UfAvEESEsW`}{yBqCO
-zAAEF?)XI|9@t}T#g_3t%gR*oK4zDcP3yEmrEXc259QameNqSA@Nab6B(Cw@c@7O+<
-znt@R#^`#$;>h?=i&-X=pfo-qbS+T++W?ZX%Us-H|5<*D)EJXiAg3Bf>mv`p<mLF?R
-zW8M`EEP)!ScItdfx}O(ylbr=de^TsH%0It>r~(2A00e>r$U;JEGF6`VoCJzVa0|EX
-z?r-cm#ze}S%!%psUL4|O7o)w?aL6CUL2C;@kcy;3mXmu9k5552^YysVU|y}Dt4Tre
-zPV>~Ox;FGPu3FhmY0ynI1FpBTH20$$M^SakV6_70&$J`Hks;hNehz)Le^GJSJ=_GN
-zH*39XikMG#7>%AiDZORRkOLt30;%lzH4I}kR@``X%@4PRBKiA11Q+_vN>vOuEud{H
-z&<_ysqjijW)wp?<ma~H~=q<~6qe;R@goZ{7^_>Ok%G6mho{!?zW9O6j+^<O8<MUk{
-z7LGVl4^&(mae)zl&$-s6f3cm*$nE_0(3C5vB{m}7IL4iW`ct?-QvV^nR}#}TT`%D2
-z2N8E8OwnLlu)tE;!J<|&Av`D=zRf|CV$?JAuV*)QR3a2dA$zNx+RSypeC*}FYK--)
-zd+Bh4N0`{3$m1vEtY9Z5bApmqikYaedpL0omBFH7BP**F$T#*7f8BoX!cyE`Gb^N^
-zMO!H$I(#j+ch_0Kb>7LBvOZo|k^lr?BV+&1Np*EvfVARsB<$I<vfZ_w-vo$9GVr)a
-zIl%wUJTz#AZ4YC#S#gv8!aI-<!HU7$%L$6XQWHa~A@K2uQ)`o2Y+_DNR^hoc@$Nua
-zQbw?ckmr?Uif@CTe_@PvW7V!A#ts-oDCfAgd)rD2o)E1J_Jmvm;iFQz<Cr*rCj=Jr
-zFwKR`%%b(?ml171g5`^7UaucTlz#7gAKK8u<>WpEwLanuBXis{e8Dk%c%<_`_Vrl+
-zeqkeQsAX_5vbkPxufli<voNM3AQO?8yyBCTu@hrhq*|BIf1Z^_jL2EJ=0b(sndlKz
-z00W)Y`6$0ZstSNP<Gi<_)Vq42Qc<y3Me%N0hqt^ZxpAHpoXic3(og+^H!oA*=Kh|#
-z)9-~mT;X5RRXq-*Bo;;hX6I#XDg3=(MxZ%Nw^*sL4f9Pkg49q;%FZ$h>V&E|2DwZd
-zb0a{R1$ot?e^yQpL#pUx?VWYRLnMsW%7--ugt4*a$I(}Hbu=0C{2_Z-8}s81q&aI9
-zJV$jFX1!0#)!Qr);z4f0ALns&37-$Ja!$6RBT&!xakOnxj9v0?HEOIy+<l<C<6=cy
-zQ|t-)o}D={D@t0V5ygE^tXANx#=`|zcH><IT2hpAf9N#Oe^a=M?c-PhHZBD2DR|)A
-z_kkkkgRth;iDyh!4ha@*roofjUK`Jy-`o5Yp%705$Xm2ned-ic&z6Q8q@6siL`rwa
-zXI7y;vPXX`1arOVW|;X>(jna|HALOL6>+lrjgECvKHr!Gf67D>%p^v_`gSa<g#9wy
-zU>$$4e+m*4;}Ckz#l?vNJZm2-dM=-bp!>L=k|AGKa`?vcIahAIZmTnuxhxl{YICp3
-zbH$qBcKtQZ8KAYVKc9+^HbatsPu{fE0zFaZHYW(`rDO+*{EDYApMIT5Q32n4CqAZ*
-z3o$&+QaVdGHLs9Cc0+|GA=Q3D8!`&+u~`8Oe;^^E@Vz;0#P`PM6$qBdZ)?J)lMoT)
-zz)rs=&q(e@F^-GlakAu9)f*&p!LhhDMXuDwQi)vur?~mo6<I7MvzXh;vcnA3K}0{1
-z%!uqr8J5W$_##&kQD0g_4khSjhUqaSFe3&DDuzgg_YDCF6)_eB6!52F$86#+p&3-3
-zJh0l8=@Mmr&0H`sFd;Ar1_dh)0|FWa00a~%@Tr5xA3dVP)kV68X&)q#DNa5F2>w(T
-M3X5P3IRXL*0PAOtl>h($
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12
-new file mode 100644
-index 0000000000000000000000000000000000000000..7a184f651e50d1443e5fe907b5a11455d69bc0d1
-GIT binary patch
-literal 2829
-zcmV+o3-a_Zf(r=(0Ru3C3eN@!Duzgg_YDCD0ic2kzyyK{yfA_axG;hRZw3h}hDe6@
-z4FLxRpn?TpFoFeK0s#Opf(2Cu2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=E8?)B
-z=7dfc0s;sCfPw`m8i<Ofai&Hm(P_s$d!F6-g?I9Sy864kcf7p~Pz)}+YcUXGNOh0E
-zLsn~MXHU~zY7+ZA4-4t_TkT5jPH-QJxlgRXuG*+4f19{z?ASdk!zug1$yI~43kAF_
-z^7R#E7s!mu3Qf?S^(?hCib2s~>KrWafC+r24#=H7D;`er=H*b_6X_JS?p@<<sGpNN
-zqrN(^yeo*_g*YGx8x-m|;7+m(GxyIMm71Kru+I$s1N%(5QfwxImIJu;s=km3D7KrC
-zrt36SN$OWpryz?P39sOzo4{lJYdP{~y@Yv0b<@9k`?Rzi%(=^x5&X5_<M--o&FZ5l
-zwtwQXK{+>Xs@2^$asn4KAS;Hr!s53%;M>!4_lI!jE@siDP@6({Y?SkW5h+LdIH$!`
-z_-XqxelFC+82Tg$<j0o^9h13)Y784=ZqHptd!}0}Pzj01BTTUZ;@BJLa?c^27)lC(
-ztaoyo<V5wa69e1p;NM@stQ(I7_FHuv?QX|j1hnmry{8k30|*Cx``@AfeivPkB=iFK
-z<nGJ;Lo4A!{nOS5Hn<;Zx3ZIRgeRgCKe~O-G20G7JzcntJq7BMg~=bfKr4DD%(|?z
-zIc{J>(YW7cLdVydSw%i;-Dj91iRUVJgL03EKjM>L^g{mUmKBVKsyAB4h;T<*EUp~k
-z5rfW}jFu*r0k8Y^g;u6zO^A+%O_lMV@d%&03_Kg*X^^o_Uz{`U5MX67$xAr!e22Ui
-zNAXN+;wkb+d}b~b&i1*3(p;<yi=lyy=z%qDm9B3ot6njcW0AkiQ%4Y%vzPAzmT3<|
-zt;#3){vvx_Yzb}A5UW#2sehaDY(wLL!xvW={pTkHfW_J&ieS|l58QC-b<}`?Dt?La
-zsxoQ>Exz@ODQOofrIDJ4q$8bvI|QlJ^WxvF6?PHha;kGKy*Lw>`x5`pX#xOpU&t`!
-z7)slT|4hs;jt~|+@{`;8_Mdj$GgX1<i->D7bOQ^)Q}w75-Y#V2+pavIB(a*V$3IEP
-zg?T;;_;l~R>6v}Ls7>PH|CSU4@<t`nMjMClMzYc`7mKbe>((!&99d`8mJ4VP6tfU(
-z4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5;~yqZdv|HCk0HHe6ELR7-?n<sIzH32
-zY(uum{L{EdOzP-iubYPVGvjlb<w#%>En3P5tpF1(5hLL=IZuz7bA2y^CwDO;azer*
-z!C$qO=WhrA@3Sv;JL{~5A4{ohyNZWeqOYnSDSb7#hu$$uU(aKsIIcB?CZ9J;Z5$lu
-z=Cjt}MYS&q`XV#P))k%qT34!b_#XJr>cQ`>q`i7hA!{`l0Mcf&{z`~2DbjCAeFaIZ
-zsk<<puH3?D$??}*pIP(TSe!kh4W2h*L*}+d=xoOa%n*7%L7c(MUInd05#f&(z^il$
-zYF!#7{k{ViDRb!K?HfMLks5^d*>_2+ZB>2+Y`;uY#zb8doC4=Dl8MrvwAKUL`Q@5E
-znq+%df~WK#qUD~jzbgmfQeAq_dvu$o@tNNmYJPp4oVJ2u0qBUy8Jxcoc2$6Hz}-~z
-zxOwJtoxJUF&6R0oar=qp*4XgOz)zgalsD+2B(!V3Q|`x>a-lDmn?dh^U5F1;y2S0+
-zPRYG~!nEeag~ngC@l<j@90t-AttD}(Bu{Oz+8I6(k)MzWx<vf=T?jShy_Sc1lFtMV
-zcgiL;CL?u8)sucr!T<VbVf)_^M7BU1MOU0(qI)(3FoFd^1_>&LNQU<f0S5t~f(0@J
-zf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PF7H
-z06iWOxUK>M2ml0v1jyDvT%JrGqHcV|9L||!v`3Xn^r^f=@jKTTw|8IP`5&TRwiQNz
-zuxF)@AE&AXjT8}6AiSS|MLo#|aBOswU;hdcU7DWCd`J>wJYfn542DWQmL+e#>?*H8
-zdH;kV9Zz*4#xxQrPTyNZM>hg4EpEgx#nP4#fobQPcfv18grG+nAHI;bL{ylamN8W@
-z<sUn{)JLO+HQd3kSKq1;PIxm=TEo?fEh)4az?P1F-fc|q<ksDIon+%vsmL?EC)bFO
-z7YtLbi$60ojZjQZwOvTMyHO2=H=KoXp)D^YnEhOicZHX=hO1_r?~A<bXK<--wv4}I
-z!1{)@#;{F#9v$(dq8!rVh3cpAYr+l><o|HuAQ_^dt5&&aga#$=W!k04AfdTyUPs7T
-zhkMXWWlFc}7egFVlIi{er{|^(6cGx!ENCS5B0cYQ&)V19E9<OCKIc)Wquk%EoJsAy
-z7h(p85-I4{$`EityxX(biS_xh*P?(9dv4hT9<J6|gJ)cx{g<L6lGzeo;fRuogR9?l
-zu39G#0ij&MMnD}Ar?pJ4k40&2C2>Kljh2Bb-jW^J?a^CKm+huNYxBjL<&hBZIF2SK
-zVu{~Wpo9P=Pg;QoJ|*nw7DjGB4y_W<Gmc@od#xD|&vk&(o}CkF4+c!UIe77qD)<6g
-z2%mXiI?pg754*DTetLNbI{+Zt?M0VjFHHHK>^t4=uyCXy=!hMY3cGj*<l5Y4t#m7w
-z-j;gDt&>tx`I>011gj_pl(O=FX4%Pv8{?*qOk9<hBxY0FmClZNb(fjFbH~$?P_{Q;
-zk4^&|)2fuE*uIa5Rx+6eBhwZUl;!=3s8jgC!;aQfD9Z@?L2PX$Ghgizq~7d-QhTd>
-ziMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh%g!EqIPY9B0ewTqT;<AAM9}0U^
-z5{V*H)w|J{-}bNJ(i;XK-5uP*z?b9(F?b~TP0%D2?<-G{IN_}9e*mV|XbnwL7^%?^
-z@9`N8VJ|h?Ia@G@_90HgeO+-K*bA-PWYjWir%8)OmMHzz$59$tm|9o`xFJmyJ9?&r
-zkOu`{=6*&`OVGL`3aWEdid~)vgHa?C)^m>whOBD<HNJ;b1n25pSQ;m*&p}VwF}_2g
-zp<%#9@0P2`Rst4U5~hH14fWy;>Jtl59yda9Br}TXCfgC9#E~QjpuTlPa3D;Kuf{=3
-zeP!#*-6{&>E_LrM8`cuctXs|<wCmeWi+*}Y#gm$VX{r{?kt~}I6BlcDfQX~U5$?YI
-zkv+fo-0Z0cS2L=)0PQR%AC@vGlW(pH7wJQQprGl+L(!;G2Y>W@67%V=)pB@oy&Yus
-z@2ph_mT_Bq{2J2QM<a#GX|=I;WhrwH<ca?=<mS{i&w5}QVe%Ac6HU4{@oefBpB;zC
-zMgvKsUWGhPxF#Zm-Kyu;+QhFb%D`_KO7(pFx?(SbXo9Y_<^yoB<lsIlu^+`Rh~Pec
-zOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteMhqd!L(uO>k74-EEJMTAE*X9x#e!==1
-zfh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W`OuQS?@DtZzW1f~nnyoP<Fe3&DDuzgg
-z_YDCF6)_eB6wdDm#+m(k+gMMPrq&TtmZjhf5il_@AutIB1uG5%0vZJX1Qce!+;T_3
-f8l0rJ)vn#o422}B-W3E0hg=f(0@~Xc0s;sCH%~#t
-
-literal 0
-HcmV?d00001
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem
-new file mode 100644
-index 000000000..6ce095692
---- /dev/null
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN CERTIFICATE-----
-+MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
-++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
-+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
-+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
-+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
-+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
-+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
-+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-+BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
-+EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
-+AQsFAAOCAQEADpj2VeHFvGVzb2o+qUL00+1RfpNsGRxrkXpolkjGn8LNIHoMfxAR
-+utnL41Jd1wQQ0FpbgR1fIXgCDfdMNWWIE0SPO6WVHVUVaDb2kjgYZ2bvR3FvTIaQ
-+thj3jyG5Qn/hJZ2WZdJ1kavUQzCcGKxcIQHObcX0x2wXWPKlO1S8XDS8olsi9KPj
-+y1nWUvLgxhtp4vwRuVwKtgFusgaTJOOaJ+yKS8SHr1v89GRPmff/tQzMgf/nqRNP
-+lmQ5uHLeo35DvS5akdw0Izi0m5zwMvOAGBY8lyHgpx8jshourr078Swy/SNdaMGd
-+fwDCc7tFD2dw3jRC1O5jWBxOuDTmUL0cVw==
-+-----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12
-new file mode 100644
-index 0000000000000000000000000000000000000000..6691b8c72aa60d647c4993d3972a7bc39865901f
-GIT binary patch
-literal 2813
-zcmY+^XEYm(8V7J8R_qa5RZCQA1f@#t8jVejsJ%mt+Iz&_qh?UNHnmmJCdA%UYnGy_
-zg0^Y|tv0UroO|zk?}z6+=luWYJl~!l3<dg03Lt}_K)n>y(0Hx*GdchzpbQ0S0ir-J
-zuHsr4irnU(ilPifZg3UpkOD}qmij*p0LDWB`u7D|00oR5NcER_L2r?C?;0s76-g9|
-zoP$#^&~mk<xQwDrC>2OIS|=F_sMsnX8)@2#;-@M`*t=Bh1<j0!+TCzA(97HyQ6WT2
-zf)@q9nFM;V5H(lX*Y-t{eWQeWY#Lz~?bko}@xO71W$hea0X%tkqn@5KeDFLx``tB|
-z`&L#REf>+Frmnm8t#fylmKL=Kk92~}LueGYkFoKdBM<Qh`MB__yKtqIxZ;gMAwA0S
-z4gZM6w4ZaY1|QkkOr=B15+}@tJWmZ=Y_(gPL=dsqYR$_C-u{p@+_BLmJibip%vq={
-z#`IBM4eRpLV;z>+&*L7DFr$HNMR#9xE?N?M^FnQZJ^OT}z~im)IwW1caxhYM;+?)l
-z6FfS#9Zi+;8|~jLBE|RqTDAHS-Es(u*=ip2^4OkHCUs}hqma-3PAVfv2kYkUh7$_j
-z2|o2WEq=(;OC)Sg0{2i&3wkEy+s&cco^Hy?ow{G9!#<1CX=U-w;l%M;QxsMc1X{6^
-z@6*5A?zKfo@cDpT+L%OfWgny?;`z+SIpl0Bg=fDrrRB=EaGDD+ODlERhx_l4t_MSA
-zZ`6*wF0gJrmlz&9>PSWsZRGWzM9)1?B%hhQDZaPZz)@56+a=hTJ^Gd+X{KWGzD#mq
-z-)<kWASzpM=9&a9Z<@jKiF3kU`pHt>pP0)q9px96kY?$-{@ArN#H3W~b5SQpD^r{(
-zR2Aa>s|ul_3wCEtZPXyZ-^r|UbeSu}@3Tf;uCGgUPxvsJ_f8btP9L)4Gg}HiY);_2
-z+mOZkK=xZm%YI+y7HzaRSCY`jya)<sRO5)D_3I%|Z%e%oqql<H3|~cTR02vBa;#~F
-z*zsBzW175|5nDxcCc50sZbp$q)Aj;KKT8JV8kg-R_{G?`t4{?AjL09JwiV>D=X|9p
-z4i<_VEkh~=A|CY!+4#xR43G<!%k8hrv>CR3n_n$#mB!Q*Caq9<ctSs&_e+3>8D{#S
-zG2G6Qx>5L(CX1A+juY-*fdn6FiaFyDIVxdbcL^V(xEaKTCEGE?Eg-?Ir|*F}s^5!F
-z?uPI=y0M>KgdCNtoMqO7WN&7|%ur<qz_5;uue3VfuLjieX0oa+N$1y7R){2%g`5H2
-zz0O5s-j;I#^S;9$M>ZN+YeMK2xf3r~lQ+GSa7%(FHQyBM<VF|6c?Y0Hj4~>;pW9P%
-zaYm6(pg&99#xo>+!=(tb&Z%<iP|wqL1fXSGEpa-QcFqhKT>7-db}vcu*5eLkNkGZo
-zzF*Fi3O>s*3bhY!SM}Vz^#%)mEr-e%Q@4<wTFVjs<`QO$5;(l0m1S0sxv6MktZuqq
-z2F@8j{3~4HC~$S`dScF4+P%9wsocq>;7yibf%Z7JO1P^k=rogOwEP53EasxnaeY|&
-z@#_1`qn`I>sO}W|rUxMujvfdt)Pw>>jdIQ$6rBk!R?Dt3>HE(ioW+$zbs`si)M<^v
-zD!WD8%JztN8Hd@%EZTZYNj~AzLgM)N-?t%C&ch~aytdUXOx4wsy9c5Nt&-Emq#f4-
-zHl=P`cgVJINMbU#Kdm%;UPucqJ=;5<Kyi1;@^ez!iX@Halm74%Y3j6^hPmH)o<vtL
-zm2<IClPj-}?TxXZzGUMsr5t!z7GrFR{w=j479Iw>x2HOrGV*FpO|#t8^HM1;b*9+*
-z?Zrj8WYTa5?5X87{AmuhQ~{eUOrUJ)e#{c2RMvjrL*+(0<u&m&=emc2P=?CmXB{pD
-z*d`B&m@7zC{s+=4VkLnna<QuzdNmLVn*Xp00+5!WfZt&#;NJgfOZK<6FA|ZC?saI;
-z-`WCEz)>axNW{6}k4rWO^+1h+8G`-UW2$QEGKUu2I^6J46a;(RUNp$Kxxh+7_@dXK
-zD3E6J{uf}Muo{~}jVZQ{9-6OTAubq-@rVmDa-`b|`7@B!AeO10305~@Dr%6}iV8CQ
-zX=X6;)T_SAFS7M$LiE@D+*=b7TUtKh#SiDT!#~CG=`dm~<FiX0K~BhKRZ@H1d-BT!
-z8x`x8IkP`hu~~DuW_~Z<(~tWTO91PUns1r+uT{SI!EQ@C0D$XtxvApW6m2Q1k3zXB
-zj9we()7WJAwqO;ir%^<O7gQwLl4AYv)i;yhV=4o#aTttn<3X6#2=n>xS(|WMh2cwC
-z9xApaX8)-#y$}a)r)<27$PL=Btmpkt47*NBvk8ah#FF41>VQUrT~(jsda)wttvb!-
-zM+f8nK~3)SE8Uzv>G&lV4)_-4`%LMHreSl%ftOL3EVsbU&-o^)j+>LMjzQhwIHkzs
-zj3_$2&5jM8($vnfB%~s(`|}Z1C!?xTVII!4JlFJ1^Re_w@F<Oh#U)x-`!QfmZzDul
-z*^>9G4mN$!!_KgcobwEi=6Y(|7ZRIDRJGT*_~94IW0yH%-kFs9feQJ1yJn96nt$lA
-zzrxgdtPW^+9dj6s89v$x=<t51zn7+W6R)8XLK-tWj<{&tjMyE7#4xUJe^0L+a{SVL
-zhhMVlhd~cR*L(9wn}M8@bnd9zPYMorfdYRCxkz(3;?5P}m)AXB`xK^gp%*YTfv(96
-z{DBuuBt7Ezi*{jATseo*^EMfuJIH2FSrXudM!1r(+V-h$ErXhhO%l^f=7H5uj9-fG
-z+jK830K`^}Znu1VGdQB(AaGe1c%bdZYD%njBB5zz0G>KzGEryP`-O_BZ+GS2{l%GJ
-z;Wg}AbQUBB4M?CzGy8Ssk9A|Hpi;6b7mn2$y?*zP>|QNHc|A(7fn(<1Cf>^n=D2i4
-zKzgEcD}!8bkWoA}X|O@i)yfYB<*)NprS!O-sZn>>{Fs%#IjfvVXcK`c!w>TZC_`)L
-z+iDpL1H<p==mOGdK2d0aJB(;w_vI%BR-BxIFgR-OGYfRdGpl}sqd^z@$GUHe!yc4T
-zj^9VA8a#!2Ck?=MUwRW3O%xZF!l*~nA|cXxh+Ux3L8?%ySETSvPOZ!ihD<NDh|C~@
-zbiy$zjD-lh_3Z;DyJWjL*h#Ed=`mFIsj{<`_a89a7)>%ga{1M#fkH5W(UbJ6AdC5@
-zU_?h2EWjXR{7@lx`=c0sVEQ~^7P$v3nigDDUJKG8QvK<ebY?=E4tBmY^9Sr}iNDaT
-zwev&r<yBc6XL79rc?WXes7ho(U3*k8Y4nQ64>%lSC^!oJ2OHT0o?DE{uPC?#3C(OA
-zki6%DF9nBN!6h`eVtXs4W(A%(^dA#v!!&+b>kELYWpRq53rJne*K(ZpG~HB_^VCt?
-zf}PYa%M7*9wP4L>v+TwLKvTK5;tbtW_0<z%<JR+D^a?2=Nu-yH{lXuBpMni?G+J8v
-zSD6z!@q`RrFu$9n>s`(G_#F47O@y)BStu}uBOf)QBy-Z*`=tIAm?i4u#!!!3KB7)I
-z&S&h+XZ9MjAMs0e`O9!!0W;w!w{oKJ5c?VTVfMz1gdptZe|4k=ORxc1k(BTT-5~lg
-z`SxY-DooVB&XB_ZCIRDzQB#oLrY9riA}0Z|8jeaL!SN1ZPMJZ5zHE}mPLR8nKq_{_
-NjEEGCzWl$H{1*d>HH`oO
-
-literal 0
-HcmV?d00001
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
-new file mode 100644
-index 000000000..3a5094c84
---- /dev/null
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN CERTIFICATE-----
-+MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
-++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
-+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
-+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
-+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
-+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFGvA
-+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
-+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-+BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM
-+BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAElYM
-+786mUr91z82s6QC0TwP380ze8yJQiaWifHYXiqIPay19M+QG91PvSm7LLZw+ersC
-+gEl/mPKrC89XlAFp8b+hJnGq6t6YmeC7OI+FapEMxpxX/X8eqAOQLrGnoq7Pm9/8
-+QtWaKgo09i7rmyykKl3xSU1VktBsmlhNPPNh3x+N4bxea9OIbZonPdDtr5/Yt87/
-+6kBPsGgvUUoIxLw03OmLu8AmKAwJja0FWyu93uCUP4UZWLEGpUhSYC1uUCpAZDNy
-+2AtPnxfGUDtvI9eMmyeXVGYXTfkfGZyvB3m9lyIj3VVmhbvr7qLAGQn00dbOHz16
-+r6w2aye0Me0GcU0grg==
-+-----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.csr b/src/tests/dejagnu/pkinit-certs/user-upn3.csr
-new file mode 100644
-index 000000000..958c1e043
---- /dev/null
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.csr
-@@ -0,0 +1,16 @@
-+-----BEGIN CERTIFICATE REQUEST-----
-+MIICjzCCAXcCAQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
-+dHMxFDASBgNVBAoMC0tSQlRFU1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkq
-+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJ
-+w0Qmn/qs+lNLjRTEZp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7
-+LiwbB36btYyEFCBW1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2
-+j69wqhPZIeXqqveV+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT
-+50CFuNkUrFE7m6KnFRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7
-++ixNvQn86a+91DdvO+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABoAAw
-+DQYJKoZIhvcNAQELBQADggEBAEMxNp5md+jV5dFC1iSKh2CYl3P4g3UMQ9NjLcyq
-+upjJmFiEGkEg/LpH4CoXI03BaD885S7akKPA1J/sG2YIrbl3TpjUJKZoJ8BjNT0L
-+tYc+JIODZJEONR34Fh6/1uRU7UkRcJ8Crc83+ML+71O2SRZRJDEOS3tVbdzjEOTj
-+HIed6Ia3cu0XeAvhoqRSjh8J0ufoIv3CRRCtRU8ChkmMD64p3kOTlORxWspAF8sm
-+Xa53bWIpyuyz/vWwpWfr+fL+Q+BQ1TU39xvy+46AYuQIIKzK9vKZdCElQwFXZs26
-+f53OyZpFjcsT9jJAM54XUxLv5rE3fqZQiBhatPZa2ThHt08=
-+-----END CERTIFICATE REQUEST-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12
-new file mode 100644
-index 0000000000000000000000000000000000000000..a9d4780c47d33cd4d409d6ee657a7911381fe753
-GIT binary patch
-literal 2829
-zcmV+o3-a_Zf(r=(0Ru3C3eN@!Duzgg_YDCD0ic2kzyyK{yfA_axG;hRZw3h}hDe6@
-z4FLxRpn?TpFoFeK0s#Opf(2Cu2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=yVW?L
-zsiFVS0s;sCfPw`mkHTA=UQUS+X!tCqdi>4cR+h_S!1xwTJB>WLrfC_;4Q{WSMU*o-
-zn@1qFp2kU-SDex#I*!6h8=!K8qv9pObzLDLmnzWdibwhCfJuy%lF%>17?*+`lBBJM
-zmXpRI{I$vJ#9ra!;LI(a-Y;XQ;Lg(@=%$W%N@M`uG=dT?Us_5#Ydy@oR}Jqosz*ey
-zVPGvYS6-Lg5~d9q+Kq_7hwvb*@x0}_hvi{GII8!JaJ+M3rIu;J>8y>3=gG`dH0^iR
-z|2dL^4OS11LK|#C4SCTCdZoH|NY!h^jRkR_ZBdMalelZlJG~EQsb631B6Pems-P<2
-zy=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@tqWP;7pCfxOI}DZ9(iJy)rS*nL
-z8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|QkembO|Ujs3}!86C73mgV0q^5iP
-zuZU!CsXRr9j$1G307B=@uSo~fVS&hEIJ+>AH&cjQ2XBCfI;BM))U<!v(ZU%l@LM`7
-z#f!jXE^Xq(g*Xp)kut|Db7M<CE!315S0|}@EIV+OB#%HpVx+`HE1fFGvW}22ROunk
-z%REb7>5*2LLkNN(0?0u`ndx|WU+*&cfWKL8;~Qf+dr$yMp*|3(UJ$X~0n_~&n<|bR
-zOiCnb3@;b`fsYZW;zy3u!xk;pHehyodmHBK(b4`FY+RdV=I@k+phXazTua8A-KghY
-zbHI;PA;HtNCqk1?WmxDfVMr;cPF-ev6fv2Fqj2|J6V<Fa!Yv!6XO5f{&4x7*xblr$
-z$21$cb_%C=5R3Ki8|;cMy=u8Zp6uM+x5`kZ3umi+t&q*iwi*C<yisn>MXUHxmH&PN
-z7i%{(&ibQjorX+L&72F>74o;aDdTY|SfNampj*cW`)4?RC{QhRV~@au<4#(Y1RTbE
-z+4)2+UV+lnFK&q(3AJu`R~b$_-o!)-dXZdz3uyEXkjR$GQ+@~Nrzj3Op78qsDTByr
-z87^>(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA-pr3<Vc+FcLJ>g54LF<k)IhGZk(A<n
-ztCZ(JeUto0UD=4g0HwAcycywe@c>hpSdbUZ|IdewW&nX@Id-7N;;8dTYiF$bj&+Vz
-zp+$O4o`v}qtLqJumEjK!5TYC+&IxPxnPJ?qPwid3z%qigSZUd*O)r-j4oE29GsC=<
-zw0myiDI9d*4E>t?xOcwEA~EKL0)VbEj&Uc^xro!On)Pjn$+w5R6#oT#|93jg*@V}Z
-zk%j`((IQj&TOx`1Bp_153n75Eqw3)xRNoBq49xGry~PpA>RD@*p=h}-LFRPD=V~%O
-zL!t(9?TCJvy{&-ipV)<Q7)#smcfQt}*A@D{{kggvok(%B$+q;F67aagnEgkAUNoZ&
-zE~B&W;7rkyxz^0@`)P<8{P12ZSnSO2dzpM#x^Fd3vR}}|RqK33k`}~-TBRT!M1ti1
-zb&;4TB%~+lm$*`-VYijnC>bfua3YR-|1T`d;?f_6b0}I+QRRVRCX;HVm@R2;PE+7K
-z3Q|#cnBp2{Ho#|+7-NPyucnCX#eD8mEc6JWn6yVrPT1jqs)!%NzfUi>O@f`DTz7r-
-zs6~@+cMQii)Zyfm5|I-1^j4{K7>B7|irNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GU
-zzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVDJEGu3Mj^N{FoFd^1_>&LNQU<f0S5t~f(0@J
-zf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg_YDCI0Ru1&1PBc+
-zs|CUhF3$o22ml0v1jq%o(IDH3ovZ^#qEO9*J>?&x>nfj%n^6>^V7C<x>U<!0JV>p+
-zETM}jN%cj-MzspiSpQ6CYmqrq{b{-|Kj>-Fd1TKY;L3MOk&IO)fs00$bk5ZHGFaBf
-zsRg6kCS^21bh?tWf1jQLIaT&uM>-1!L@?~)eWqce&iDF0qMSy`TNzT_)VB-&hdVeW
-zjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOhQWJ^oEshJdhCpbB9?+gW
-z%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl=j;AXtkvzSNzYd<VWXWkr
-z&3PU56OI7l8?Y;jSOTYKg_jP}g%H_X#EhKH?<h}^aW?}ca;yUSNV&$TrG)C3j2*g3
-zZWi6B9>LcLS1M3v(LEqdCXAG^SL1Jy92cADy`hRveJZ&>9tO3Rq_n_U2brOPWo6XM
-zre^&}h<m}oy0?@0IWEg_aJb66y(}368Oq~MW4I*-?85@!`dsAOWe>uWluk<kuE{>$
-z+B?xm6(8=jJ-w!B_8@+OFo>mq_>DV#ryewM9%Z)!#3=XxhO#WL%G$~t4CS!5WVoB@
-z9IwU{Qb#y?ADZ8(K#I6quZz_TTCR&i8M?`ng1<++_9q(O>U=r;A$e<K1gJn^Y7R?L
-zNQhzs&Ei0CwOwA?vJ2r;;}1H4mJ&||7VrKe*ZS&QPud3UPVor|?8bi&Mb#Ea4QFMx
-zEcX3;N3mp6I*i_|j1brNnkp^`QAZdAH9jE+ivS=|%Q|P&f8{anDm6a~Gc*;dyt^iC
-zX750!pW=WS#5htREl-wN=n~{2XZ{L*9dR&>p&O5PL~0ADX*&QcF)J*1tw=!<FTf=a
-zc=UE7NsQ5{vqP4W8r}XA9?pHuwN%dw*+a(im+()KHVNY*kEjsu^!sS@;lfE*LW!Yz
-zk~kdLN}|Bd62yeDNA7^Wgpu(CSO%C08)k!~fzCz56E*AV+19KtA8WPh0}^i)U*G!v
-z4wO??pkn;oX9CNneB+#z55HcJ`BL%`9CidvFV;TSIi7lfP_+QH2J5dXUgyy1(uXFv
-zP?QhU(#_a1iiPoA$zL687w629IXqmB<$E0;m)pq?dF9s7pO*82kXC1CO>Jp;oWW92
-zx_WL`bX!>KW=&X!8je^w5L8BljVzqd+B6(1iYw*+a2t*Og-{}@ahG~CSZjlKgN)_F
-z_gX<CTuQtj2;Gebp$<wwt(Db@r1C-%kxpIzU`glrSV8Q=;C(WR(2VdK`efL?>^4sG
-z?|whq1p%Fu)%2@m@;098MdnS5un)e;6`RgFr)yc~xn2wcd|aAZWeZIH?b=2rqMuuF
-zhM;R=1L3DiNIjP$4H_N4*lqU$eq7|>Ys3|ew5^EImFF1cx!T2ja<qOP!{1MFG}`;X
-z++FD=jC#Bv+}$<E1E*Vvv;VKSi$d6eo3Tfxj%0r**!t$Z*N@BLo2Pz@rN-hmSp;>X
-zfyvmtstS0orV!Q7PL#g<h)rqZNEM!OYYn<n#QqAdg76EPW~eh!<11hngVaOx;{yqv
-zKOAV}g7%4{<iW=Vy9*r=Z%u4?=O_i0#t33bJI<aCrhp|z;|OjRDAh3~Fe3&DDuzgg
-z_YDCF6)_eB6u*lQxi}3No$KBvS?o9~*aRfay)ZE_AutIB1uG5%0vZJX1Qc-C#Ob<z
-fZSGOyk<Sm+xmlwpJI(|M>{*$ChxfS!0s;sCZ%;ud
-
-literal 0
-HcmV?d00001
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
-new file mode 100644
-index 000000000..ffedb0d1a
---- /dev/null
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN CERTIFICATE-----
-+MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
-++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
-+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
-+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
-+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
-+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
-+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
-+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-+BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
-+EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
-+AQsFAAOCAQEARVeLPouequn86P3LgOZQ9LpP6IHpY2ZQwvNviiA8Zk0hsqFXnmwx
-+wr3JtESim3EPuwQtJ3jXp0rxQB02r5r8sg21OjCeAB+vOz3IoF/y6WEYlz67LjMB
-+XCB6Fuq80IHhVXWRi7w8dVI8xcADwIOh6fgzwbbk8qV2Lgn2Giivstp+76PnRtEn
-+tavWlWW7bQlXkiROYh6u3Y8IvYYoIdlDsXQBFSRE80Rc2jR2XGKAz5CDEZNC7RAH
-+Z7ON9HH6IRBOX1ijmXhBl/39QQ5t+ZYgKk8OJpL1RAZlJZtGMBwJtA1aGiAFvqTr
-+aCREHZfn9NAFE/szItH7hxWJv9RISUXYmA==
-+-----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12
-index a7c2baddf67f5a8c6ad97b661f6ff285ecd5bf37..67c3fa2eb01c9fdd543af9172dc63a3955987ed6 100644
-GIT binary patch
-delta 2825
-zcmV+k3-<J&7?l=4FoFva0s#Xsf(q9L2`Yw2hW8Bt2LYgh3djV43dAsi3cxUe1$PDs
-zDuzgg_YDCD2B3lkXfT2WWC8&IFoFeLkw6`PS!_%EJgRB~0s;sCfPw`uq>L2N;;rqK
-zSyqcBB#a`vq%RJm?UQRey5syNN;I{A1gyVwKE~n@jbWz;r@<T^_1RhEANi86K>|AM
-zlt-Dw4#5`C3%OE;suP^fKAkmd<0stTrax4cKBYi#wmDyWkH@HTEzF9<gOuO|V;;$W
-z9;azbqm~1`At0+>Vzb4z(Px-u%2--OA4DL`@vMDzJ%k+he$KUV+etb#R@X1p^xjIQ
-zHHCI2jR$-F?jK09io?qm@M_cn8*o;ql~XNl6dFi83)IqmcEQ`VgCdb<6p=l&wDNBh
-zCsi)gZ^pn!adN6tfqjU59L{WP9ZTwex*A&&TJq-rK^pl7CaosnYypN4z4}f_$-a57
-zM>j1uIhmSFRBBso?WIxHcvNXh7@BuA#OSnOJLPr!CPo6T$^vk}CF!iZW?)pB$=3O@
-zrfxe$v8EVwa|3H6ER9y+OaA^AN?sy_V(?K!suZGEvWScYsU%j8Tm223XbjYUAviV<
-zjRVqXMw@vdf|o5^<UO{AMF6V$Ln!G#8`t}E2`S)vG&#<1Eq!a<wiT|qhiq7=8g8yb
-zjW$uxWLCwLr~7=!p(Gb@(=Vh$v!J<LhCZZDqqkUxCB;IYyl||K`6R+irSMolq+G{b
-zDWwX+sq+2U_{~gBqzToq)Jh_MC#FS2NiBY#TLPb|ABHhbPvcA2la_Yjh8xuL;0O2F
-zSiBps<`Gka5PDf|)#S*@#QhS4HAkyc9NsPbmlf`+h0)e0zB@Y_9FuF18*?HCo3fAS
-z_;K6GIm(SLa#l2dbSW~K)p!|mB)EdWmAW)E5mzQKvI`<6;`Y+m=@ff^Kawb^-`!F9
-z3m3e1+a0c3pbC#29dz0woFb{j<3jl(#WDWgN*EuRH18|4C<@w^-;kjpOg}Z+=c@uN
-za#V({M3Qaoz=<*-!!J$={J_qgS%y;2>9wFcIr=5rw4>$56__Xd6#^Qsv`g(v1=Q8>
-ziP0(7aSZ@G=xc!){8#vY(P0#=2i#b!H0mS*tnBJn+%XiU^}ohqA;4n6-qyM>pihFy
-z4Eln#fQ^@qtxx1ua<5>n{y3?<OD2yq!nYACrk=zLsyY8{CVq{NDfC^v-@Z^O*GRWL
-zU{*JR?iyAZ%%cM--B>85=BH@<Ol*Vq*R?5XS{9rYTVzaU=l)NB`x1E#n5H%0S`v+_
-zdDeRyLVdYP7T@-GEHocD?!NZ@Oo;<ZpBZF0hN%IVLe}$)u(rBO@;_=4G-2DnNCvei
-zH3#9n6LfE%P!i5vI{RdU;-blHEYyR1lD)dvD@XZ;grEciY4&Gu4YNH#;ljP0DcLp;
-zg%(Qi^?i;)?xdA}X)}S5>b`Rk06z{b>dCNW6Oo&}cxMKGgz!y(Zd1EKXWX|R6D%;V
-zO%}A{2XK=U6Q9)>4CCpjR7Bmj5tGi0`fNAAiyy6Buzq`yQ7=G@(jo4kz~uX3a|leQ
-znPbFK-QrsSWjW`ZE0l0RbzoN$EaUA3xKZT3H)vpww4;H4Y~@Fxa(N5MMgT3L3esA&
-z#khOUkdtQeZ?ujc@i|b{Az$o6ji1SvfQ2P4Fl9xj(j2fRfXM91NY?TZi@9G~Q>8u>
-znUEbT327qTp=2E;8j!deS!wcJtNPg<C1<jy#^anMHKz?Bx*KE;S!q&;b6`^<?;CTA
-z-b3F(Gl+$M%SPni`Ow6=hpRru_{aO&%M<VogpWRTJg|;aCag@SY3#f?XJFp4*{P3b
-z_2FnMi>6~u?|e$Cn#?wg>Gy;!h%T#ZZm!|+sp>F-1wjT0Duzgg_YDCD0ic2fG6aGJ
-zE--=xDlmctCI$;ChDe6@4FL=a0Ro_c1nw|`1nMx8x&{${n%1@_Wccvq0s;sC1cC&}
-z(RN}-FcTn?seem_$6vscHBDugxnx8L|3Ew+b;;a<>LT@K6&!=f&;v{-fr9J4)RI5E
-zj@&%tk43H}?45`sk;yf*U$h5Rp|)9F6Mbki<C7fA>xr+=hea8YdyXbvVtQsqNcpBZ
-z#n8MiO94WErRUY&{G8aC13PpOJ~sOK8;S<+Ie>LKd{9|1T9WiB_c>(}FfnAf;L;jb
-zfNB;<Y?FRgNC31l)i1C0^z|Hg->hfdYtGs0rLO^TE8t4y7e>6bF8CPHU5uP4jz$Yy
-zbL9m*YvAtA8!^vfrnn<V33?dQ*pi<KCxwr-G>rj&CCGA^^&svs%|+8*DEE?lL`tj-
-zf`rq7l(SqSOVc@gT!bIJH%*ulo^Rrq8vp}!YD=*9th0b|XC4K5kKCIJ#G)UbZN)Ww
-zSw`3^C#o(f`hsxT+he6hh$}M~2Q87|(edYIB5yDLZ(%;MTpajfq_bj!59ytas5{aU
-zjlC6r#g*`SaxR%zzqQ6BW|Q6?cyz1Bvuy6fjt!Bo`$oo^9;J^!3#!XmSiw9*5%*N^
-zQ`2(jBGPjpt%+*4Ds-K8@v?N$LVXpWSJgCCtdxP8Ct2+e*4j(<Dijw<R6dfPZ_0lS
-zy4|J(ug3Q5ayou4K~LGu9DWR>IdxkRy@~{XUZ}X+DyjPW+V9xWn;~GLbJO}s4^x6;
-z6$reQw$IdY>X?kq_FmyYA+B|x6euPPHyfqnqwIO~_)n2=R;F+z4p%BJLy`c@dS(2-
-zx1Ora8m!D>l^j=a<4^I_s^luw>R2~vsr^$6814D=So0R^I>^3!lj4S1`0<`!x&sk^
-zT)bs;3pPzQTN^KA4O2TRv6Lezb#;s2(3`&1@Is%>(bImh$?j2Wv3z`eh8z^5Kqwnx
-zB9UF+NI^$^U>1@@y>$c-eUN_iXYM_d)Cc@f!jXT6&#y70UI?FBobSP=?)}8^=fZC{
-zH4+W5iQxFbHcNUHQfmMqnc71wJlHjVLAuoFS6%YV)&L9jzQ8?M-MXaXY8<Yb7Neza
-z?6F2~O?$}9eeWg7bThsG(M~OZNI_iD^2qVZL2NYK7>IG+q)TT3^jVwS*gQ@y;alU9
-zYt%DyI=C1o@+PH7AHTADb^xm{o(C~q=^;j5^A1;iPuz%5H<<!^IdG1yurgJDD2<<q
-z8`&1~0HiYRpQg`pdTEHG-H|vV1UjFYFoS5a-9YS@4HmoUkuYX{J+GwS-oA-0FXu!y
-z#wf94AQh)fgUvJ`7xlF^W;vR>;GtbhX9NhsDtNX{U+Rl2#B;cyXCk!hT~J7*4P9Lt
-z?sqAVi^dY}SlRgxYg^JcHm7@k-95OD4H6){G!Nrf%MW&7s(zR_*{b+<Q|`yJ*mw|P
-z3E$ti42Br_WT<Y*#q+%__sI5D(Jp_R&$|7BF12snPyI0b&IjR>Ys$MBCm0-*&fN2d
-zLo!o!O^GGE95nVk4@7S03xTA;N(*fPCX`P8`Xm>azWsS23xZYFbkS9REW0}sxCq_W
-zZA!1X2X1Q9)%6x;w#V%=r3cQCtdG~JmCf2ML+=s$*YLOY&xjJu6R*W@*bAA>)DitD
-zLn3);mi?f8-j`_w`MPBdP9y){Ok{43vm0hfd|)sc>x+EAS}`RsBL)d7hDe6@4FL%i
-zF%|?Aa~UTT2sI*=Z7gOy+Pr~M|3OA6;4m>TAutIB1uG5%0vZJX1Qf564%Dx{fH@}(
-by5{;I{o2EAUPuH8o2f}+U#knW0s;sCTvk7E
-
-delta 3072
-zcmV+b4FB_$7N8hFFoFym0s#Xsf(zmX2`Yw2hW8Bt2LYgh3)2LG3(qiu3(GKq244mV
-zDuzgg_YDCD2B3llP%wf9OacJ_FoFg}kw6`P!$C#iY;oVd0s;sCfPw}X{k^@yX8+%9
-zwBJ}5flvw<p~C+b5!^M80vu!HO723Fad1|;x`tI=_j@1Z8|!?5%3NEJYiC^lUYsL%
-z5dZznn-lQLh5N;8gb-q*z-{)OM&M3-Ly~xbR$Lhn8J;`l@?%v>?@^UAz@E_15;f|7
-z%=`IEmu8Fm{;M@9J1*`p_pIcRPLK(+FMWn?4Ww%T0x^GtUpOaX{(}d=6zfxU*O_P_
-z;{8-Vz=+PJ*fq5Q5}1P|h8#+LByXQ+P>3e*vahmych~z9*bcGZU>fX`OHPSi?VqiC
-zB=Rqvb+r)J90J&GI+Fao+TB6@Z9^%48aMh$*5ZZ;bg}FUG;4;3aF(v8Mc%?$$0qwd
-zc3^N%>ETq(6vTI$`2w_1Oa<kv>X?h#=Tof#*z5MeSw0*v$CMQcQ$S>moyee?d|Ygd
-zOSrQGiK>X-ozcDa;*JHQLCC}?$LH>?!<k<KzT=^3OA5rb<zBCTIw*>Yi#hRsnX1OX
-z*EB3%Xa}bdITw;zI$pm5MeS#lApv12PFz^)>i>;Kq;rwfsX%C~f|;W&4uX`4^<kHA
-z`0o4w@AtMOXQ3Wx2w;OKZSvOv|5u{}6)`akyQ(-{&}by}d8v9219I2y7qsqtoZuLW
-zJ>{hYr=Sv0%nHrgoVxp@+Oa2pz6_!d%FIr;pRDqUYfO{2<~UWQ(O#?)HAW1rbVG%r
-zq9bBAoA9db8X#}@U%8%J7?%N|4`BO{Kf`A)Bo>s1w3U?&wtbya#nq(}in*aOqVWwL
-z54v^FBkaQkJ{{9QU=Swu92Ip%GvLLOIDd7VZmIBi##hu?f(v78%UHjEu7or)#XQ(K
-z6nwxUcCasL?i8)8F(v3tkFjU0@B||ae%?*I6IKzV$B;Xlklq^f`Sg6cXaqJHeeaB=
-zR|Kl&E3F1db<1&_nuDc1V^iiCJ{=(AE^+aqY5NBcI$5;qni~17mHn5(Ds))Qj>(fB
-z!cAhp`uQ=F+SOD%%+Ha38w{~<FR{sk$=26inu~W`r2Cu3x{A*UO0NQAC$;M-yY&>j
-zo9@HR2C2O8b?-H5VC5*x&5I%i_u7WWj~_7^J#l4mNU^ZX$|TykZ>kn^P>m*4do=8)
-z-lvs7RD7|XX;o@sWC$=qUP|t9tI!D(6aWp9r+d%S@i=hsUzZGj4`0ajob3mf39g=O
-z%sLUXQul@047pG(XAo^Bzg#aTGeIP9XG%lsySCBt^BD;L!P?o>8|72>-F%bY1Wq+-
-zQ&co>uVf4#KdH09JZl->qdH!j&5obWpC252k*~RRm`<o4Xh==|8bTM&<(jyD>++aA
-zb)ix<L-Q8Z%xK7eyAzp;dPWw`ER~iH(G<zpI4~L}IT~p`j!Hh<b_p<QeXVYAk=RY<
-z3U|E_nkTR~7GgRTQ}GglV2!iarE<T;q)0h@%yi4%B(7v{ON!dJFVzkven{tTdz-QN
-zlt-g<4wg!_4Ci_d<@^$(A`Co99`YTlnN5v?t*)+nTHQT=%iVY#XJQz7gWseBVq0sc
-zV@Vxs1P|2EKeLsYzEk${&ZMn*;?qIvBx2sG;3dm7fD+h9%vIt*!Eyz&Jw&9`>=M5o
-zkDSS^SpDZ46j6?8FSSEt!hzU2{_KAgGG#C6JOuiZ$dBlrIHJI>a!|_ci}n~u6wfBn
-z1&}v(3R~EJEM#g)ZxZO$;#Uy*l%8e6KIeQxo6!Ev!p<ocJPg<cdkC9iAgt!+3B=TF
-z2S~%YWou5=^qPQ|f9QWH{Ry`og$nYCY}S~`1u(Q){CL4zhI5L?!y%tuXZo*uEgYKE
-zRN!3N)r=XdHnsHu=L5<_lt}VCkB<adFZYz9K6XQYzAPu2FD8luiKc9*i3leXVaN9e
-z2ZBR?UR)_<7Qx33^I-ivAtat;bb_hax(P(osq&*;YZlXXR{Xm3)?+nmc1a7{z$PlD
-zrq$Cwfd5fXsm)l>)g^jmB_%6GXqkLS>=3J;!BiP~zMs^7_ZV@z2e~h;XLQo=1(w3<
-zKSrEW)`6L0#?Y=Y^OVjAPol3~Y2-UA_>BjuU<55l@tHF|>M7Zh5YYg$$Med8J1xt2
-zLP*MiFoFeS1_>&LNQU<f0S5t~f(2Csf(219f(1=5f(1#FyagwJq&fD@`vm@c0s;sC
-z1cC&}`Xy+irCUz)2Kw55kk>Q6J*E3t0>aCid|=?nFOo@xF7nMEwFSqGFL=q6+5@%_
-zt-z3k=H;LP>M5^($OYSZJ{(r}tFwIj<o%s_vs09`ce;;kiZ)4pao^xsib14kF=-1>
-zvW>%k6&+&B`~)0-Gg;CuKJ}d10CU^>UaG3Eag)cBnkgpw6c$vz5a->`qeYY{qOzjV
-z$lM&d7YnfSl+TL;$Z%XYD8P&u6+OPseP8BbQ`Co+4qNH^w^HP@t~i7h`yya}!u<<K
-z54%!<9uQ%Kvg&0*hb=fOA`N^6;CVOdBr4ePeV^FhBnhy8s5=wcpVV>oz#o;ZUj=Hp
-z(TV68ifC2(4C2=wv3r~1104(jA4cs9gd=F=kJAOeb?#j`oJ0bKe65FiHPEx{!4^2M
-zz^<`>c3WJhEzhxX)l8^flHtnoU_1>9oCV*rdmGdTgN`7ewco2nZuA--|EL=EaG4Nn
-zpF~eT3tG2-f{+uROTHXdk{V0)X{9@F4mpkfDP7mjH8Tej5p$_wAOlRUsVV8eC0hd`
-zl4Cv#L%OnpO;^-jK=n`BoqWJ#I2zzYA;sz+Y;icw<{th3N}p#_Xrp8*rEd6NEX=<f
-zW?Yg<22{<;TT18&mRU}yPt}1YoWw~e+hwK$tP8b&zxx-H7mqBn2f(JCf<iD)hst(*
-zNL$1-;9~+%(!5{9Wv(G(!B!JoAw>4@Qp-i%c1jGY-l^{T#gMCnLtFM}i<I9#by%PE
-ztI+o$_3K>Uj!H}kK_5;CTggujzqx``SqC!?Fq@kO^ab0Yk*7|TX+l3@A8Z-brb&{t
-zZX^wVHoy<e9Xw9-`NlUwKElyaQs9W^lWxjmHEA{YGaL}0seMJWsg|Yym9v3uYFil$
-z6;xH~)~`%h+?<vqE(hn(s&8V>g=NeF)1EnnZ8*NrQU!QHwFx6a1u4+j8i75XaX{V`
-zTejP79{ii}hnRQ)sO)7qj>Pd@U}lVl&(b}Ag$oc4za4|Y2`)pu(3@Q{oocgpL9XPg
-z&ARc&g{ZqR#9ls<P?&Om&qDOH_6+58x=kL1=A>FPr=r@2fK*A|lb4n3k%R8?I#c2D
-z;=T<Y`Uk#ka-f|^#Zy{ov54F*JNfOHh4jqV?S-<R(p8Mbj|waXK&zK%o@}yDZC!hR
-z?LUQSf?t3|QEJEmL9>TZZ*j*ygj57wLl>LICIh&x-2VrAPjpHqNvA6BWcuW0J`V>k
-zX2DR;M<%0M5rj)YL!vo}Lr8*yNjn|jEon4LP>F3;n-~NKB>zj8a%?p*fZm_SEdJB6
-zP-Yt1+4};5@fwomsJaS~^N?NR6BXot?2jw}Jgj_7AnKjnZoO5nIY`wuDf(}pQfmod
-zE}t2${x!MEq*UT6S13ie-bH%m!2V*Ai?V#!PB*W9mXC+U>&7FB$YbjRT!@-#?o3x&
-ziB>ytwV(g|m}&0NES6Y|(~D_kcv$pTt6{{O5=Tjd*U#!Tli@}SuFK6QcZ9`%x3jAa
-z9<pmQAJ#w3{-PfDOomATm|`Vc9YHCwgTF7MHgl{?IT>wib(pG>woZhqj$pub<jt=!
-zrB%orzE$^v?!D`=%2V5t7y-*tC6=bWy*o1DVcqT=I+3Uczq9#HEHOwhAqEL5hDe6@
-z4FL%hF%%vW08{{F0CNCz03ZNgRRD7UWdL$8BL)d7hDe6@4FL%iF%|?A@TX$OY~nAW
-z8C0II+Lh@NWq!?EFflM8FbM_)D-Ht!8U+9Z6cOc2pr%Srb1djXx^j3QaFZgRgaimA
-OZhODsvxM#f0tf(M+PpOY
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem
-index e6beefcde..f6d35f370 100644
---- a/src/tests/dejagnu/pkinit-certs/user.pem
-+++ b/src/tests/dejagnu/pkinit-certs/user.pem
-@@ -1,32 +1,28 @@
- -----BEGIN CERTIFICATE-----
--MIIFkjCCBHqgAwIBAgIIYo5oQQ6iySowDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNV
--BAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQHEwlDYW1icmlk
--Z2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMgSW5zZWN1cmUgUGtpbml0IEtlcmJl
--cm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBu
--b3QgdXNlIG90aGVyd2lzZTAeFw0xMzAxMTcxODU5MDVaFw0yMzEyMzExODU5MDVa
--MIGhMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UE
--BxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBr
--aW5pdCBLZXJiZXJvcyB0ZXN0IENBMS0wKwYDVQQDFCRwa2luaXQgdGVzdCBzdWl0
--ZSBjbGllbnQ7IGRvIG5vdCB1c2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
--AoIBAQCdgsx7nyfLTQyCyQk/u1nc8hBGlCRcYslkojQd+e0JFsi6+adl6M9Ip00z
--J6PNEjKN3DUUMlQCeldhyJzdMPnzXsbkfrdSuWUAa7L6WFBY3MTpzoq556t69Hek
--xqodeidp+VVqxS7l7YABZWcVvPjHTi4uVB6Oo/CbmxHXFN4tSdV9Jjvk1tcYgTjz
--yINXTBbyeoahVaf9OxF37sq5BQiQmm3z5XomTqE8hw+p7qHuZc0ayBzl0FKoHBVy
--NT0Nt5PjHHESaBB0u3up03BXVk8tCdNCmiA2tPm5/ehJs5OzIzTYY5auIhGayqrz
--Wx8yum+JNFEPCipNQSGgJKivRSZzAgMBAAGjggHEMIIBwDAdBgNVHQ4EFgQUWfzZ
--FQqBO+QWfRyDDIJCk15YLFgwgdwGA1UdIwSB1DCB0YAUWfzZFQqBO+QWfRyDDIJC
--k15YLFihga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
--dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA01JVDEpMCcGA1UECxMg
--SW5zZWN1cmUgUGtpbml0IEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMUKnBraW5p
--dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIJANsFDWp1HgAa
--MA4GA1UdDwEB/wQEAwIE8DB9BgNVHREEdjB0oC4GBisGAQUCAqAkMCKgDRsLS1JC
--VEVTVC5DT02hETAPoAMCAQGhCDAGGwR1c2VyoCAGCisGAQQBgjcUAgOgEgwQdXNl
--ckBrcmJ0ZXN0LmNvbaAgBgorBgEEAYI3FAIDoBIMEHVzZXJAS1JCVEVTVC5DT00w
--JgYDVR0lBB8wHQYHKwYBBQIDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMAkGA1UdEwQC
--MAAwDQYJKoZIhvcNAQEFBQADggEBAJZ+5CMbEj9anyH/b/jxUT8yGgYB3KGj7qL+
--RdU2zjgsQUMSdnlqQzpuEcY3z1wK94dYQVsPaYBv+zHl0rXFMfKlm97nVdCJi0ep
--vplNAaUlhkma3D8rkPN5LmIdHslpJD6pwbV+o69aCEsrwm38flmEnBX0OUynULod
--icDvxOxhmYG2kXmUmF7wZXI+XWX8b/TloDNLAnYfjKytMa3SQdp6wtj76BCk+ZZQ
--GAF3D0BS36lkNQ/8buHFhVv/tC/rFvql8DRbFzk6W02Ymq2OhcP0uz67rFZ2KjZ5
--Z0WP1REC8Cv7yoqOKPk8S+1FK+8RdKHjT1n/n+Mws72F72bxQWQ=
-+MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
-+FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
-+A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
-+dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
-+b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
-+U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-+CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
-++Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
-+AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
-+O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
-+ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
-+G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFGvA
-+yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
-+rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
-+IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
-+aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
-+BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b
-+C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF
-+AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQAzbpwzIFJk3a1BsrL7KT3B6aYNs5Z4bnwm
-+9dG3D2S1OFSQAbQt/ap5Tjz1RWabqWaSb6ufAKudQ6Ab2uKT8QhtmVByQYKDLYvn
-+bIGgoSeAcvWHWsTeReSADr2b0E9+UT8znvBDQGED39C1AgiVUWHgIExYU0kBrP3G
-+1CgWQLb7nZC5rKOkcK/Nm4XL7Oe+neiCr4j9adbGxeNHmt8HPuLuNL9TWkMAkcFo
-+5INHHFzNmW2aHdvO+7lDbK8/E0QwiES6UbBvQOkTyhC4W5u2Yy7qbpsQleu6jOEz
-+l8b05sf4FxhHevHtYUVuyhMOg8DPmfclnGX0Dms7aLf0s3oeSVt+
- -----END CERTIFICATE-----
diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch
deleted file mode 100644
index 1afd9a1..0000000
--- a/Add-test-cert-with-no-extensions.patch
+++ /dev/null
@@ -1,1120 +0,0 @@
-From 565311d74c7532f9948b7b0b803f093aaa40afed Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 25 Aug 2017 12:33:33 -0400
-Subject: [PATCH] Add test cert with no extensions
-
-Add commands to make-certs.sh to generate a test client certificate
-with no certificate extensions. Re-run make-certs.sh.
-
-ticket: 8562
-(cherry picked from commit 0d23835660ab131d244d395e4568969b5c0dc678)
----
- src/tests/dejagnu/pkinit-certs/ca.pem | 32 +++++++--------
- src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes
- src/tests/dejagnu/pkinit-certs/generic.pem | 21 ++++++++++
- src/tests/dejagnu/pkinit-certs/kdc.pem | 32 +++++++--------
- src/tests/dejagnu/pkinit-certs/make-certs.sh | 9 +++++
- src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 ++++++++++++-------------
- src/tests/dejagnu/pkinit-certs/privkey.pem | 50 ++++++++++++------------
- src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 2837 -> 2837 bytes
- src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 2829 -> 2829 bytes
- src/tests/dejagnu/pkinit-certs/user-upn.pem | 30 +++++++-------
- src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 2813 -> 2813 bytes
- src/tests/dejagnu/pkinit-certs/user-upn2.pem | 32 +++++++--------
- src/tests/dejagnu/pkinit-certs/user-upn3.csr | 16 --------
- src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 2829 -> 2829 bytes
- src/tests/dejagnu/pkinit-certs/user-upn3.pem | 30 +++++++-------
- src/tests/dejagnu/pkinit-certs/user.p12 | Bin 2837 -> 2837 bytes
- src/tests/dejagnu/pkinit-certs/user.pem | 30 +++++++-------
- 17 files changed, 174 insertions(+), 160 deletions(-)
- create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12
- create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem
- delete mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.csr
-
-diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem
-index 44c917687..f7421ba02 100644
---- a/src/tests/dejagnu/pkinit-certs/ca.pem
-+++ b/src/tests/dejagnu/pkinit-certs/ca.pem
-@@ -3,27 +3,27 @@ MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowgacxCzAJ
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ
- BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i
- cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl
- cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk
- byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
--ggEBANOWvXDyubZ/Kf8QYdPSRk/rsogzqS0rycNEJp/6rPpTS40UxGae5MyLHfmN
--l2mSevRoHSqhb7cfT6n9kR2kb3HB0qhhhecHey4sGwd+m7WMhBQgVtYaiWkuEQDC
--7/SWkRYzmYX8J41vrQulXU2/2pOQCmG4NKPsNo+vcKoT2SHl6qr3lflUaIG0wDu4
--bFrWszkxcuSkU7SSXDf2xTTTJ8QftO6WQY3g0+dAhbjZFKxRO5uipxURez5EemVs
--Re86vXEILka85tiVS4maCn3l3FWMqcBHRFNa+/osTb0J/OmvvdQ3bzvscG7KDRtM
--bRUnpWClr5R+AbGVvKocj5I1+G0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBRrwMkO
--fMoN3ofjotSWjK0c27fYYjCB1AYDVR0jBIHMMIHJgBRrwMkOfMoN3ofjotSWjK0c
--27fYYqGBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
-+ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId
-+S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r
-+rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps
-+h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU
-+OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO
-+Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX
-+VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp
-+9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
- dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ
- bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0
- IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE
--AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAN82zurZwM
--TugUG6b1symxXxOdDqwinwIlQjzXJ8mTRv31q+YwNdYvdWn1aex8v44qjFDjEP80
--83y18CjjBHznwxsHll80QmFHjpy6xtRrUC/Ak7jfKnDiTKQYBdgmF4/UiVQu354e
--QI6jPMQlrWZXThlRuBjM55hs4tgRYeTgbd4VSZzVQXdm2ViZkg8SGqw0R2ZRnG91
--dfXkhu/tTruguPAT3MQ2pTK/CoHHA4W2piQbBDqIl83fphRhYxyW/cCF2mvZZUhE
--AfWhgYDeTDxHKG3Jfmm+ujMo5HscgeUpJ7XjZdobNhkQjD1piyuGzFkUfo2XzA6m
--kMz4Jq4cnvpz
-+AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY
-+/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl
-+k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU
-+7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4
-+Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH
-+Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk
-+qlhbJdEcjHr2
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12
-new file mode 100644
-index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8
-GIT binary patch
-literal 2477
-zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@
-z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=hx$=L
-z1<ixW0s;sCfPw?a(gHBV*LQ_7OvK|HbaN^W^@n_~M?&;UFQ(vuXBLc&;u~(t@2A_`
-zN?~wJ?GFR6qa-(OLAF=pT)y15jOd>6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV
-zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$
-z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Q<eKW?|>j#E{tn`2{H
-zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#<UsfX*Vr)&0;G@6Mf89D!
-zH$DPc!csOKzz?2oPfu?Y$m&s>V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR
-z<Cze2yADgeOah3?RT8`UX$Mg(o}{pXQCI>E<@*23b5&ny_nUSu&QRYf<9<Br<4Sz}
-zu(qTFtQT~xHNsSZ_{J7Zq~#p(OzhU`O|n5it<yUUL#qC?MmT=@8vZ6Ca<ocu-6Dr8
-z4-Z-4`bPGQD~=PUDJSLO;UOIpqzkR`B-1J^@U90uaBM9eQ6oWbIdBxD$^vC#oJIJ9
-zk#^*H8=MbfbHZC9l8dBrM`T(28TXvNeEC~K+UQhg#5_uyGA>ZS$K+zIxKS{-TDjaw
-zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_
-zV#Eei3)wjY67{AC<7Jdb$1Dr<t;^O$#NnswD<9%3Loosj0sQS~YxCP@d^)K;FWe$3
-zJlGuiSqmn9lyw2@_(R%?dz(EjH#!JRSAk0hc;*ufrtQcRt0R@yV*5;Tz7&JL3|!y~
-z`Sj5k6pFX!?J25fU0e!Xyb-jrt%pq`TD8?dx$|;fgCHJ@Cx29TMN5(FR-Zccg^#tO
-zarkYUa+_;I$sb=t-gWhqyW`132nt>skBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a
-zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh
-z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS=
-zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$
-zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L
-zNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SMFoFc?FdPO7Duzgg
-z_YDCI0Ru1&1PE&M1&nJFpMC-Y2ml0v1js4*^UmfbY1m7h_actRaA;dGKozjwpW<*f
-zLJMkle=~hq1K8<clzfxiE{Y$XU(^23k(PS;Z#$1b53eOu$H%4TBn-WT8P>i7=~UOR
-zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q(
-z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8
-z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp
-z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC
-zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{e<gY9n1P=zK^~MQD(Pb<NQ@
-z)$hO~Ydw`k5$aHcw4Y{UbEZ#qDNfqgn?l^o_Zm`mSjK{0!%3`4M>S4V-1zL#^Hl>}
-zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`<v;BYz&F-+Y#-4VY%?rkV()Udk)B4K~q@
-z5|7$qS;nPsi%nISI2ytysTp#!J_~^sMWt)mxd$@4VU(>@TU5bt()(#ACb9{Y+&=*3
-z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)*
-zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y
-zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#<?yoDM3e$L&#5x9uekTVOc*%sW8kEM(_Fo+R
-z>FU7a%regezQN#<IR5;9RwiRTB_fs_qlLhgjB6k4n1OItFvz)AtQvTQajQ74^GMk+
-zyv!~xR0*ak9$s!5EO;tFI&e>m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X
-zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN
-z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy
-zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ&
-z%}Cbjx7lK8O<X)~(Ayl=Q)OSdTE?AEfkl&l)>xbcYY6+T8eDcs^;Xvdw>6;}lnp8q
-zOI2Bf<p>+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^Avux<n?`bX_-y*qM
-z7-)bk6U4W0{#2(JPIO^XHVV5PUo$Cbs#&0nNI9sYiMd%^?HAW-8>K!KnnF`7+J)np
-zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6
-z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt*
-zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+
-zEh;f3Fe3&DDuzgg_YDCF6)_eB6o<o$W_TL6&4sv`u`-io>fmTa$1pK4AutIB1uG5%
-r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be;
-
-literal 0
-HcmV?d00001
-
-diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem
-new file mode 100644
-index 000000000..706c2f341
---- /dev/null
-+++ b/src/tests/dejagnu/pkinit-certs/generic.pem
-@@ -0,0 +1,21 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD
-+VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM
-+A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex
-+MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy
-+d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT
-+AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP
-+TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-+AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7
-+Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W
-+ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP
-+XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo
-+pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y
-+2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ
-+6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0
-+FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl
-+HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee
-+8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y
-+lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO
-+ebOF6zAD73Bpkw==
-+-----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem
-index 8820ad447..4eb811deb 100644
---- a/src/tests/dejagnu/pkinit-certs/kdc.pem
-+++ b/src/tests/dejagnu/pkinit-certs/kdc.pem
-@@ -3,27 +3,27 @@ MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSTELMAkG
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG
- A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
- U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
--AoIBAQDTlr1w8rm2fyn/EGHT0kZP67KIM6ktK8nDRCaf+qz6U0uNFMRmnuTMix35
--jZdpknr0aB0qoW+3H0+p/ZEdpG9xwdKoYYXnB3suLBsHfpu1jIQUIFbWGolpLhEA
--wu/0lpEWM5mF/CeNb60LpV1Nv9qTkAphuDSj7DaPr3CqE9kh5eqq95X5VGiBtMA7
--uGxa1rM5MXLkpFO0klw39sU00yfEH7TulkGN4NPnQIW42RSsUTuboqcVEXs+RHpl
--bEXvOr1xCC5GvObYlUuJmgp95dxVjKnAR0RTWvv6LE29Cfzpr73UN2877HBuyg0b
--TG0VJ6Vgpa+UfgGxlbyqHI+SNfhtAgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUa8DJ
--DnzKDd6H46LUloytHNu32GIwgdQGA1UdIwSBzDCByYAUa8DJDnzKDd6H46LUloyt
--HNu32GKhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl
-+AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi
-+HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u
-+K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6
-+bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6
-+VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i
-+jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg
-+V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC
-+qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl
- dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg
- SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p
- dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E
- BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL
- S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG
--A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBABJpKRfoFxyOUp9i
--Z/fWql5anJuZElgBSbEC5sL2mMcmL/1vqkiYF3uF6/Z9g4X1LX4QDuvaXCJSdQ+b
--JpmhklSyFN+E/agxZtSim+AjTgYJ0y+jwNvX6kZQ8fW3VLNJZ+zbb4n4txfgSROn
--7ub+02mo4DYajyD9TE/qLzmVaiKLEKW0osjxX3fB1RN/d7zm//NDPsezzUzmKkgz
--u0ML7HGYUNY3+/SC4ShF/But1IoY3/I46lB6BMrIn9X6fsVKlipqrRFniUk0qDlJ
--fbKVB+MvGEFoqFNlMoGiufmDjnJl4PQZCVEmXO8wAVGeK8NpTBCjltAAsoVJVnjq
--AC5jSAM=
-+A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE
-+hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR
-+rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga
-+JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK
-+ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6
-+aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD
-+GjaSlyc=
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh
-index 0f07709b0..f77ac5813 100755
---- a/src/tests/dejagnu/pkinit-certs/make-certs.sh
-+++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh
-@@ -164,5 +164,14 @@ SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
- openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
- -out user-upn3.p12 -passout pass:
-
-+# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions.
-+SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \
-+ -key privkey.pem -out generic.csr
-+SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \
-+ -CAkey privkey.pem -out generic.pem -in generic.csr
-+openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \
-+ -passout pass:
-+
- # Clean up.
- rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr
-+rm -f generic.csr
-diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-index 837fd0b01..ee35e5cdc 100644
---- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-+++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem
-@@ -1,30 +1,30 @@
- -----BEGIN RSA PRIVATE KEY-----
- Proc-Type: 4,ENCRYPTED
--DEK-Info: DES-EDE3-CBC,19FEC334A4D4391D
-+DEK-Info: DES-EDE3-CBC,7DF54DB740F92845
-
--S6pSicLj30Jlnu2OnYM0eXCvwAHR3xMhhl2N0gheWUGkjicqTdW6ft1qCmGBre9b
--/aTSF1ajvFC+YQ/iABznWNmRNZKCzTK1dQ6P73p83uNqWt/cfe+pVYdeHw3u8NKA
--fscciBtxnHNaAs16GX5/j1XXRPb+zmUe18A+VFMRgctbaurk+KbxO8qVUkzt9NNa
--v5zHkXnaJf6ixL6zR3cOCJWPGy4GmGeFIytQos5Jgn23Pjn8BHAXf39GMs2n6g5V
--eE5RAGDeXqPv/tO1kN0/RSKDeIPvKW6REklXraRUle0PNN5g5l3umSkg4fkplusp
--nTsQCRWkqyVcMpxcf0wy7F2ZPOYIWDt1/pzAHC7y/fl0uCQPz0Qd1smwt0ABKcZv
--m9zaMq6lkKYnBOxPiYIlWVlQi3RLDiQyAWQz/nF0SKsE88SUlB83quySJsZsLKzk
--MR/C+ccSiHqMiDKVj5Ts1go+gbj8Vhlto8jH6ynQj6lrOIczyMmgUa0v0dFH3i3/
--WL/8ydJ0otY67A8w5yH3hMzRChXQZlpTmH2dDhAv6EzKBi8eIiB0Em+laz5lDv6C
--SfNxZa1/+bSAvXr7LwllUu+Gzbu7MNLwfB2ieTqdFQGA659DjnMqyBGLFzni4Ir0
--Hi6Uh6yQubTm07oqyUHAsChGFE4Efh4O0rCbKKPZuSVfimUZcE6JM9IjRC/0DIwr
--LZSYqsFgn44byrc62qV2JAE2ua+/4aHHI28hIZ3MDLwyYpCQL/FAUZtqZvni+zgw
--yoHLRDbdrqPps6P71T6Pw6OQzAYC7AL/FsZnLJK78nI+Yai0dpyv/QWiFSXoDEVN
--6vQoDv/VZbNIctr31OE4XyjIMiTpn3FPa3VSbKM4/h7SthjwEV2ONNfR8XQF+siz
--3NhOjEFrZ6UGHvT06wo/hp4CM7u580fNu5HvyCyIwkx9CZRLHvG6Vu0emlzDfQhE
--qxQs6L7IM8A46/LPSTtmEA8Rrn51YY9NChMdY6j3rLe4NLxxOCE6JYaGWVWBBawK
--k3y9z6L9gWRwxEfCgWIutDrYtmA2aj6y/vRS6LrotCNeN5qBx+TdRnh6uCqbi1T8
--4rF20TVhNZ/l+pkH/ehY9OJ/zpwdbTq4FlE0wWQZB/vwbYP5CZKF+rU6IXnCZEjt
--Ak6Bka9mFm9Z/TvnKIRYiXELq32zOJAuEOQ576tkDX2rAuIQAfE9biX2qo0gbsJo
--1RIfXekRurD/HX54blv5mNqUV34gl+ngPpV5nNDy7RuTAdP77Mu7/ynaPfnM7nqu
--rECbZVv1HZSgTi+7G9SUjn4Bg36p4NiF0/dZ2W70byYIQvNPNqU1kyeSrZk/43te
--NwFgpoAKVbMD1rZ+0xM2YCFFKQZZMN1a5tn8/1TWPlPU28Tu3ZliGeWMdeKd4/MP
--vfH1pE58qVcyOngjLqGkk0L5A7WOAgu+vibKrxGxywwVLx/GfDFqnNr6H0buwXrk
--vuKBTo0r3pcbaZt3kaYBm0d3zznQI1O/pX+eGiNr/rI86j4KC+jUSoKi4BdUeuDN
--p1x6qyEK37kgVXiUyiEXO7e1arLBZMfFRTNKVsN5ewL441eCIgs5gA==
-+3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j
-+LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu
-+hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu
-+d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El
-+N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T
-+d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg
-+q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ
-+2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB
-+rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee
-+RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1
-+fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg
-+B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG
-+nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ
-+zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa
-+z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB
-+RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw
-+KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj
-+swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN
-+9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw
-+U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+
-+y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF
-++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7
-+XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab
-+f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A
-+OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj
- -----END RSA PRIVATE KEY-----
-diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem
-index 7e9beb09a..548e5a8d5 100644
---- a/src/tests/dejagnu/pkinit-certs/privkey.pem
-+++ b/src/tests/dejagnu/pkinit-certs/privkey.pem
-@@ -1,27 +1,27 @@
- -----BEGIN RSA PRIVATE KEY-----
--MIIEowIBAAKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTE
--Zp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW
--1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV
--+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6Kn
--FRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91Ddv
--O+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABAoIBAH28SS0ygFvLq4gw
--EwJOJYxeswQvNuxp5gcMm6tbyqkjEHVxDtkwuSQ304M1ufF5o2lT6Wko7/sxNyT8
--Utz7l2JRXL7E3U6R6ohgm1tTyHIVY3OWWCP5Nwjy4BXEwdVmGCfKWAP/+P0ajQmr
--pguK4/fmk9TIIzf6Kd4u0lOvYcu7AYfaBj9OSSF08IoE1EA9gY3Mh9k8C3d3JDhG
--hoJKwMAIX0PRyx6cvmpuAJyPf+19K0/SmzpbdNOHfIXZKtfYw3HxmebhhyCxqNsY
--opI2fpn8joasvfcXICBFRHreSu4nKc8ky6FkMIc5KZRiSP//N3oFM7ZLxciMjfgl
--bCYqST0CgYEA7xfrB4atDYApsmLk92uHnC2bOmJhncfAuLHh8M35fk09Jt6CMYPx
--Ydp4cKYzMemO5zzHxdMnlmISIWWtNbm/gR74KZwOmhFFEP2LE09hpAXRBfQvN5af
--RZwMZ9uyJU5ByecXbIt0cuNerl8sKJfG1S+/maD3dZvr78K4Jd6StTcCgYEA4ozu
--okBTEZ9h7lxdBBbZcO8i/eikPeKnCEBaSryf3K3Pr/k8Ssaa7MYOT9yD+iRwU/uV
--n13BA1I9PvdcWl6ewZdOYX4jCVCIsLs7ed4wfwLxGQMZIVHPZ59lRmVsZFO08g0D
--27U/rUZBpMHl+ppq/FfBjyyUSqayKjcBoFXx0XsCgYAOzQM+pwaldE6gfWDBNEXj
--1Crs1VRHqSr0BAcBmi6cs/laI6IZoJpbvWOBTbiTmWrAQ9H2HBkyRQXsTVgIoGQL
--gThJkyCQRwtoftmSK3LW7Yk//hrCLS/U5lEaSM5hYtPNxOF9VbCywAKHdtrL9IFZ
--hygsQXuwKyPS5tHxfjLExwKBgQC1D+Hg9vvtB67jLBqDHCfopJcYywgJFc5dP+Fp
--/dreKmPkxpMzSAul1Jy3owwvrVPBKz9nwSxzlRSx8Ex1RU4odt8D+CXUWfMFHH7q
--ZXPo7tb2II3DHXlf3fq5CnJYtLXXBiPhQriDqbTpErbVVPjQeOqPnRdfml6mcpPw
--KwA7ZQKBgFzqLmWqy7ZnZdbBo4CUUt6B12eaPCW6YNpOd53zHOphaiZLq4rEhpiZ
--S6JYQTEQYugr0yd6vxsVL2An58niRg1sM6gca9QqBlGMzaQoXaPx6OrLW2WoS5+I
--MmVTeh7yvdop+6gvR8Eoh4cI0HoiJw8oQOOneiXVnh7Izk+WjKXb
-+MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC
-+iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp
-+guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj
-+STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88
-+hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo
-+AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX
-+FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj
-+a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo
-+rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b
-+vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I
-+xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT
-+NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ
-+71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W
-+64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN
-+K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv
-+SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx
-+Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD
-+vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l
-+GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX
-+0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI
-+CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl
-+OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4
-+t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl
-+aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer
-+6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg==
- -----END RSA PRIVATE KEY-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12
-index 049602939def4be1fa9164649b39a801f417e74e..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644
-GIT binary patch
-delta 2706
-zcmV;D3T^e37L^u|U4IAu_0R=Q$07m(2mpYB1u!tho?ixcuO0j=`>lGTs)`UgGm<_)
-z<FRqmWn%pS)IcQqE4xmjt^GWpkjN3ilU?#<{lsF^SOD<gXN+Nnn&oDodfIZcOm95&
-zxqOL=2<PpBiz1xlP2w^J?hU#tjG(#fYuRK)$hH|CSktq&rGM>pKPe)yNdVeYJWc`4
-zF|P^R?oh5stR*_(MT+TZR4{&W9qoqi)f&pBxOiQbYZZ1lmQ#Pc4q?TD!0ns{qlu}U
-zz(Odv2K+dfougnpE_VouJ0!M7bt6;%w@&*9{%SfiDrvUdRZW6CSckeD^E--2MzmZD
-zliS3w_y8kT@PFwptW_3@*xAKJ7u%{U_HfDf9jg*K{X<$ZK~Z=^`bq{K)M1SMGVQ^?
-zv#j3vs0HG{<v$_fwY45d{sUgr3KaH!i5o@ZAMdT*w&mxF{Bd#6rGd;cFHuuC4QyuU
-zWtK?T7HAci4IWSwBKqRZwD3!ugQY3y5-k`)`IBm*@PD&ZGo`zmy-UI%qVb9igw;ag
-zu4B_@oyd4J7|V#YG43Y+vphe4A#je-(nTPkFo#R}taq_<^zK?vpm!XU`1Zp+!#lbp
-zG%{BWDc<5rMW=rcNP_6N7a%mAel7zGbB`-%;P^1!*=KlsIsd0X<pM*pwtHLDlro<b
-ze=s6MIDeG9)y*e15CDpUpMUn0Y)uJtr$>g~oN&R6F<awHk=!m#yDWlWY*|xM^~y!w
-zP?NA5+*91PhZbIr?zRQ>PVPVchC^z{P@wq`t};KFoH0iPJC$e?G@1S`jv>DCV8RB0
-zmIsXlD|}<<BT(;Y4o7mvNXIChmBSuu`mA;5dVfJn@D&$8mxu!CY&vd%Yc63nwX|?Z
-zW~9`V$iKUJy5eAfF0@Ib<d1V=>)cCDUm$lZ#mt_Z{Bv{YU=x+<ZS-0J{J!ZZQ(GK7
-z|1OjcR@xi#na~>YDXTvPmRZqmcS<j*C!aHkp8o-gk;)F1tJd};GD$jhMd$jX4!5ul
-z`F}C|j}0uLhv2;q=pmiBZlALqVXC8E#FvvJCOpB<bNI@9?`RbDw%hQ0)QL&Arg;v)
-zW%kK_{9q)7B|wZw*cGeYcY~GoEHFO>#sZMLcxp_X>UsXy*q9%5!2Sahq`0+O!z?}T
-zi$jc*@c*4b82s)hz9gxO-sN=XmM&gwlz*+BOwds}(8bcfnOwG9>c4M41I>BdyIE6(
-zXbn>T;bsx#*{293>WqA>Y^T8DHfefzJaoF~ZIQJHExS&`Tva3s7=r%MBNe?|IHadr
-z<bYYwdzS90PBZb$HW->3;)tG~fkk%kK$~?KlYIw23fnj%9teHJ@ZW*2W?&0_g?~!F
-zv4KH{ocV+%s=kSCbfuiTU@S3?HSk;9`=V>fXAVPQ5yJ-A3VGtMn$hyJjBL>)Xat*f
-zk>LDwCgwH<7MZbk%enw@_RMCIr@ki6QHeb<ZSI2Tg_@M_F#R~{fk%G*ru^hD)YFXn
-zog`24=6ZBt|My*tX%=$=_ORincz=V>;WK_J`RwaC8Mfd`O!Ox)RKq~fUu_iU>d?3o
-z{a5i;hDvlYB>6O@o?_&bd+Lyi(>Q~@du=M6Hgdv6`ogLgF)<s{P=?1wq^3R3oyfZO
-zbU&yzwLS?ml6xI2>jrfhJv2PHS&O?EAOq?#SMnKNcb&pBwlq5g^OegV?n;MEw^ee;
-zNAm2zd3N1vCWnEDkE2q@f3WB!pgs=2pUxlBhb1$h(bH{Eh$P!rF3CGZuuACYydD<L
-zW-1_YK;I*vlg7MZ@YgjGlbr=de@mz0j%31q%>n`l00e>r$h%Gmj<@&l(&Xw}Eidkz
-zz@_D66&yL_Rt&B;1I)=kuf6ANgrS(5a+rcm&O0Um(1W@-qtpcTe1y@SR`1y2+!Bjk
-zQw=o(lgh9Kq4o>zszLR*B2s9LY?-=8`IIV7);U#dMhstBw7oiDXdQhCe+i9pk0cnV
-zMlgF0u95BdPI`jmlfO~!!}altl{kMJXBOyAE&JL=v<&Va3rMzRzEl_6c~VY?np>Zo
-zc?iAu&Mt}Dt}KDnI_!(wF&W;btDeR~!+4GFOI$qsL2rSj&Nf1Z`%l4{qYJ4Qo$_}#
-zJwxm6gK(!^XH`H3GDvYMf6ZXiHexfG^(D-Fhn88u;X368WggB2*>Np*Ni+Go9sUe9
-z{=o5{uwK>`NVcYMf4tOHNIsnqr!Hx^gA~eWZks4J^1j{2p{HG?g<?E~o6sHc!S~?s
-zB+QE!wBL$pgL~a2`Gd}kZ`%uT`8xyOlaRtci4z_LBw0;Cy7Ixqf2yGApSm9WGwVIJ
-zi?Uc7g_YO=6jlc7e*H748fFE(QJ*Y5Urg^XW-BvgmVe`wf%ezDyc~gX^?HDT6-}`6
-zU~C(o@sYuqEBql@`e*W4>@>qFF8lS7+k^J`&{T!%j#_zl8OmX0^a|L_Hb^Bf&;C%^
-zDRf4UJIncVpMKi6e_p<H-YD`KcD>tRh8&L~a0c+OZyUh4xk_H*ZiVT9oPj~^=?cH{
-zvVq3YVa|#w$>d?3-K=B$mSiz|5L=0aU%z0r5=NXvy%;*bv}`8zSe%or`$-|90;plD
-zBMc35ZSO>Cs2V+WJaJ0#L+Y2{w9jWYmI~V$Xh0U}91I|Pf1})&1-$>cf4IK3av<t$
-zEFr$Z|IWHRHIHp=dKp<UZ=^0juJ@1V=q?z7cscNH6)ebp!&3X?FSvs`0>bmhiO_QH
-zUzb|*rY0bBQH(2Dz0^m5V`6s!4}lu+2Z4sL!Z;_w`zlgnxe2p>);eKXeRgPbE8hM)
-zh`oOs<_8p$e;6ws?`vcLw-*IKpOB*Ser86?AiRqkbxtkcVjVI7;D@#G#Zz{htm%|t
-z{IL@z9azcPs?vP_JN_heR0Dg%Z|rV#jIu&Cz<+D|zX&(+Uz{)Hp2UasosM?7e~B}}
-z@Uc>9Lbj7eqH5pI{>XB6W3)`4gbWgDP6bb^t$0U;e~hQjWsuc=W%5osyn#COy+0Wn
-zfXyb`UV#nIfFOyKcTxpXT4y|ytF%_1G!x9h^LdFL>`qCd-xJuFe=Cka?oHZzMvv?F
-z4Tv$#KpEY*>=SF~eJrHN-&}^_T`nbeQ#*zvBRah$g$#AJtiay_Dr(%Vf`f5yT3Wx4
-zPw9EGe{U+zCREP#EnqfSUY`b6m<cNYbVnYiGk^ZgQ|{(}5{>lSFbnd$rpIUC2?Bx*
-z&*ahaHlnLZq_)8PFZU&7S##TPwtTI){S}rL@XarlH4%tMe*>vZ$pfl61)r>6REt#6
-zA1Tmhn;*&xXn8IimR;1v;fwKcbLt}hCu@0Ke_$`LZOuZ5IpYkzdoDeo7LH_jdX(6n
-zI8<+LlcXr9=#AM@2Sx-NbWd|hrC&4HEsn(_cD0F-dOu17hU<54gBG6YK=4`U_l4`A
-zqM(8cTN||R5H++bkzne?q5MIh^^GwlFe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8
-zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00b00NU*E?J0(4Y+o=|f0;Fia+%K{O2)&NJ
-M-JAb8(*gnr07yzcC;$Ke
-
-delta 2706
-zcmV;D3T^e37L^u|U4QCIImcZ#q51*>2mpYB1u)u~5}22I=HT-d(%(f9DXV18Kbvj`
-z^Vtj&rJIy-KS(<%B=99oy)c{aYIfUfQ83DHHOZ|j5N)Uw`u|wFUxcIoSdpz_?)9%H
-z4jelm#2iJczX|~|@JmP%-E7N|LSD%0aE|sR%YoM&yhB@K41Yz9lq-Pj*c;G_qu!n*
-ztG256pZmHRbI1aKr&uCUv>WoW;LeiC%96yY!X+o@FzzAxrOHu)3g?VLl=`oYO=8u*
-zFUXhf-E-pg$i=j~J5AnH&n@YvQR-2plWV!|u18vsOGavYQq$5K0c{Y)cD=>F@sB1~
-z#Ce~xs1%rGd4G(-!z|O%#O_xY2j{voND30(DGP7NkMXu3u$QVLc=<PneBErXD5iSP
-z1|6E7Bv#I<og{^~mx=0aIaxKcopAy^OZwSjpjcq>J6%CHpuQKR%i~VGy#97gZKGgC
-zQ)7)_hvF$URord*Z(4C$&;M+0oSafecrT1A>TOAXhJPO!S1Yy!|0t8mhQxU9F8H0X
-z{bS7WoDJL|;>UbB#Q8kT45pQxG--}vOh}`IjL4HRI%JT7=!MOS_w{ZYQc1Wgh<|oe
-z$UCUD%v2lcu!NkaS+WPMqtPJpP30!cLsAAZhJP@(6PFg+r~_<<Zrr;P9lEz#(%Z;m
-zfv8p~D1VP2gMU#hP$>zPu>L)gER|-RptQ7t2T%-w$coS%U?y2ty)u$&%U58*x^dW7
-z`SK*%R6K^ppp&Wo_dd9jlUx<%Ga!U2uD9oPe){W-$sAC0PPA!QYj{>3|COVWx@pS^
-zdR%$)XWB=Qo{$wdCUX>$?lfD!Jxy3?UC2xmiGLhV`RaM#xn>#Hl~j;aRu7ujxtJdV
-z5)OCd6$2Sv{U)1)H|`*tznwIA_Lu0xM(g7cYqXUD@0)zWD;@cM$iz>33hI&n$WKkI
-z?VwZyL273la`IMNy;tYMRF(sMS(#LpN^yUMz<cm8)DJ#CU2=Ovvq80$W(1vTor%q$
-z=YM382?dMOVa9W2rx|t~XVS6#!zj1xPiZvjC=_qRIP5YSkS;dG|Dk7HU&p}?yDVSM
-z`R1Wx-UX(PTmU0?Pk@qG7m>!Pw$N2vcnTC~i=mtZwXPXpou2Y*IPGGimihPbppn_&
-zRXBY89ppNtTpqy$L5I&2jYQ23<2e0@(|?7`1y<Vp?bfDKgbA)4H>3bhH4C9A`JcTJ
-zs*Mq{z>yu<Bqo>s8k4sR)=<1ex`9V?dYzv<wi?S|Yy$M~Wu8M{08LMR;2IR8^$Q$4
-zydz}Go@1Gkk2t4FKhBK{;oy-Q&lX{Zg04kgsMt;;CMI>H0P5C26D4493!(r1*M9|H
-zKGdn}<Tf+n#Eg+khGTN%ac_3+cLthh9o{CEDk`9h*DId$kof@yIf2;x_*pQ5S6n7g
-zlZFWx3AW0N;eW%x3z+E`pjETVWP9=tixcM6e^Bc!be?m`1Iu|KU%15>RlVi8Q0R29
-z1>lc3?jlMQ$F%QZs$yVaL}+TuF@LQ*|2oQf6gad;5|UIfZNwdOVy>MTwDGXK0pZYq
-z^=+s6V0xCsmO-;{zxI2J?FM61!lojJcLxx`>wst*?}YyyRfPPHWL&x?0k-<<U1sv>
-z*`9-8I`q-`7+Q?mYB$<2tLTxDr(QAj_V@HuB~m*PuA2~|AbRG>SaP0yE=us-t=HQY
-zg~<|Cdt7j{a<D4aed{z$kCGud&s0Ag<x2wqd+jCl4*!B<oR6tMKo-wxjFc4Riwwkn
-zyCwjj$)TSVL>8>OwxZuklbr=dfAs{AYygi_jsgM*00e>r$Ow~3k+rOeO>(s`grF?$
-zJG{bdqli57x@xMkpB<fy<Lo6cgh70L^STB_45P*Bn*Uq4Ha2~?hW?grDTiTyXon5m
-z#K@XG&SjkQe5~|QJKu<skpZ4f`=^s;Trzq{o_7h;uJJvQBYF&UBTD1Ee*v&aj#+mt
-zU${;-Cn53#vrQ+>3?9W>*jR4I((MPl$BvNhVhbw?_vgtkh{C4|j=)L!maakLdv;I?
-zQAlp`ykIYDUK>4ac3hrzJuJgy{liWNPtKgm<L<)09Hty=HS9Q_F0`w8#txj=jh-ly
-zra3p!xaGrtDfLxEySUiYf2#|TSjfBA^+g%9Z|7TMK}SV+du9lVmPc7)<Di-N%VlWO
-zz3`)}m~zRj#a8xX23>w!Von2J<Sd2XS!mT)SfJVanq=#{TOt`4gYq)4>@L_?kwdzL
-z*LC)1U0nZwV%P}Nl}uhfIo5hPM76mjv_P&mM&vHgsjqj|mewKje*}5b!(zjO+??#p
-z^+fSxFa#sKMfh^V7pW(Q%@sfS$_a6jt%35LjT(p^IHot23x3e7QBt|q8Bx!}hMy)p
-zjHIkywUCO1=vwR+a-j{-_L(+dG~7>h(22dhbKe&sw5W6hB_<hi<z63{^)|?nUX5;F
-zCF^yMiAwXB^Uhhce;$`Aw|NJa1X>qBi~5%<dWS!%uj;AjRZV8jIy_*D)Y4Mjm*9n)
-zotNkeZRN06)VQiJEK2Bbw9a*c!sVJ)edN}W(<8T;$<Ozxsafe-Tq0O&dT%66!3%wN
-zM>rNy$JlVt9!<+)%x(%&o+O+@b0ergOVP5w6uAeaVE|mzfALIEdE(~%cE<pWNaBWa
-z9BnWB1y((d({Pf9#6oq=2bTk<08butC+-0JC+PzSPgzCg3BhuzQvF`qFSTk;vHC6E
-zUEk+xB+0d10>j*Nx1l?I)xNe5I~CB-XG7RdT=};;vL@W}qgN1X%CMMTb@z`j(^Hxg
-z2+k}O+$v2Ie|Z5<UHNtJx<c;*;WQ}Qr`3^+V9N`?D1xWpr^Y~<r<a3A6E`%`iQNya
-zV0!iz{z8I6m#3SF4BNh9=AnBYI7=0ht+{Wwp+Yr}ePB^T_i>?WpteEE^-jk3x*2kq
-z{l#-|^i)J+)WGL>*FSJ+u}4ad5!Ni<Xq^EsWS5!qe*;!SD08O>RTj*bBOEz4N1ylP
-z>^0wkW58HZsCHK&O*4YkvSMBQ2tO%OVIE`(y0uWHS!>4~{B#t&21e9&djORBw&Q`g
-z2)Kc2)NTqH_|x#q1O6HWS5W|}5BOBUZ%Vo9Qw5NOKV&)yHS`wX<ZyU+nb{^7us0f(
-zYJWJ8e@p0!{FL5ozk+<7*aJwo4aUCxiwU|)jVc0O!}g+b?Vin9Y$X){1#-TO^~QG}
-zqQ@F+YJTLY+kC-~5fBJ+0JUz@M_P5JGWV@hPB#GZ5-jFX@L2863Nn@opQf6>9$DV8
-zZ6V?M9adFv7f3LmPCzozft%9ptIIDEtwklxf0b0u(0L&L4qp#ge@p=B*bmxjw(;PV
-z;Cshn-XXPKyoA+FG;h}OQpsj+-)bhjhBs`0k|`c7DQ>1~Bt@|RjJJtP6KC(6#0L4m
-zt*tS%Rdoj>M3SepE)k;MCOV%w_xv#>Fe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$
-zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b0Mw6Ml6`rPp>w1kFoo;UO4PXV|D2xTCM
-Meh!`itO5cE0QPz^F#rGn
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12
-index 7a184f651e50d1443e5fe907b5a11455d69bc0d1..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 100644
-GIT binary patch
-delta 2698
-zcmV;53U&337L68=U4J7*Cd0h`aFqfA2mpYB1t^AZ29wx*eOgc}d`r>Q7K3iXfn7bI
-z-h75b<#ho7#K*k@hvV0DY72<m7<CrkoDySrRb|_gU#{1l>cD-+GQbBx+_M+%n71zn
-z#X29cB(NtFLejt8_}`1}u<)0Fa|N#PFrop1;9l4e3fW%n<bT90_cK%bgt1P9Hhsx`
-zM^##Ak426pZRux=z(6>Am0812NzC2PWtG5Q-Le3SkbJQ8%$`CRQF5lvDMt^VA%Nf7
-z%gqA3e;};~*2a*2L2#V&7p#=9h0m8OkwZeltqP35E+5dzCHJJcdi2I@dxk4_kjEOT
-zj0U8U0++mnH-9@Zh;5`5me2`GT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ih
-zN<?fbl(V<zS^%h@BtBkhc3fh}AOQSATlDJ_tX)Q^v-mNr>^~x-hZKe}PsA-74%;xY
-z%1B^HDt0=soP3^{EKJ)&_b-pfV8cwL_(1dml;Sji;(r9YP~QfvMIR=;$|FM4HE^b6
-zOll6EI_7z*5>D_vgiic>K%ddTL?+VkF!(XYy-glao-W+_2?bN*!b-%g<xEJ<fNF_H
-zO+|QOI+nb%dDM;5^9atuOcBV!FGg>+(*LW1WU#<n%`jfOTx*nckodZ(;n0s5CP<`2
-zqZ95dX@6b??`GBID5A*hm06y8>4Df_kOw0G_-qaOq{v+SRpmK1m*tb3kPzLIGjVa^
-z2hUFOzaEpi%o&g2^lIMNwb&tG?#XFJz%l4U56fY<Ke<G*%C{41HO=~>`oz^klt?AK
-zuXwGHf}vN7zq;z1mdw(fafua(ZnorQ`;=s@1b^+)-r`oP1|(c=7dWrTM*Y3X!S+-s
-z6yvzsNy6{reSb#uzqXA*j?J{*SW(elo9x=4Tgvmk7340ZG;`lvBR3tL)<pYW%va@z
-zkyRam5#4!yrgvAQTdV!Cv)`v9jNxm6cnrRnCOYS1`lNtbeMvwdY`$T%z2c2?KUYtH
-zuz%y7Pl4UE=`AdyO-Bk(i@@FZ$jbcl4D`#{qivoo@^VWi^8*wNhWHBcM9aZ^hO!59
-zZ!na}k}61}C|dqCeZzOBk4C*LcK$Meqy0}?H22^^RdJ=i>)izIU+caHn$AdqnrQly
-ze+yjHVauRy-|J4u6<7{TTLNDLr4%Jx7=JHGUoO1>1Jcfv{I7f>&cx$XLd+C6{T;$@
-z!JSbO;_3Sm(&oAtwAZTwA;<mi#zlL0dc8tNX$Jf+i?!St*hWr@1F>V25RbO9psZt*
-zln}2yx+-<d?bPAfj--=;${{Kb@G`=-!S6}r7<)MjYa<;579RL^yjjX^${dY$6MrYr
-zzlVM!*xX>4*YnuuI!9EkI82olCom|r^m3LOkVwF_AlZNQc;2PpCjjVZX)YexUPnw2
-z_$_(XXS$6%xZjS1<a2EF+>3_#*rgWL;?J<7vhZ&suuk^}1zTKrxKS~8Q14u?oGg}H
-zlv+EHsJHLYhdzk>*1*x?GypZ%k$)pPwmu21v!s;VGk^k+YzPtgAL>R8DmBl>#+JNk
-z9u*4ll2JG9`v}C4*CP{?T!#_a+ScwglwY1hLX}2-)3S}nNh}9HZ+}fv%zwfwr^~k!
-z=rp+UoO0)meUalXvhV<156HPdXB0C2j3K;I>+=s(Buy-477<Fc{D0(9AwpuM`R9VR
-z9PsG*j%Ivf^Frz#{2>MAi_(gcw~VJ;|J3AUk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0
-zTK$e}^K!@?la&QVe>VvCGU(Vo?g9b`00e>r$fO@bT)QV0_0<G^sZHmf3XvyfIRJab
-z-ya4C4tq}JH{5aDiZ3>B1+RtRaRQU!+^G+F8ByUATuiqPku)}3=nLROGQxsSbkkY-
-zasCODE@NO&{NkW~>X(G9%rXzSV@mm{^~LPTEK*0Wm{&=#e~+kA6Ku&p0j~W>F>f{_
-zePAde#=SNS#X0&z^HzqJYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8<?>XaNZw=|8qY
-zljvN6gHeh`L<o8Y#K9sZF8`^13QskAk{EVWasuIliOF;Rt+{0Zt-~QW63s&JBO}#~
-zNvCYLXQM^*e~3p4N!}m0BWmT6;WjhA5*!&#*e7Gu&6XY=wvhDu(y%oVJ1s-PGX4ij
-zXqr9zPp0<r?vuSR4TC4!uez)NW@`~s;F;ul=-M;eIElopsfJ}!`uQ>6q!)aIAW3M|
-zku8zI<tH1aMM4vr_wv;<iz11{WcdW0o!2OJ-2+~ee*|4US~rc7Et<j{4+Y|KQD2F^
-z)s#-KF0s5@Oo}QU{5nBSMSmDA+p9p!yaBC-Oni&ehVY8&eYvnxxOmI<jY++!4od;c
-zp3^d(-mSd9c-p-7P%5T;CFi2D5LnP0he&HzK2363zfQqt{#6>LVI$GTwtMdU?^96#
-zg~=M+e>pl9)d2Z?X8#?o-z0==7jEP#m#A>bdA2062BlD8Lkw*A-P*PsR8T~|$qx;D
-zg^_hvYQOo650pOQ9dBiuA#&WAk;<iQ=<ZsJY+tq8e+huVYS68}J0xYun`heXlCUm!
-z%~fC?3MQi7{30qvjj89wxizI@w&NypE|_9)f6J->Ae&G*Kp;Mz#)6aM7P|YSDn6RK
-z2FMmd^WV`rg9qo0*gPnx{M#w}w_jIXLt?Htq?997K%)maV%KC#Lbt!#l8-tKoQ$GB
-zXi<lvE$Shpilmp#>H8|epkkQXRPYNxML#!2<!VRX2W<(5#5fRI2@pU+*QzOi49;)e
-zf13&wDfc#|IiXNA?LuIP__A%wm@Zei=zp9W1Se0xrqGS%w;uT!na7^ABSo$q+jZ?=
-zkswUneFd9q?_0r;>-7pL2YG28Kjpo|2b}kK?f)J1gPw({=3$W^com8c3Ye7dJ}RHz
-z*vvJzwpsR6M44c_{jk~~Myb{^rc(sqe>x=O*QBRH4UGQB?z&_Bm@zH!#+>l)4pTGr
-z&x}!IZ*t34iEdy8K1?hC686S+fvw2MM4b6|ovWo{VfySc*qk^hH|y;Ox->fB-fZW3
-z9P`l12ah8*RP<o{BW{s6Md!Ac8^2X*$0PHI3@`Q7+0!@Lu~mAMJxpi_YUFJ@f9J@3
-z#YV)cj%xne*F9=@-d;%rPLF}n`r}ShJe1f@1;2a0c$$41BVCZigvD1y<>-+LVYybf
-z<$s@pM^MUhoQy-XmtfWe_GYFerm2qLg%H>?7HBLGv~=PBmQW8Ay#|QIkK#;jO;$81
-z;E<E=M^Gh-%%k7ms;lw4%QWZsfBvWa-S5l}Xst4(OaZ9=8{q4Rbz&hg7>c&>RSgW`
-zXj?}J-UUPY8f7(HIC6UZ<GEgySt{jX(*D7pNm^+n7dc_aqbuKBoY22Ju~+3)gC!R3
-zvHL%*8`1)2{VwDdmeMgLFe3&DDuzgg_YDCF6)_eB6wYL{lSXe?0vR^VJTME7{?XMl
-zFG(;lFd;Ar1_dh)0|FWa00b0v-Aj7Fz7H02I9qPM%e~Mkh#kxX2$T05m<n)RnF0a`
-E0Gb6l-2eap
-
-delta 2698
-zcmV;53U&337L68=U4JX$u%YIJP8R|K2mpYB1t=Pbil%X<Mkmo}$31(V-T8%g@`1Yg
-zyS#V2y$w(dF1u?n5MxMnkHAA#Yi4Ip(_Ly3`#cW|>GfOfO72c@ABwq8tiZ0?s3(7$
-zxM}RzJuAa0`@+dpgSHC=ye;ze6=fI5jLQm5(4O@ywKR%B(SKp;94zpF34Epw$elea
-z9!~P+<xt!c=@hl@UE^-3pOZVIzB;kID~R5OI3Nfc6zVwOPO=O$_s<)Znw-6`&kX(p
-z`%Jk~Y$k%11Gx37zK{thwwsZr>oiqK>Q_>yAd4Fbui&Gbz+?SuIr3+{gn2}D)4zKA
-zw6q+|xyzFg{C~CJ<M--o&FZ5lwtwQXK{+>Xs@2^$asn4KAS;Hr!s53%;M>!4_lI!j
-zE@siDP@6({Y?SkW5h+LdIH$!`_-XqxelFC+82Tg$<j0o^9h13)Y784=ZqHptd!}0}
-zPzj01BTTUZ;@BJLa?c^27)lC(taoyo<V5wa69e1p;D6s=z^ogO1@>EY9PMt$UIeu5
-zj=iT7iUSA-e*52|0Dc!;kR<d1_~h=({X;9^L;cg%2R67LYPYhJa)c+M6F<6r&oSE$
-zK|Ni#jy(nHlZDA2x<D&>C(OF6vpH^HL(#b3W<tl;nps6YYu#s<BZ=oKcY|_|h(F?!
-zU-Ux$=YN(JjE1T=TE~cRM_Med9N`gz&YFytCYAxO`}T!are#ftj)zT^@t^SspSuh^
-z8{uh?u})u{Gwu*zWiiQ1IPiRjycS3COl#sP@<)7TE)>r8xr5SNtP6{wfsN>aHEory
-zZz-!@F_mMHzsyrd5SFu-?*f)-4@0fWC;9#&dw*SQ32o63t5Zm+f1C1bL*s$N7grel
-z=O+Y!#o8f?VAUB9+;Hl3)PR91eu?p_GHL`ZzV(YKX%{M`k(!63Bb|Ob1gX^X;@_<m
-zb`j%ps&g*AI1`uq693O>0swMf$S~y?O52J5Ow2Ei5EeZ0liT|CpLX3dRe|Y?h-)%*
-z1Ahy_Q}w75-Y#V2+pavIB(a*V$3IEPg?T;;_;l~R>6v}Ls7>PH|CSU4@<t`nMjMCl
-zMzYc`7mKbe>((!&99d`8mJ4VP6tfU(4xw}bWH@+eq;9;I?L2T^2F%;7KMe9jrkMY5
-z;~yqZdv|HCk0HHe6ELR7-?n<sIzH32Y=1+x$^6r}NKESJVXvEp_cP;jn&n7f5-nQF
-z2(17UEfFK(G&xU?nR9(FgC}<}BXUB*Bf(#_mgjE>0PnLebvx^<h966*Y`cnwTB5J2
-zA1Qq`xQE^`OJC1pqd2ZLg(jajOKlt+=jOB4;YGDC3i={5$kr8||5{h7bNC+k&wuK{
-z@2;f1dQKs0H5dTWX0!fEh%hPAZ%KUxNvx^6FrBX4!fDCz*Ib`j^V(RPJ);etH)2EP
-zwnpe|#|O+1dOty&!OLC+twa&wj~2kIbP8%+8YTU{0~aZC=;Q4hKFyIDg!b8YNvmyD
-zeg$m5OjO21T@;)G=P{Cr(x0@}1Ap83<(fX4WP4YFr}QAA<({y=D+l3HU3$-ZbepE}
-znco^}etn&swt`{-=!nS~oWBxwRe*26-Bk3rdFFGSyzOz#m1$*h`-$e(*znB2Pn^t@
-zH|U}yv}?Xo?#GsLp)Z%4LGOWGh!0b`#O>Hl$-REUwC2Ty#$UDZRB}HY213#mttD}(
-zBu{Oz+8I6(k)MzWx<vf=T?jShy_Sc1lFtMVcgiL;CL?u8)sucr!T<VbVf)_^M7BU1
-zMOU0(qI)(3la&QVe{+!lJsuLct^xuG00e>r$ksqyo=hI1ZhXWX&Y5JiN0mzSsk}t-
-zJJ%SucVFN6AEIBj6-I!tXQhuHr>X^w6cJM(yq|zYJ;?@eY;==f{|XXanx4vhND^Z_
-zVG0NghDtq_C2zj$Dz8C#|AZkOPjw>3G!iII-&;gSHv%p#e{RGu#nP4#fobQPcfv18
-zgrG+nAHI;bL{ylamN8W@<sUn{)JLO+HQd3kSKq1;PIxm=TEo?fEh)4az?P1F-fc|q
-z<ksDIon+%vsmL?EC)bFO7YtLbi$60ojZjQZwOvTMyHO2=H=KoXp)D^YnEhOicZHX=
-zhO1_r?~A<be`j#1aJG!UWWf4{wZ^bbdLA9|q@o<s;)Uv`@oT~k59I%F;vgBKpsQB7
-zXoLnO?`7Jh$RMG)YhFjlS%-VjOl3;9>lZ^DQ<CZa0;lJu4HOXyxh!ZT_98v+b<f(@
-z+bip=NIvILsH5E9t(-~iy%%Bzh!QF2*UAuZLA=|uf7prj`LWlcfDU_Z*#sW0)>(sR
-zT%P@xq9c;o5?<kml8S??-*v89Cl3LkT){>_9TBIsOs|hcX>KKPL9C6IfhyjT9og;C
-zTTYklra)`+#hT@j5b!vTCMRNv-&CN403}aafd@V%?CBOpZa@yL63{b_VYz#)84%BP
-zfYP3we-mmC228v;c=3=b_ySr8pLt+9&oCknyR!6tdU*&t03h4#MVDePO!=PdJKgTE
-zaHJvVh#iv(yLboW+T3TYbSszMmU_pnlTuRonrN;Bt0)GPvhsgs*~x?(<ED;GT$Pt3
-zW>edh&W?F?mzlkD$J3Hfwl`moP6Hg%s+6VJf4+~1Rx+6eBhwZUl;!=3s8jgC!;aQf
-zD9Z@?L2PX$Ghgizq~7d-QhTd>iMJ9kiDb%Rq~);boeQ_o6Gz>K3&BxCt+`@~nJAh%
-zg!EqIPY9B0ewTqT;<AAM9}0U^5{V*H)w|J{-}bNJ(i;XK-5uP*z?b9(F?b~TP0%D2
-zfA1?#kvQS3?0*2J)@Th)QW&Yx5byCB4Ph@e+c{e>i1r~)!+l+G9oP%4++@@;Yo|$z
-zMwTf3)yGj9S(sW_1-Kzi6+3#SgOCRWU*>*BPfO6cBnql?REk}m2!l~16V`K&3x=#~
-z05!gcR0QYhTv!?>tIt7C*)hIDp`l^Ge?{+>tH@RY7FrUffN~A>;tlE(3sD|7LUANB
-zis>fX5un78BnY6sbwqF=OpLF_K}&sQ>&x9L3ga$y?=2hF63nby&K<Pt+fIvqdPv2S
-znt*Al7R-?>n+_8fYj=Q%qs9^LzWtFszxdqjsR&mys<{B|EGHk9GANU8t_m0Fe?x$v
-zpy|a!(Wp`ffAoA3^XaeEa(HpQ9c1?JtW^k>aa()*8q(TFBZbOowXt_)DRU3xiT^R=
-z=F~RNdSDu1@)T$jO}aMmZ0Z-E9f!w814*M^g*;BUCL)C0s^{0*#IGyLz;78!^?dxg
-zVlRVeg08jZ18}h9;65v{AH^?-f8aiTOIbeJluz**@tGI6G+BB)7Q~kN!AQ{g!qteM
-zhqd!L(uO>k74-EEJMTAE*X9x#e!==1fh0RBMQN77*2GhWj_q=-;Wz;n_ig?}US0W`
-zOuQS?@DtZzW1f~nnyoP<Fe3&DDuzgg_YDCF6)_eB6wdDm#+m(k+gMMPJf_wWQ<kOR
-z3=uFfFd;Ar1_dh)0|FWa00b0fzua<1!5W;Tx7DuQ&kThms@@d@2!~t}_X6767y<$a
-E017TA_W%F@
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem
-index 6ce095692..21960ea6e 100644
---- a/src/tests/dejagnu/pkinit-certs/user-upn.pem
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem
-@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
- A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
- U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
--+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
--AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
--O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
--ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
--G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
--yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
--rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
-+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
-+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
-++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
-+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
-+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S
-+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
-+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
- ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
- IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
- aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
- BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
- EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
--AQsFAAOCAQEADpj2VeHFvGVzb2o+qUL00+1RfpNsGRxrkXpolkjGn8LNIHoMfxAR
--utnL41Jd1wQQ0FpbgR1fIXgCDfdMNWWIE0SPO6WVHVUVaDb2kjgYZ2bvR3FvTIaQ
--thj3jyG5Qn/hJZ2WZdJ1kavUQzCcGKxcIQHObcX0x2wXWPKlO1S8XDS8olsi9KPj
--y1nWUvLgxhtp4vwRuVwKtgFusgaTJOOaJ+yKS8SHr1v89GRPmff/tQzMgf/nqRNP
--lmQ5uHLeo35DvS5akdw0Izi0m5zwMvOAGBY8lyHgpx8jshourr078Swy/SNdaMGd
--fwDCc7tFD2dw3jRC1O5jWBxOuDTmUL0cVw==
-+AQsFAAOCAQEAceeR7lFXkEEjcMGK/mvNOT5zXcq27ipYuV5HBgGGNLqiawc7NTxF
-+ocyZf9HujNOMvBNblTml2GJQ9wmyQesVTGgJFTGORS2sFizICq19jISxrv44cdeF
-+X/KQxNmnviClkL9jfA/6oKU0uSpvUAUet3MmDuo8O7ebVXVEmQdvLrhP9ycHGq8u
-+qG+5qjN4dpf/ejtCCMGGZdUdPxPosoXJzf17hpyt8/YQohKG2igLSy1O68tuHTXb
-+L4yiB52JQdnJfOU1a+vUSk425zMI00MU1aLcDxcjI64kxYBpWflDqn9Ky0N6vA1i
-+OoBZgRFeQSELxUp7SUsK4xO2gPM2w0zzvQ==
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12
-index 6691b8c72aa60d647c4993d3972a7bc39865901f..8f4c6b2d05d14b7d5fd4f161fe8c34d065c2e5e6 100644
-GIT binary patch
-delta 2682
-zcmV-=3WfFk75x>EU4QEdRHRCfek}q52mpYB1sD{K_#Ii+3SG3sHqthXJUvY<=YDAc
-z9#;0PWo-O>j);dWavz`vlnJdRTmaQEo(0cc+s7lXMT_ckx;wyC2|pOcNMhk2NQEoc
-z(*6LSNK&b;J(R<Vu(TYjSE6e%?H}Pi?bKRoc#1J&fWQQ2N`FnZL}q@Rr)%Kqlqc35
-zt%d-0S8uDcF*ELxxHS)5_w}Gv&2fQq^Vh}$vsghL2ova~D2{otn#y$}+~M$K*|J<A
-zTyHUST_o$xD9K6s^rh1e>KHcLgS$UbyOpsCkh&(Z&4JM6@2PAel3A~|!xb3Th5gvs
-z+2ZyxIT3B%aetn&kjA>&caGx0pjK-&f8Q_X>G1awp^&srIY7Je-gw)mNU&6nAKeV@
-zDUyEhZo?kDw^KqVPWeWk-%0aRE+Wjuc3X9h@7jFk@Bt8^KtvL9oxdA)#3I|;*|BOo
-z->lHL_8Whhtz?3eZXiK#wkl>sh(V2h>Rg}a(k;J|xPRt2O2Tj<96swuA_=jT#@8zR
-zTsY*e-_N+_<&h_dPb%s`G69d~tdf<}E{REDc=M2s^y7fW{0hfw^3IhGV>@v#&Kq3}
-zhwf5UAn^i(2RW!~epxan!iiQi1q9E*i^;IyPET${O0wgRN(&2aaM8OE5y7A05(S7?
-zsYqm-b$@CJke2fvwgCDwtGEZSH5p4N)(<4?9_pX)FmKp#;CJk)fx47Q!Ji=>(`gLt
-zB9<MdC#C)6a%y`}PyE@H#kE8AT2X8sw@=4oPHf;%#<~I?^K{Vt1IE~Flm9!pOkl_f
-z$S~3JKS=4$f_+YmL$FBPG}nT}@8HyOvUMwCh<^viQmr==_wHldeUX_54mVbSH3oLw
-z(#}i^H=kxTuS#*bOIwc}2av{A;$N8sDHLk+vm}jh{*F6vaPho_4y3G|ufE=hW7_*z
-znnZvf7=n|)7@elZs1A0ci2%j=4dgS<zUsez@pP&*`GcW{fk1EJs8$*d*GobT7$~v5
-z%zrwFo+aD6=6hB;)Xxjvab7weca>@RMXeL6z=WsaVZG<xRe*|k*3I+TOb&%O@i3bT
-z@M;X_;MD=b@!qQA!nL%Hp)_Y@*NkD|oFx?x?KL_-!XzLiHcM(t&a=5jy&}zQ)f&!h
-z%}`U8&yN}?I2E&6;4vc7-M{jTVy&Qc=70Ba+E7gjQh2qZ-e9d!dp)q5mQ*~*O>DZy
-zS;DhvL?nw<W5sSeHE{z)FOgE(Vxx{eoAH)z=*WU&{g5_<x3Y<K#UV^L6TR?R_mGou
-zN`BK}$%#H$@6=q5!v9|hIb3;;+Qg3?vzvh}LQ0^cn_r!27>M{iQ)K<YM0d#!k$*2$
-z6=P<TXzK~xW|QSrx$qj0V43aV?CXKeRadtaR%t7hq>1<=B|aQg-X&IDSl$A~zKkYo
-zhV&KKYp^vG$Xo#98^t%_%B6ouEDxE%5^=ljeyV}hvfW<w?F{HBp#rHav#^e@wYM_~
-zH`|gVj#q4ST^Z*RFxUS)fzMOEWq+dtVFXnwB3{dA23|GaO~Ve`$MjzmuaMQwgLQ~6
-za`rIJhUl5@D3~CBPlOnZC!rW6Q_MQlm9h?uKJ$*9`0jPPcSkSq9?^eM#T@KY=dmwH
-zvLXu6AG3D~M)C(;@}RiLkI;Bx*@mLss#-y#9f!4>i+B(755(_<fF|h9(K24?0iu>^
-zyBq^D^D)}0ODnN{tCc;IJ~a0+z_Z4F{>vTLxtG7v-n?O6^jolP-ZweAlZ6FFe`>0B
-zfhbF<9s&Xg00e>r$je4%i&omIruPaAML(chuA&9Npn@rycZovGBZ#}MmPoP7HFyS+
-z5YP1fO@E2>32IZ)3U7So39tUWihv|bt@|JD=G>W@vLbuh$`t2r-H%|(HA#7Z7W-_6
-zMx(N<y^1k^QnaZ9d$|Aj*cjo5e+%eSDgcD~^gkC?^p9V44e3ULhB16zAWivSoKg{Q
-z<Pwuk4pTmA<*1>U&So_YHnXHr{(L?L$F@_~eG6X?q6S`WCfKOSVZ2DhB(;a-fB!!0
-zx12<g*$t}D4_u$Z-M*XrPP?LTuO-vS(zv%d*WkkEpXnWT0TBuyNtn|hf7I>RrgaWp
-zY5qyxizI4x;ougu@A$3NK6q`unhku}7(r*IjuEbk_W?J+^#5)TU`GEu5)6)&$OQdF
-z;-goaN}BKgkRb>#!sPGo0~l6y6J_wWv)T|RQ;IHAJzqBid4iXawd)P0rV6^HMLnb$
-z)*C7%K6%-JP9aAHs48ype~zwJly9JZ$}NYKx-Mp9`1s6RNNL#vLto*^@?m;nGW+I=
-zWrFX-+Ya8`rQ6nHMD*!7*jvVb6y)NbtGwi4TGa~%?hH{~D+F~WCg$qzYa5~Jg_L|t
-zRR4#x%vZ6tegWzpK5qbxOZlsQw9ed@cuy1?5hFwQI5x`5k*FI1f3=Bo6N?70(6E=!
-z)=e3F8h{}lF=#L0^Xd)rP>R2*=*YJFpRmnBBqPdF6~Em{>vK>4KYMxGKc(f49lQR*
-zpC5e;d4$#Ea4PR55SyjScaGF=qC5ad8W_NCb&1?YgbKORkd^;He$u%fp+PlI)X|mz
-zVstj3!6b2+*r!Dke}#limlzF>9>fdN{BmbrZ}WBUCLIQZ!JJo(?`OTRR|!iY(4U7e
-z$^v2Fxgs0I5*}XGJhGl7%`WX>-$vfL?F|tI;2f<lND4#7#w`Pf7W3Eo{XRcaT*4ho
-zZX6Q;B*qu~x;S>Ai`BD5;7Bd#Vy+Sw;PxmH*ra_J0uID$f8R;tP|Zy-aDWv?@#W%h
-zgadvFj)f%M9Vnn?e<pHbV*d_k1(hzMiX`!(S_@ipPL-H`J;`lh>UJrGfhc=2RDa9V
-z>FxIlgkKyC(TX_6Co);|LM8Y_i725KU9m*^TC$^0OB)4Q@!qg|><#|?M~Ctb+P+hI
-zkbMqX>Z6#Xe>34_&bOc2;_=J{oyk_Ny}nc=NryDiE!$)Q7+PK!i92EIEojc$?P96m
-zc?iK(OD1K6|1g4R+r<@Y5|Jg!GwO8#LjQ})>Ni^dMDAw0p*0`d{zeV3zaLZ3oYpEw
-zH%D+{4}P!wbSfTH=8xk$*K9Gx2wGly)4dY^K_bE!e@dLK94%Iux!t<z$nC`kP^sKk
-zR*QvFUoU*mHaW4Kfy4}!s%tIW!{3X!$I%1JNM0ji{3QjfuoC|IE;C~ys-8J7Cex@y
-z0R2&fPTB)@95&FOmNgwr2!gLr$<pRvyI;{@aNMOEPWh(1{>n5oCu>-ve@+_7Qen#!
-zCcQI#e_G{j=hkznNe7#RtdAbEF26Pu?E0(v%|h1m<)!3M1d@Njft3yg;C}h;Dso!=
-zfAFsv_<1EcnjXbW)|JR|FCL)ej`wM6w&%hWM}7Gk&X#(57o~9AdT@&Zbv}$<O+GOt
-zFe3&DDuzgg_YDCF6)_eB6iXt7k}Mhzi{o+DJb5C^jWw?<uO=`tFd;Ar1_dh)0|FWa
-o00b0i6#VZZJAs+UglBRp$z_Zurg6mt2uFE!9>YQU*8&0v05$6?i~s-t
-
-delta 2682
-zcmV-=3WfFk75x>EU4Nojn7^Afzuf`?2mpYB1sEA6cU;`CoS+7>CyWFQ$f+`W0i)xX
-z1IMo8fFTH+Sz>3S>Uht|Eny;NP)?BG$3gXhG8NY)?NxVg6aGis7v1YDigSP`x?im@
-z`?Db1bRoQBgcP>Q+5v3SBB~A<eZ=^ElG7eAYvYlr3>yAzr+=xrsL^J*kw{1hZ5%a+
-zHc2Xg8*)=q>SP@L@CC{#w>L^Z+J&6pnI}#Mq2P6X*Nyqox5QLoU(Jpxpoq&?#cuXc
-zXJAXQt}I!EzNSb2ejUPkjluI$|4N3SNcUzZvV&GsmZuciaq~<Q(B#T(CVW!El0Iv5
-znw6R|z9aiX>wn*p_S%?j(No_hj!&e-e>lt2Pg<@@fsC`72#frhb+0TlAJiVEMe+^V
-zdV&&N)e5!qVh}cr=ge)HA7V6&5DHAbYHMo2Cwb?2_HFi@NgTia_2J9}>VmG;PF11h
-zuX{^wYCwv%P3F#g<Sz|KksZ>(FX%|k23^bb3@-HU&VT%}IkJ8+A94z3vJox8pxZTm
-zh96kU7&>62DbVf_jg>pF8CWC|H9xpweRbyo-+3m`BB;l^m|n5?F~-UAw2Eo|Upr51
-zfzm`i1<%YQFY4E;7^kKDXL(Z>fhax#kUom*Hj0_R>A-22fRZK89x=g|&JSE{W{2vI
-z^w^gDgMa^gOhBw$Ca*O&b-vw=S<ExBo-Ji$T~@&@Dnce}`lVSxO%-brjIBoXO4Byn
-z7`RwHhU*l6|KHy+xyy18Sij4dD~`osA6M9U@vny;H>;5yL^$nwu<O9K;|zf>8i^;~
-zmVO3ig006<Uc1F^a9mE?$S8SgQMZ2Jqye8jlz(0e#TV#Ey;BR8wSME94OLAWuWC|%
-z#m-_R^7);_g{|3P%ONfn8>aRom{J8v_Oh6k7nJM^oOvgO$e?LIcUe@rCtq|s3&RB^
-zp*ri|HnLH%?bY0wu{FJ?nTgs5ZEh;!_`)$2#t+ZJDuWwlGEIQ!^sZWqrL^=L`giqm
-z34aFCQ+hfGDFnHl9}q8BCSMbhWO{0LhibaOL`8zaZw)#kDfpVL!WS$Bf|Wp#SGs8z
-zuMxe^2$FU%zGSVpNVe46cBmbY6hqiGm#PP&EQ$kq_W{$pm06H0I%gFf)9CYmtx{e`
-zCJomci2D?Z;c$t;*d<k`?LA>S$k%-x!+$E95H>*!<g<&F!BT&0D*2yk%8xR0eKYmY
-zW{f)DDsJ|(Spl%+Lx|3V4ANHwd7p8xVCsoSC|k5ZG69|H>vWXOLFkcWfP(8vvqEm^
-zD7?NEyE=lGE=5{3&E1qK?Pq*of+X=YNRd~ny(2zVQ$<$apcRzL@uGb_@^{?HAb*II
-z$&EQT=ZqVQpB3Q~c_g!iYNSeNLJIbf9LS;cn*N*`225y4pWcO>;8=j3zmG!aoO6zN
-zSv~SZC)THX1T9jO_hUY0^=Dn#Xf}@Po+cTbq?@TM`@ji}ttmn2n;Sr4S<{d4l2a2)
-zPS}ZZea<H@=!X0&Ce3EXRoxw6rhl*zrl!p4?=A1KGR{*1v><ljGb>)SIItKpy^!VN
-z+N<Q&jeDQ>>iElo8@M<j83$l2iOQD(@N_J$wq4FJYc!sT4VcZ8`{1XQJ5Rp9gIWpy
-z79pPp!%3inQ&yV%GukeFd@wocLePuHx6(sLp;m7HKZT6XoL<rU`=K(4#xi;^aa<ng
-z_LRP#J-(7D^#`uGTN8LcptJ9C2x<(?Z_DhIAZ<M-k3n0Lv}c&Uu5B@clZ6FFf2@dU
-zWNWFK3IYNM00e>r$PrK`e)v)F{}y9KcSe}c^<wv12&M_3W3a*BN>NmRCcg8to5T>|
-z))WBs=1!|VB#mFx`T^_p+=Pn>y_{Zw#nr0X{?<`094{ph7>-~kbq@olS=kAbC8n;u
-zqo--UqoV^)&Jq=A_HU}Cbbqn(f6FcUJe4TRe&a}TeVj?vOMT*nA50LwT!xaLWC~?z
-zuR;Q1O*uQ+^<P0=u+mrk2!xT+l~;7N)DFsZ{+$8ee@D?0>mH=6@E2eV!vRW8xN1V^
-z7CvAHrt*6lqf)z5mkVEybFjWWrp|)?J*)@-OENCPO5D86?t`Ru9vD!^e;eouy|I2+
-z)$WnuN?<+4|2P~77T6MX&E~%*V{m1X=w~b<4D1y6!fa8v^q-RT@mT(ydAbR9tx)Mg
-za`UP#n<^-&N3T@x%5`|IYt`Dh8FG&3*k>3@<Gt?BpY%sjucPm8QhYcYB<K0nt~0bF
-z%&}y6xqZPue~OQQ4Nl>-f8ZRSjJBYOX+8{Vp2tFEQl+0M92wn~XpZ4n$&REI$O|!A
-z|C&upTLIlp;Cd-QTpjF8zK+*zVNtRL8TaU#8gXF2dW4AnLSjby@N|0|VUWjIwuzP7
-z2x<J~r_v!Fb$j!5J<Z>QObW)|z43v)#`5QOv~WpJ>Wxk#=te<$e*%Nh%31rZ;eP4F
-zCW8>)<?fEC#boBWG$Asj@KCxBxYSsGU&EC2jvIh0Y?$vI1SFy-XEhjP!T3H({~&F<
-za+!`An%2DwcW8<aA$R+(0J<;e`?D!6!J!yGp0YM_G-<DHH~<9uMtwh1L*@2!s1HLy
-zUx^X562si$5aydae_y%R)&VZuQY*0Dyu`;(t0e!ackfGT6juJGWdIAY4+QpOkP!)w
-zVsv{hMdi4cH~JZeT5ra4oA-D+Dt3nsni6!jm&v)k2r4r;LHlH;M!$4C@?p2xDjjW|
-zzIVx3?aS0VC6s5lekQtsm85uRA_E3-RjXfF4X8WBc$eQCf2E7MX!k=2v|sShH6zeK
-zi1o58FhEN2m%|5prw+2H5Se#<G)zqajtk-jNENhF47<RWh<Bs(_6ohh32^sXnw^tf
-z!cg+WXJT7T(VTolpa;r4f<jPnN^pt8FzK~$_19HC*4TUr$c=v{HBMRS1XAyeCyZ}@
-zDbJLsHs`$qe@={>15kbf%VdCj6aFwL?c2SQo#n52WiFgQTPjU)KxSQV{S``6ngGtn
-z|Lk(B1|^3OZUXEj6IkMTS+tQbc2JMX@jaF0-Y)3F&iIGWY3c-<&L!MH-FQs?2>rCo
-zW)YfJ#J06pbph*0FRV?dVRUI9mZe(rkQ(0v9mAEpe?l>lDrmYvy^Rh&^F$bAg9aFx
-zb;PX}B%WHxJK8;Gcqh-`?*P;qO4xaQT}m-W<AlGYGteZHW5V<P(0oSvUQZ+nrZ~Yq
-z$ku61z3idEOU@0=u4c{hh1Ov+`dp7gd);|Qlh7Aa!vt13(Jv3V&8nu$F3MijZw@_+
-zEQtdDf7ik(+XUiyP?Scnu)^FDhqmbTk4+UJYFubHM}~%!Yl-1mQ#$v11cMltg2z8L
-z^s&Ees<#yrfb=58x;mFxsVRkW$-Lwjr<!#B=8~bceN7}+DS&FB{wc*5_Z#t&;LkB7
-zFe3&DDuzgg_YDCF6)_eB6ln)at4(+g$vd;zJQdt9Ep@3;7*H@VFd;Ar1_dh)0|FWa
-o00b0K$TDdahGTqXka$sZ7Bcf?CO2FJ2p3V0ev3xHmjVI^0G=Ei4*&oF
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.pem b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
-index 3a5094c84..37e123ade 100644
---- a/src/tests/dejagnu/pkinit-certs/user-upn2.pem
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn2.pem
-@@ -3,26 +3,26 @@ MIIEuTCCA6GgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
- A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
- U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
--+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
--AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
--O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
--ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
--G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFGvA
--yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
--rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
-+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
-+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
-++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
-+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
-+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBSjCCAUYwHQYDVR0OBBYEFK8S
-+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
-+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
- ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
- IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
- aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
- BAQDAgPoMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFqAUBgorBgEEAYI3FAIDoAYM
--BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAElYM
--786mUr91z82s6QC0TwP380ze8yJQiaWifHYXiqIPay19M+QG91PvSm7LLZw+ersC
--gEl/mPKrC89XlAFp8b+hJnGq6t6YmeC7OI+FapEMxpxX/X8eqAOQLrGnoq7Pm9/8
--QtWaKgo09i7rmyykKl3xSU1VktBsmlhNPPNh3x+N4bxea9OIbZonPdDtr5/Yt87/
--6kBPsGgvUUoIxLw03OmLu8AmKAwJja0FWyu93uCUP4UZWLEGpUhSYC1uUCpAZDNy
--2AtPnxfGUDtvI9eMmyeXVGYXTfkfGZyvB3m9lyIj3VVmhbvr7qLAGQn00dbOHz16
--r6w2aye0Me0GcU0grg==
-+BHVzZXIwEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0BAQsFAAOCAQEAkYoU
-+bTCe61BRrB1yw8mIpnXlRrVLV91M8YEr07Jzk4qGfRLXbWf9BnMpxzbU4YVzEifh
-+w6+gYSWGjgq4kDmp6tcY3IDGvzXkglKMAZv2mpFnBa6ZooEQ96tgg9O9G5Lg8Sv0
-+kSkoySJq03xapucEZbhPrtGNHKwB/EDo3T0Iaby+Go9bqkObNfuIFXRXC6HqPBS4
-+khss6cJ+daEE3Yg21QZ1BUlncwYbkCzt+xp3YaHlY41gdaMdF0tn6iRJjANAM2Kg
-+6J45M4GKKT3yo5hJAWIS4lSCZX92g/uiT7BcBhE+vDzi3JuEc1QKajgnza1BMZMG
-+EEIPWkC+Lfg8scWS5g==
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.csr b/src/tests/dejagnu/pkinit-certs/user-upn3.csr
-deleted file mode 100644
-index 958c1e043..000000000
---- a/src/tests/dejagnu/pkinit-certs/user-upn3.csr
-+++ /dev/null
-@@ -1,16 +0,0 @@
-------BEGIN CERTIFICATE REQUEST-----
--MIICjzCCAXcCAQAwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0
--dHMxFDASBgNVBAoMC0tSQlRFU1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkq
--hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJ
--w0Qmn/qs+lNLjRTEZp7kzIsd+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7
--LiwbB36btYyEFCBW1hqJaS4RAMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2
--j69wqhPZIeXqqveV+VRogbTAO7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT
--50CFuNkUrFE7m6KnFRF7PkR6ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7
--+ixNvQn86a+91DdvO+xwbsoNG0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABoAAw
--DQYJKoZIhvcNAQELBQADggEBAEMxNp5md+jV5dFC1iSKh2CYl3P4g3UMQ9NjLcyq
--upjJmFiEGkEg/LpH4CoXI03BaD885S7akKPA1J/sG2YIrbl3TpjUJKZoJ8BjNT0L
--tYc+JIODZJEONR34Fh6/1uRU7UkRcJ8Crc83+ML+71O2SRZRJDEOS3tVbdzjEOTj
--HIed6Ia3cu0XeAvhoqRSjh8J0ufoIv3CRRCtRU8ChkmMD64p3kOTlORxWspAF8sm
--Xa53bWIpyuyz/vWwpWfr+fL+Q+BQ1TU39xvy+46AYuQIIKzK9vKZdCElQwFXZs26
--f53OyZpFjcsT9jJAM54XUxLv5rE3fqZQiBhatPZa2ThHt08=
-------END CERTIFICATE REQUEST-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.p12 b/src/tests/dejagnu/pkinit-certs/user-upn3.p12
-index a9d4780c47d33cd4d409d6ee657a7911381fe753..da888f519d9112e3d15dc48ad38585cde98d5b47 100644
-GIT binary patch
-delta 2698
-zcmV;53U&337L68=U4J{;58bgjeK7(82mpYB1t?D<^Vzr0meO{YpOc6TQFtkex1?x-
-zehwJizz{VXGun&BAkZb<MIbl*jJg${R(|m0@1(utK-vxcZ{@g}mmPN-v?fcXh{~)#
-z+_uOb?l*+A(^YI&1&U(CbIi0yg8U>6F`5&om0=1){V^dwH-A)3GtCm7iP)scf7`!^
-zpcfW<Hhq5fy$4Yw%z7HT+zupoL))aT*c1UqNoF159}V!gJmuU7rXQP<LiX#F-!~82
-zK|lHtDi}sPNv(p&<!V6m*wQ9&j3{9O!)<ao;IB<UUMc9<Kz$@YXz^bAVF-u|-sXiJ
-z$@zC7-^33jF@KXyK>Dp<M3!29p*1@sEg|R5l#>n~znhuv+jW45rkqMPDQT}e67<m}
-zC6O@UfefZ!E#!Jv>FE|w_ESX(LKd}_=1_wtRDk{{ei?VevL^v4)*gHc4wiT(y#HLe
-z4qSa#+Lf4khNXr}4Pq3ujwKQ%=*c1>#@tMjIH6+JG=JUgo3n9hbV2@&`^09UzLsXx
-z1Q0;yi%cyg>96()dg6wn_&qzl`iL-O?IPE57!Zi%GjLm9XfP6c3OXaDg?zmXl_m|-
-zD#I>Xh}5fP8${o7N)c1RcdbKF?oNOY6SjNF1NxBu?Xn2B5^2_>uDznS=+!Ntgao5u
-zB_17l5`Tuv-3}{<8W0>JB~ZN>!|Uw<Uo1K$BAyP{M7LP@$y-^t5HBMsJWRhRvpsF?
-zb5Kc#4cNj?yC@@yH6O(;wZP$$6PCw<ILPK|6vMVVTn93&?_jYpDPVn|hMU2zYe86j
-zYyqN>yTJ;p$j>5;?5;Y$w%BzS>?M_-N=&9H^M5*5VIABRGi2Gd*F0<%A61E4i|HUz
-zX!OLlQeM2}Z={{ENfa0g*iW|uy6#x-f>|U_zzmuM>X>mvJm2MZn#=zwdTlT-NTv)n
-z$gq@JThWUCy5?f5nUaHNcqc>Wi{@iB-%8J0m(YS!7p$&;U$Mx~#YgsS#hfS;=L)-0
-z4}bqab$|EYJ#yJjn${s(M^^4b`Y9ZM%%!e@ka;J&=%N+5kQpuV&Y*NQ6%bqqrp?0c
-zvkASQ^E5U0TOV~zI*%0#ts88^z*()E+lgg{*<{;CjX2|_kR5t`3b)2*_|u7AS)zCI
-zddqMp*eroBDYq6%$yo$Y{G=>O3TL-|_kTW!!P_2$POnW{>xFSfio_MXs0ww-mo~hi
-z=(rSEzL&BlLd#CsC*oqs6C~Fo+9Hg8?ck})d&Mf}w3xopmhhLVP`QjiQyjND61#m-
-z@Ti!l54-Aa1EIxMwvv%1+o8lC5XZ?$KpMOo<DogG>o;_Rth{0DdmNF=oifNM6@T>e
-z7}*!D{OdLG!LDBZFZ#;gcf%2Gl4oOl6Fn~r8DNFFQ~AA?eY^)C|5Ly1pjk;wx&r6#
-zDrVnH0^2DH(;P{I=T})*lyeFUa6%tU6RtX@SZ<2mTs?v7BL{(|rzuaK5kMkSf)x!P
-zMII;x>m<OOR}4lVpY^^j$2vv!iGPR5nUy!?$NVWK$M5{RxZ?YHn6Kuch6grg?GbVk
-zt=$_+5cp$0Ha()S2wc~W3ZOVzG4|KL&PPo);bGf&@iDa6xsaDb-8pq=RE1ivYkz}X
-zAtoBO5iRIakLhuRk~oFqiqQtak%;1~P3|cu+ipkUQ_?Z(D;h&D22ulM!a^Mw-CvPZ
-zMr+4upf+5VZ`oT|!&jXGwMYZKqlq5!9}+Z1dfSvlGPUQNS*=pg3d(uiE+E}+()ARb
-zKDto+n8Th~la&QVf6ulEXjQ}6{sICB00e>r$R@xPVtr{^r7my}%1}E!A}WmbofvFM
-zcS!kljv8Z%(&&Qf>ru913`}dK`R}b6!=OYQ|L5CpY15F!mbW2qYdr|JUF9YL8WSuf
-ze*bNr&bN?B+Q@E1=uUeEjhQSIS?`<O-$^NdRRBbc?+&PEf1!4RexONx14IYgSFp`C
-z09^qUk#qxIlOxwc5W9mwQ01fbXEo+i7Mj>-Af4;LXKn5N-XLq6xc|f%_#M%w-*Pn9
-z0f3p>$dACQCD|ZcE0T;i&hLLDWC+>2e_q0`-xh{n0FH%33ag~T<R29nuL-Bh7i+$q
-zeO=N?KKWpwe_*{gKs^Y)oly$tRFp_Uq!TC%gFMS`in$Wr;m*7w=kGRT?4^1jipI<&
-z>cZ@rg112tzut(cYLAtgLWrFG9P}7g>GqSjUx=*%5=Ei(wi;B#qD!D0DdHB=5ne3p
-zz7X)28kw|s=IQ-C@X=`XBrP#XfrYOchw)SmxSL>Lf2fV;6VyWK+tGI0@;#9o`ML}b
-z=Efu{JvtPd@rn|9u&5^X|3=^8Ur|_(J(G1WEIKJ0`^x9%VSj#?Nk6WwjXxRnu-6m(
-zjd)VmBbBWvY@1~+Vw#!O<(3tv)oh)ricul3Rfwl%X8C3a+<33*fD-2-GI5{qDV75o
-z>LqpWe?G2-@V5x^ez4WY)5Dk<WN?9G-J)5D8V;*)spcgeEQv*rF_YNZJ9;DV%%F8G
-z&syN-6ttUEvr}Vn3+|HewTgx2UM{YhpwSb$RbHT-A`*{5AclpWM_xQF47U%t-UY#U
-zVXA7Ty8@gJE!U$tNH1)JRREzYgxq2nOcdS^f228{e)6+3IC#b_ynkNbb;oCAQmz(h
-z7h2c*qH;XtCgl_2uGM${DJLg*-tH^Som`ek{)Dat19_IO50TJX4SsyJ2RspN{H~;B
-z+V0S(^O11wgH*SS6pSB%<M=A@x`=uJA=IH?bW){d%HoxDdPSevtbFilO-&FJYVyz1
-zf2sP6fg8#5D(P{5<D__zXl+?017n1!B&M|Pb_J;{gzf7LyVjx6?mCL%o`c|Jh2#}v
-zyxWYbFsbYv>L6ZxDB*vBE9%u;E|A>H(s6n}9bH&KQb#zdIBW7MnaIzRarxL@n!O)O
-zK=8REHm-D)+!QbFDD>eFGqQGle!kP6e|@)JpgdCP;~7UeyK0@F3NK#SJ0IUT4CA()
-zo39%1U#tTOc@;VYuXNuOe?N1eS){UjB$ovmaX=}kj~2dJIL}s}NbDPCos#k!q0k~&
-z6(yK2z2-dNY(yJA%`mY1gCo4XY$|Rb{VRvx>}p2VB)BS18|crUeYiOaX8I5uf9e;5
-z!Sp~;hom{dK*GcnV={{eZlquY3=K$u%N;dC3YcZ7Jwid9q$w720~h8_o0`r<W2EJE
-z9ED(wCA4GukQP%KSJ?osP!B*EZ_PnpT`#3;PNgFROp@R;uRKQWg|I+UQiQ@}X3P<@
-z=;vz*VW}x>J<VW8lOv<Y$&>#+e>}#fXz~jOgIgpH5GUFmGfeNWtu%Y@mn$$D4=DMM
-z<8V+G_ROuV$#I&3s%U2e{*tn{;XFo~vnDzTiDiOa;XL2_2q1G2#|Ib<`7((J_Ta?x
-z6m<s7NYJ?4<44k7t~W6yFe3&DDuzgg_YDCF6)_eB6dj)5)|#)>a$u_FJom0HA=6G#
-zp;0g~Fd;Ar1_dh)0|FWa00a~tK>i(z<@;kWV;*m?sLnLjiHbx72-=Fo1r5yv^#TG2
-E0EqGn4gdfE
-
-delta 2698
-zcmV;53U&337L68=U4OgPIH0Ma|Ih*g2mpYB1t^cgTby1_i4bV`ET($=&EQs+%VWU!
-z7EL>iJi4Z78OaT9ubV}bGdi0`Ahw>yNtjoh(jz*K!b%&Ua)hJeCBb!FAt9G4(CLat
-z`Rag4jFpnmFT)s@f*z8jt%jD9#v%N*$?L>k;p5=UEuP*lV}GdN&eI?0rjB?@WB}eY
-zf)XxYT1q=>J<PmU4ev9mM?|n;U@bFOUYFbwrVSa|jflX9@F1-5yyd!w<zYcMs`rg>
-zymMlumTAK2tc{81$;?wU?RVDyIg)}6Ru7Is8*D-idC>`arMh=W)oa9!1#zHlQH+C=
-zxNFQiy$@%pUw>ciB6Pems-P<2y=ikP`PqC(+TZsM6awppC_f0Xl3g4K3t|VAQ*|@t
-zqWP;7pCfxOI}DZ9(iJy)rS*nL8a}#DV!e3{QR4jj(Ty7a7d86H_%`o3)tY*5-w|Qk
-zembO|Ujs3}!86C73mgV0q^5iPuZU!CsXRr9j$1G30DnT~&96xZ(_w+gVmP}nkT+9^
-zTnBG}hdQN2AJnve+R?%pEbv=8E5(bzWG-#u#DzEycabv3EOTQ^KP}Xh8CNH%dMrC|
-zl_ZZqKVqcBMJt^u$Fh!)FjVOw&dWSYUg?omm_rDHAOgriM49P$d0+1``GCJ!ZsQwc
-zIeSn5N`Ij~5U5@dvEBjG{TiDpjvP!%Bx(#V7yW^c5vbxvj?}{zE!H+*c6xgo=IhbX
-z{ugXqn`P$jl!c&05S&~~#+%)!=U#Kbk5wVT)3ql;lTT$>=q+JLDX30eW_%PenT4Zp
-z_goXztU1Ch8>MHCoD|K5H4(V-ja<hx8@YB0r+;@4i}mjt?20bEYPmt4?A+bA%21^X
-zXRCd!kj=`r8UT2_QEtvftN2ls|9%4(Yd18``lD){hD=Y*oD0<z^0&Du<8diip-hyZ
-zTgM0cXE=W-P%U+1kHCcEPFj@&9L9Xv`9v;Wfzs12ZiyTTwQhJ<8BROi#6${ukz9WZ
-zXn*t$kjR$GQ+@~Nrzj3Op78qsDTByr87^>(n=t}k--9Y2&($W_V$rpuB>QO?+3-dA
-z-pr3<Vc+FcLJ>g54LF<k)IhGZk(A<ntCZ(JeUto0UD=4g0HwAcycywe@c>hpSdbUZ
-z|IdewW&nX@Id-7N;;8dTYiF$bj&+Vzp?^hsO`e7M7OU$Gla=8Q4G^LnBF+hG_nBeb
-zu}|$?y}&Ypv{-4`sZB4J84gG&-!sF!m9%?q;wc<-;0*nm{J3|%$s#f4g#v)CGLCU4
-z(Yc7zteW+0h{?ByycGWhd;fPj&Dn(4myw17)6pVR`dcE2`6M7x!wVsRwxjCdAb(Wf
-z4D$@k@4>yr5z6XWYn7pBxh_HGbj9atGCo7126F9)ewn?kfa;&vg>e{5+wgb3)|=NA
-z`o8_Sx*VNIakI&`^qCUyxWkzJM}b~6qYN&iv+v+c(UQ5=%<ubYh#LIxUMyJb%<p@d
-zd|0|~HBPc$(8N{id_|HL#DrR<Ab%c2g5>{ok(ekXq$lZ@xKgBHx0Tl@87a+hB943i
-zFD%RA(jSI%C|Xca<$+=*lWL`yEop8}Q{X%bQc-xA;u>Z)z-N*eV}?4frikpteC|{%
-z^a!Dtv`0%$*x`Vxh#$niPcOGkf}NjScYXD!MU!uL497Oq;pCJOkrMUvRzj(C7>B7|
-zirNe8d;&TQyncnqec(ERvcvZ=HhwevKN)GUzDKIn4gl?ZdnRwvb(WT2#ZBk3!kjVD
-zJEGu3Mj^N{la&QVe+@0G1;Pz3&jJDn00e>r$OX00Alr(atOG})P|bur<sYN#DxZs+
-zQ52$Jw-pZRd?0u{NUgpsp^GU=^+m!)wF=N!|4e6VkvUWSX}T~!=xNe<WX~Vq%6CeU
-zj8!Iqi$<4p&eZraSk}j>1*6+0Wi&x_x{|YhpPm9aRrXy+e>w{XL@?~)eWqce&iDF0
-zqMSy`TNzT_)VB-&hdVeWjEeXb0i{%KpZeK!$PY01Wa=BLfB6xzk$J9wnQ+$8Q?cOh
-zQWJ^oEshJdhCpbB9?+gW%#d0mHXCu4Kr$r>M+VFC+yRsa^lQ^YyqVejN5NolmXwl=
-zj;AXtkvzSNf4>f%vSi6=NX>a2^%IT&;v29li&z4uXN8vz(uEM&T*Qo=&F?5rk#RQz
-zC336+`bfFPsilPKn2a5|Np2S1s2;)B2v;glXVE<%O(u+#u~*}7ksKGB=)IwePkk!6
-zKOP3PmZY@6SqGV+fn{aX%cf@iNQisE!MeAT`8h7je{pcQ%DlZS83P&0<4$9^B?j!n
-z0^s^w<lAKr!jqIvO8~CPKHl0p(MS~^?zBC<rfK#deu6NFrGWU2JAJ1fG;tnfw*$l|
-z_yC5oEU(Ji${Y;ku(xEmo9P^{#uQRVIC>wN->E=~xLdD_)eKs$i$WQ?$&-S=N4)kY
-z8sF-Ce>waid23??s6b(A4ogu;h++fH;y`e<U0&L<3*l4a4?2OC5>Evd@BSm#`s!Ry
-z+6L`T@d*j+#(xh*)fPw%XJxi5_WgWEv1C&^jNYt_5ZCvbDlQ07M;HV(J|PE-03cDz
-zI%m{><uUInH9re8G!?46yC!XB??9)Y;(!^%e>hShEl-wN=n~{2XZ{L*9dR&>p&O5P
-zL~0ADX*&QcF)J*1tw=!<FTf=ac=UE7NsQ5{vqP4W8r}XA9?pHuwN%dw*+a(im+()K
-zHVNY*kEjsu^!sS@;lfE*LW!Yzk~kdLN}|Bd62yeDNA7^Wgpu(CSO%C08)k!~fzCz5
-ze-kz9>e<$;FCS~Q>H`vQ6<^=_{tlE=R-j`1+-CyIrhMa^l@GsOkoi*b5gc{|O)u6y
-z*Eybgfl##owFc|2DqiQ%>C%TLxKNZ2)Y8q^GKz)qUCCb^Y!~Ouk~utFj^%qDAD7$7
-z4|(O*(4Us`f{<2cXiaTtd7QygQM!6=e^+!{SnFm@Sce*pSUC_>Mud$loY2}d94m?|
-z<^OOSjsAsDBC2thdNWvSgLi|B<-_+{K_gsBydMbNjR&C)N<giZ)rq9?LK2ZqUH@Q7
-z=lEDb?8D%FGK$cQ@EiJM*uLyGPV?`6KidTXos`w|t7P&vp6W&BO^dJ(zR4Avf6h9m
-zYgy;HUJL?!T$);C3rzm)+D0a#pIdQ;plf0S;ipPSJ(nX58XdpbZTA9xT;$+u#1)OS
-zt%%W;=NRR=+Qofxw0<7L-%oKg+WWxVUFjx_db}Xq-8IMqr(1}#|F5`<LfC<uu}7wk
-zWPd2w`sTgYkIUhkr+$m2#^N?ve*|@-fyvmtstS0orV!Q7PL#g<h)rqZNEM!OYYn<n
-z#QqAdg76EPW~eh!<11hngVaOx;{yqvKOAV}g7%4{<iW=Vy9*r=Z%u4?=O_i0#t33b
-zJI<aCrhp|z;|OjRDAh3~Fe3&DDuzgg_YDCF6)_eB6u*lQxi}3No$KBvJX!2GE7$}i
-z&Al)&Fd;Ar1_dh)0|FWa00b0p*u?3&er@hi<B`t~)wx-tCp*pr2<%yzfrt0G1p)#H
-E0Pq?oS^xk5
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
-index ffedb0d1a..754114f5d 100644
---- a/src/tests/dejagnu/pkinit-certs/user-upn3.pem
-+++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem
-@@ -3,26 +3,26 @@ MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
- A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
- U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
--+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
--AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
--O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
--ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
--G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFGvA
--yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
--rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
-+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
-+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
-++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
-+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
-+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S
-+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
-+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
- ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
- IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
- aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
- BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM
- EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B
--AQsFAAOCAQEARVeLPouequn86P3LgOZQ9LpP6IHpY2ZQwvNviiA8Zk0hsqFXnmwx
--wr3JtESim3EPuwQtJ3jXp0rxQB02r5r8sg21OjCeAB+vOz3IoF/y6WEYlz67LjMB
--XCB6Fuq80IHhVXWRi7w8dVI8xcADwIOh6fgzwbbk8qV2Lgn2Giivstp+76PnRtEn
--tavWlWW7bQlXkiROYh6u3Y8IvYYoIdlDsXQBFSRE80Rc2jR2XGKAz5CDEZNC7RAH
--Z7ON9HH6IRBOX1ijmXhBl/39QQ5t+ZYgKk8OJpL1RAZlJZtGMBwJtA1aGiAFvqTr
--aCREHZfn9NAFE/szItH7hxWJv9RISUXYmA==
-+AQsFAAOCAQEAurL26+vQNYFbJNAFJ3yHOt1nwAVO4/OlCtgqzOAq0nBs35HY10Qe
-+y8eRcxrLmm4O/Wy+Rwre2v3pIP0AclvIytDzEm6K3Pgj4yJfUUM3VhnSOlXQP6UG
-+D9Z9pVxNiDeykj5/SzxwOQAmJbPcMx9aRwP9wOLMwUxi5sKHQlL9YUTC1hffhuYY
-+Yccc2dHWd5IyaKaLp9yBVXQryNdVTBYrGA2ZqcwETmcXqU/wCo/Rmf10Ra1sj88X
-+VfTb4Sr0j9RaSKeXRZgbEu6kz9i2WK70dcDke08xRv4xVfrlbXrfIS+Va9WYKxrf
-+Xb0XCkKp32Q0EHqapeJrCcuQtnDMGvncTQ==
- -----END CERTIFICATE-----
-diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12
-index 67c3fa2eb01c9fdd543af9172dc63a3955987ed6..e9c044c5b1d0d950ee2520770de2f8f64200cbf6 100644
-GIT binary patch
-delta 2706
-zcmV;D3T^e37L^u|U4Pj<TzJWUzcvB_2mpYB1u$u|U(OiYZWaAdo&=0W(D-NHJ~J3Y
-zI~rchE>Z%Y(>Bs|d@Ni&G^NWGp&(#5%4Z5twBV>={4~8{Uu<TgGho+eUPSehodq)G
-zMtCIV{~=Q73CQa-OCbMz+w@wq(P4!Vj#tqP3^{;nxzSHzWPbr^w_(dkTU(SFJL&oQ
-z7zL?S2x%2N_Q|C4e}CAberkP`3BLksF6_zM3KTSVk`X2!wi(j<c5Aq9+wm9GWZngW
-z<Dbs@F>yO)#6}%;xPIHyY{h_i55`b4<${ihODv=^X_GvM2$(ip)-{scMp=K6z4NT0
-zh9qH{M2vDnA%B4RMJV4L3g&uG{}^y>U@_^&s079+Uw;8UwQZawTn!vsnczNryXER<
-z^4t|;quLw`bl;E|eEKmn>RrwfXq1zSpT$o-918IoaQn0K1Qcv~32@A!!Yk9d$5)cI
-zy{aB^id7jlNY5I{?KJ6dEI`cwQ;~`h@bsE-*#<oN>wn1qLARY;aK^Be3VEOF^3YZC
-z@z)+dYJm7<$cmm$-`oMA4%n3L(y&2%bYK#IC-~*C61&8wgQwA^>q1bHC}EtDjtVc1
-zELlaHTmHT=Yj$uxFYs(>usRFRqQvn&Y=h-QA_vyh{d+oN#SEVcRq3G;MW*B4{9l6v
-zq4IfK2!A=Q^+R+st9#jqW4=?osK-Q)K4Hq5%bbPzj&C#dO##MJ7oXFI1vcvc70Jw{
-zEv_S72+LnOnU;)4y)s1`vlaV>-0o^K1+!777`l65f<`flFo5nDa<3{ccfhQZ2?{|o
-z7c|F5o2|#B%7Rj;vzYt{Mut5sSc(Fb-e#e^-GBAX_{?R+=$MOl)HiG~U+;&08^mvP
-zHNfv;+m0CZZAMc)NCYtA@^kdgq@Aok`CYuV8^FZ~W1mpM$Y|0UcYycv$Rw~Uk-pz-
-z!Dy26%)YpIB<5W?r3BX^eu*^fEgSl~ReH*mq<Od&#=uGpYlY6$wQWulKU}tsO+Y{0
-zSbyK^jZnw<Wk?;4G`3wO)J2BX-HAy$Q5bK{g1=%YrtPi_Gfz#E->G<*`wedGDz+{;
-zx4kLMqty}CrlV-aA&gVt>cAAtAE|kT{Gl>@GBfH-*I9Ut$$mL}Z;Gm~5u@3~UH3u;
-zu*RcYkh532p}cjA>7*oslZ7OgH8tToL4TJC&l=yANqs|aNom00jp9FBDbRbjK3>*1
-z%t%A$fhz|l3Z2Gti}<DCaW-|b-r=NDNxJi1H_xuj6pJ|LJHQ$(mJN7IN0$!G*Anpp
-zccbwS+1jQrcGtjr%9x}yE7acF?Dh6)b?N~9Fl7@@s3U}jF)!lk@HI3Pv}ys9s((-*
-z8#dFKFhw}!fRvCXG|3sxeIMc&S9G?cjEPQ^yGL>j5NxrXYzf=4jVC`TMPTZ<dQw-v
-z5hI|CLwK)rv$U;lQ)|sSio785wW58C3VJ1u0Q@CJF!VMAXZ|0m4kB3VOiVy|)ZPrL
-z#N}qgPGV&p9eY6#M&LO|2-{x2OMj*lG34GJ9E)|lteX1xgPLLhf&`)SK-2(8Z)w6-
-zf`(A_WYlFm-I%bz+TR#$vcF&TqYu)C`;M;|`+MeJSU8Z#a{Jy$W@#J*`eM4b@B#@u
-z#JA#r%%;>vUT-H%YSuYeGCOl)KMa1~`sWdLxxWOlH7Hp((U}SX!YNhgfJ)IPf=;Gx
-zCA}LPUS!(0kh@$b!MG*{z<Op)Ezte4&$0g=sPoTvm1zlTJ)4F93M+nLmGGMxIa+vF
-z>^TG9-c9BlhSqSqv`*cklbr=df9nY*n}fvB!vX>b00e>r$RI81nSv?+Yi!SD63Wi?
-zTpz5uAf~z86j38B#-LJmrSIOk*?dx5rd<Z*3r--K%&NA>vPi*JcISr<oe+^au0!F>
-z;GrMw4kJI_;L|8E<b2(~#RS|!7%$e>8I7#QK@8J%06j|~QeRT5YPYz2e~m|0eC*+N
-z;tTbW&k|>^&OYIQAQZ)=e!ZR$EefvbbEa%e@aTI~@iZEV&h?kl_iWbBu8gqL22EWO
-z9%e@s<ShBc-FD1uiaxXO=E3%qo-=vE(2O$HQE%20of;d}l+Q(2v%?CXSf&GtjM23Q
-zqyLr&*RQ4?O2*yf8n{@gf0Lk9C^>!Ln9mn5gIkKyZEbno(BO|N92gh4zi>;+t!DB#
-zUD*#wq%14Ws-EP3hBY-&Ihk~ywGtQqB8-6CEv895gq+Y?Ref!PVQoN$e}ep~l&{da
-zqe>QuPg-wYhtPeEN!5YpIa21fnSW1kwM|Wu{MOd})a|@aJ<LBIe`uJL2<7MT1$-Kn
-znNBU@f`qXiPdrro3U=5l)w0K1H{h$=535I5Rj5G3Tz}_!-fSvSxO<(>wy*geIt_-o
-zf@_GTcauuKT26C<kH~ZiiIa~Qg;|CP2wh6v+it1wZ?wf)%<Cu2h#vyjys8f*2);+)
-z1(Cc*1Xq0x7k~SdfAsH>ov}Jb>o;A$hT-*SD}c|OaKX(rQfx^MRmECJ-R!H{CDx2O
-ztfI!lXTISDio|vGOxL+yF(#V^*FP|1>(VxK)_HV+LW+m+hM>6nHJtbPD8$YNAI`V}
-zJxt8tv;~TeJ|us*$IFJ&gYiOXa5$hQD(6={4wTTv<(s?me|tUC1}n4%7sLR#^%2Z1
-z>wB$BQPVbOEZr-HbQu^qQZZDV0B=qKLSTk0OH6ViZg6t{x4jDwj>Q2g#8kQ3r>Eji
-zoCHAsSfZI^gjaN%up<B^epM7RAvzIT;KRQ2X07C;wJ3%8{_AIpRI!(d8d(I1h9y@c
-zbcAA3^>LrFe;LL-L(-_It&su|RC&en#x}vk5N84OPL*8oFVPE6rr}-0qN*#i8!ZNM
-z-lMCaJq9;t`UH;WVM3PeWlDBk&GJ8MW!kV<E3~UD16Q>JPop~_JfAJz8Tv~1W~R=A
-zf#mg1W3o+d#@#T-2&}3LjtVGn(SoOHnQi>T=yg_;f6ZBqH!1J@yw>z^@>NitY+5GG
-z$_K1gfo*y_T~t97XgHe91xGJb>0;+13X;T-03Pf6IfLg53{}XapD=~I*1UWMmfQ!D
-z7Ze1;SJ|?3B4j<BuWHsJc%O#7pP@0Ez=lAzqw~qnb{a@F`B{OmdIvYMG$dNQePmy5
-zuy#2qe}oqYXYN^bx8@9nYY#&dtWG6w_5b3Dw>g+a%x7qj<bZ`6ESTH^e+bHC!K!fa
-zB+{$}lAR0oh%TlN-?41id-g5a(A-^)`A_f@pQwV6J>gRh1J9NxeFNvzi*YlS;ci9S
-z#DRe^Z<FqJM(4_WwdFZzldwXZu~#d;GN9A*e}NnEf1x<zdIxpJRyDAeufFP`dC%(Y
-zkzV?Ba}7CYC)<%^VizhoxpCKK^FA7`<--}tdAh>a5%?_JurFHR(9)uJQ)yN&4iz?H
-zSw@t!Q))44>uN8OaX|V82359~wEHn7Fe3&DDuzgg_YDCF6)_eB6ccK}Vdj_r1JjB8
-zJcW?bd-abN6XY;4Fd;Ar1_dh)0|FWa00a~TEWhWcHtRjAj4t&h2$Cd#3qV%{2$+b8
-MPj+1S(*gnr0E_P~i~s-t
-
-delta 2706
-zcmV;D3T^e37L^u|U4L0@OZ+^lY6AiS2mpYB1u&$H6w%_X?Uh+pizOtCBD<t74x{ap
-zYdgB*{3c2?wSWYyzjQvv;t-8trw6CO93J)AS>zx2lCMDmI_;E4nZypk7SId1QiiG%
-zoX$R-HEZK1+~1}@RF*!aKybD>Uwe<osB$gLio}DI-~?kH$$uWFX-lJ)1HB<2t6pNW
-z#kSFBm}bgYT16j3Ak6WseRe&B9QS_CwQ<`?IyF|;FV*zkN~Sf1b|#Gnd;abpNV1B<
-z%NFoz)BziCR;QIyEp8MVNIVPF(tUQp+qHutk!KW<J+!p)Zxkn0F4S+vz(;X%s#Ae|
-zh<zN+Y-}A%>VLW#TM}CG=Kw((`3EMgCgE%Wh7i5_PDshVd9Oz|EjKxtnoLw`TW#&7
-zQPy}=X-XKHcQwT5v|u~sb^Inq0<OveaKI($th{DmRGP`w`Ld>NJ4Lak7<6+3Ya}d<
-zR^Uti{uWAJB7|b_QADZ~qF1trj0LGAR*qZ!4V-8U)PEs3HV=&h(r8ATc_D(AEnMV1
-zwuVIjs`^7H=|3CS`*aB@;CnPV&TlP!Yu&aLuDOS7Sg0Cqu0xGBQP5;o#gwP}e8{0B
-z7jV-rq(ifyxm<=mq)wx^ScfIWLZ7^FtdIF5!b_#_SU{v)$6P6;3c{)K{n+@;OiiQ-
-z)v(k`B7Y~QMMOz0exF+cpQ;~*F-}k8OW2c^cHxE_)brp6_t{vy8?fdPQ-ctCS#H(j
-z$jQY05`;BJt5Y1_E&P`i?y7~+)+fF@I~p95YmggrA_kkXkLdVu+sQe~jV^LlG=Fp{
-zGMUwQ8FM7Kg20u!G&B)cCNQ!KA|~SY(%9(~dw)NYD5>AwQTYoOym#9ju3MlAj~yL!
-z+9RAIsl?+#`6I<K{@zL$ADJ}oE3_yI+Lqstp&?8^HQMK^0xWV=hOR`CZSBB`G9be*
-zP6_<L&Yf9?QqSqNpgTGGCEK*4<;E45C;Sxx8n3iV?MnsJ)$obYDc5lg06gexff@W)
-z_<zx16s-r`SgbVaBm%7L>Q~$`6sGmR#$qABV!__lx-g(mg2@c}g0+B+myWGZ<W_R8
-zV6Of+sl7`kk2Auz5i6#i#0#o9|7|9IjgKkxUA^DFP$}0)w>@B1H-hdORvFBr11a5D
-zD5mD8X#7lUgZJ09DQa34oE2MSOlRl*Pk;Loc@3DRHQ-tjjjDOpdmBQ1xk?t__INBb
-zA2{y5_WewW14^G6WH^SY0hmJ8^Ng^zx=ZpuY7#VI+rLN#wJ0?Q;k^@dZ=X;S&RshD
-zWP{?O$!sjtgM5;`y4Wj6`G$m`1OsXIXK)R(Jwf5Zy`3r9HV=gsO7Qi4jzaFFm49h7
-zfsyLIa}fYP4lU}*uw@gGo4t5v27iR`O@MAwyFq8%w;vNMFt1G(wBrYGlM@r4)ff!p
-z>8Mmh-L?^v&W!qOH^7S@tzEEwdy!EuK#bBM?x4Wr`(bkkOsAP+#8TbjTL5J_=bS5)
-za6olnR}(Db?FG0|<i0m(V2`w;fq!h}N1<|g3&}<REujk1TD8Tvd(M!PX7X>ejvnzj
-zP}Lz{>_d&8$(MkIB`z>!MW@mnuqJ@W?8->i@)3)<Us_Y8J`|ad9V-cGBHf{69VHr&
-zxEfh$@?ER?*&ZclvZu!5oFp};4I#Q4WDZ$rQiyY4QzGvhbBo?X-$65og-Xjt<lp(w
-z#JY#8KF0XR``XJB@C}5IK6N~>j#DPAOs8q=yg6rJ-m=-Lk7xDaXe*1RV@>aTN~)U7
-zHjL@_ge{0Jt7~qq;qj^Jlbr=df11{|CuI2W<pKf-00e>r$kBFUM=%p0lc|48g~wmO
-zlQm6cm$_s_2>(DlA9cyxg6bmmW)&QR$<PB#CxL?NzSNRGypG&F<c~$JCG4GuBaz89
-zv|qFbRiU<7T@!t1GvkvS%j=1+&xb`Bk$a9NUSfJ?Mo9UlI>peuE=vJIf2HTu-u#@{
-znFBj?5I#2g`5TG`?>T^VI($%BFj|uIDfc;L5->4jxZu(nSAc33NNkgSR!9J}GSx4y
-z_4M@|c;BpN-D}R->!q&&aVy|T<rhZ0wJ!J=(Orz3D2_%8Tyy0GJZs?Y&Koh$Vy3tw
-zM+tfu)7X-q2`7b*wKR<Ze<jFrnDrp;G0jEOUMTmHd_+pD41$Eyft0gcB1_Xbd|ZSd
-zy*Evm5}t43m>U2Cb!tnn_pGykac3R{dXL<j3&f%yo^8c7d|5`=D<`ThDf)tN+1q2K
-zMu;mj7zZtp;nDHuW+HDd{%>JEv0NPZVx+TTgAeJQji@`)5{<nTf5nyXdU7tASiiN#
-zBxaM|9(Z)C$Fpqi#EuP-ulq*EnjWQ(KntqNSy;h5L=pE?@Ke)r=pxc{AgzgNw<>g<
-zcJZ=w(L#L{pjXv2RjibOnkQN957ydC_9_$?NmM?Po^Q&34Z7W?1h2;S>~cDOE<sP(
-z%^ZFVq&an45xt58e_p7#+bXI0``Yi=(VHP)qI1*wNe@$kV-*OzmA22+aq5_i&h}p6
-zKq0PmpcE)33^yC4<D=|(^!QJaa8{;pB@S0AE<=(4%z9<~zqg*M%^IxCVwD_MaN|$$
-z)T-nv)#_L`X{r5F3mEPB^jPy2>pIB3e3RmaS@`juU%CSke_Xs}bPG03Hd`AnWDQe0
-zDzTI!DRp&=;Lw}C)$l@}&C%0-vB~aHYq5NMeTEzqqd+JdVj_`U-$+46eP9-nM7?zc
-z5Pgt-^k?oplhg<NP{NUahtIDuq+ST0TAc5}rtba3@#n&CH#HIsu!-RK!8S{J6;f*e
-zA(`4kEj-vYe?hv`=vQ6x%+>%4^}fJ8S>3v%<7ynPniiv_Z|t!~Z%up1%zf`A$#gTl
-z|Itn@fJi}H(elXg%0X;2+!%;)-lR)s0rXj$+}J!$F5z3_l55m6b2_*fC-NqxNFTql
-zdv*Y;FP;Z6UFji4Uh@uDeNWtoP&b(ZdpU59uCOvye<+Qgi5uA#^8lnW?w_X5a(Zcq
-zqur4>A_O|0nJ|NBvfV)Jmkk!X>5(vIem$?G-`>87E-&XqHpVEiV;~i$OoPodAQ$zu
-zHfA}RyWpW+OJ@WK!YX*SO<(GZEW~rTpl2eq>|IbuqzzqN8t!)~kBi0<?pWFR4{KY}
-zH#Vnxf89N}jtvqZyfhEvSIZA}V5)wYIN7TBc2n-hv)FhLVhP{hxD19E`DCbW$;I=%
-zE%(UwRnabgo6oxaf-bdh-B0~6{LTmAlWWSm87CMVl+N7qheI+`bxnySyc{(4JP$-}
-z=nH|Q!Ac8l0Vb4A{`w>rn7;jaAq#?4)^yQTe=NH@6SxT7)@@3!xd(1))7AABX12%e
-zGo=U4kgSi_sg=#zEko}S``7Td_RokC%@eQ1Z`cc&&D0V7DMKQ8X_oz<ecqR81^K#V
-z4NfEf-%Mm~j<XwPNqk^18S9IDz*;dSFe3&DDuzgg_YDCF6)_eB6muCT6bLmUm2E6$
-zJled0QvX3lDc~?MFd;Ar1_dh)0|FWa00b1TlMd9czJNI=4Z7y~ApP3IZC*$O2%D)%
-MVqdEZv;qPM03^{LzW@LL
-
-diff --git a/src/tests/dejagnu/pkinit-certs/user.pem b/src/tests/dejagnu/pkinit-certs/user.pem
-index f6d35f370..5b2853bc8 100644
---- a/src/tests/dejagnu/pkinit-certs/user.pem
-+++ b/src/tests/dejagnu/pkinit-certs/user.pem
-@@ -3,26 +3,26 @@ MIIE0zCCA7ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
- FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG
- A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz
- dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug
--b3RoZXJ3aXNlMB4XDTE2MTIxMjE0NDYzOVoXDTI3MTEyNTE0NDYzOVowSjELMAkG
-+b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG
- A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF
- U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
--CgKCAQEA05a9cPK5tn8p/xBh09JGT+uyiDOpLSvJw0Qmn/qs+lNLjRTEZp7kzIsd
--+Y2XaZJ69GgdKqFvtx9Pqf2RHaRvccHSqGGF5wd7LiwbB36btYyEFCBW1hqJaS4R
--AMLv9JaRFjOZhfwnjW+tC6VdTb/ak5AKYbg0o+w2j69wqhPZIeXqqveV+VRogbTA
--O7hsWtazOTFy5KRTtJJcN/bFNNMnxB+07pZBjeDT50CFuNkUrFE7m6KnFRF7PkR6
--ZWxF7zq9cQguRrzm2JVLiZoKfeXcVYypwEdEU1r7+ixNvQn86a+91DdvO+xwbsoN
--G0xtFSelYKWvlH4BsZW8qhyPkjX4bQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFGvA
--yQ58yg3eh+Oi1JaMrRzbt9hiMIHUBgNVHSMEgcwwgcmAFGvAyQ58yg3eh+Oi1JaM
--rRzbt9hioYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
-+CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri
-+oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu
-+7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6
-++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD
-+OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv
-+Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBZDCCAWAwHQYDVR0OBBYEFK8S
-+4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm
-+wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz
- ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM
- IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu
- aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P
- BAQDAgPoMAwGA1UdEwEB/wQCMAAwOQYDVR0RBDIwMKAuBgYrBgEFAgKgJDAioA0b
- C0tSQlRFU1QuQ09NoREwD6ADAgEBoQgwBhsEdXNlcjASBgNVHSUECzAJBgcrBgEF
--AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQAzbpwzIFJk3a1BsrL7KT3B6aYNs5Z4bnwm
--9dG3D2S1OFSQAbQt/ap5Tjz1RWabqWaSb6ufAKudQ6Ab2uKT8QhtmVByQYKDLYvn
--bIGgoSeAcvWHWsTeReSADr2b0E9+UT8znvBDQGED39C1AgiVUWHgIExYU0kBrP3G
--1CgWQLb7nZC5rKOkcK/Nm4XL7Oe+neiCr4j9adbGxeNHmt8HPuLuNL9TWkMAkcFo
--5INHHFzNmW2aHdvO+7lDbK8/E0QwiES6UbBvQOkTyhC4W5u2Yy7qbpsQleu6jOEz
--l8b05sf4FxhHevHtYUVuyhMOg8DPmfclnGX0Dms7aLf0s3oeSVt+
-+AgMEMA0GCSqGSIb3DQEBCwUAA4IBAQClwfj6ACfmDie1YoKzr3zSWZJKZimv7wG1
-+iZMNPE6bw22ZmE+P+Vq6WrY5M5e4u7ZdvFmkVq3rUA0HoU6bk3YLGapgsEAG6W1R
-+LVzxwoYDf4poOMqjCL34eLFdlVeRDADiulROE8bJGrPLJIiqeii0c7Kzxxuh5nxl
-+QHDgNV0fHQQJlejgJssOqgGErsCXCq7k6kkqB8MnKVMErRjsYuY3YI2tpjxBq9nA
-+A9dXgIU1zEUVzfpxzBjL9+2pMctbL1y4/ePpTP1+PlfI81TwrQNvMGYjxKNZM1ab
-+lZt37n8GQUZQyZ2TacR4JyY+w20ivE/JPN0L3Ncmem6bO1CULpwO
- -----END CERTIFICATE-----
diff --git a/Add-the-client_name-kdcpreauth-callback.patch b/Add-the-client_name-kdcpreauth-callback.patch
deleted file mode 100644
index 172f5e0..0000000
--- a/Add-the-client_name-kdcpreauth-callback.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 42469712239d3eb0e47d9aa306567464dd1f392a Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Tue, 4 Apr 2017 16:54:56 -0400
-Subject: [PATCH] Add the client_name() kdcpreauth callback
-
-Add a kdcpreauth callback to returns the canonicalized client principal.
-
-ticket: 8570 (new)
-(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
----
- src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
- src/kdc/kdc_preauth.c | 9 ++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
-index 92aa5a5a5..fa4436b83 100644
---- a/src/include/krb5/kdcpreauth_plugin.h
-+++ b/src/include/krb5/kdcpreauth_plugin.h
-@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
- krb5_kdcpreauth_rock rock,
- krb5_principal princ);
-
-+ /*
-+ * Get an alias to the client DB entry principal (possibly canonicalized).
-+ */
-+ krb5_principal (*client_name)(krb5_context context,
-+ krb5_kdcpreauth_rock rock);
-+
- /* End of version 4 kdcpreauth callbacks. */
-
- } *krb5_kdcpreauth_callbacks;
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 0ce79c667..81d0b8cff 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
- return match;
- }
-
-+static krb5_principal
-+client_name(krb5_context context, krb5_kdcpreauth_rock rock)
-+{
-+ return rock->client->princ;
-+}
-+
- static struct krb5_kdcpreauth_callbacks_st callbacks = {
- 4,
- max_time_skew,
-@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
- add_auth_indicator,
- get_cookie,
- set_cookie,
-- match_client
-+ match_client,
-+ client_name
- };
-
- static krb5_error_code
diff --git a/Add-timestamp-helper-functions.patch b/Add-timestamp-helper-functions.patch
deleted file mode 100644
index 54e7f59..0000000
--- a/Add-timestamp-helper-functions.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9b50a75e97cbe9cc8c0a4e37158b56b58e966f25 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 22 Apr 2017 09:49:12 -0400
-Subject: [PATCH] Add timestamp helper functions
-
-Add k5-int.h helper functions to manipulate krb5_timestamp values,
-avoiding undefined behavior and treating negative timestamp values as
-times between 2038 and 2106. Add a doxygen comment for krb5_timestamp
-indicating how third-party code should use it safely.
-
-ticket: 8352
-(cherry picked from commit 58e9155060cd93b1a7557e37fbc9b077b76465c2)
----
- src/include/k5-int.h | 31 +++++++++++++++++++++++++++++++
- src/include/krb5/krb5.hin | 9 +++++++++
- 2 files changed, 40 insertions(+)
-
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 06ca2b66d..82ee20760 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -2353,6 +2353,37 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code)
- return ptr;
- }
-
-+/* Convert a krb5_timestamp to a time_t value, treating the negative range of
-+ * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
-+static inline time_t
-+ts2tt(krb5_timestamp timestamp)
-+{
-+ return (time_t)(uint32_t)timestamp;
-+}
-+
-+/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
-+ * without relying on undefined behavior. */
-+static inline krb5_deltat
-+ts_delta(krb5_timestamp a, krb5_timestamp b)
-+{
-+ return (krb5_deltat)((uint32_t)a - (uint32_t)b);
-+}
-+
-+/* Increment a timestamp by a signed 32-bit interval, without relying on
-+ * undefined behavior. */
-+static inline krb5_timestamp
-+ts_incr(krb5_timestamp ts, krb5_deltat delta)
-+{
-+ return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
-+}
-+
-+/* Return true if a comes after b. */
-+static inline krb5_boolean
-+ts_after(krb5_timestamp a, krb5_timestamp b)
-+{
-+ return (uint32_t)a > (uint32_t)b;
-+}
-+
- krb5_error_code KRB5_CALLCONV
- krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
- krb5_ccache ccache,
-diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index cf60d6c41..53ad85384 100644
---- a/src/include/krb5/krb5.hin
-+++ b/src/include/krb5/krb5.hin
-@@ -187,7 +187,16 @@ typedef krb5_int32 krb5_cryptotype;
-
- typedef krb5_int32 krb5_preauthtype; /* This may change, later on */
- typedef krb5_int32 krb5_flags;
-+
-+/**
-+ * Represents a timestamp in seconds since the POSIX epoch. This legacy type
-+ * is used frequently in the ABI, but cannot represent timestamps after 2038 as
-+ * a positive number. Code which uses this type should cast values of it to
-+ * uint32_t so that negative values are treated as timestamps between 2038 and
-+ * 2106 on platforms with 64-bit time_t.
-+ */
- typedef krb5_int32 krb5_timestamp;
-+
- typedef krb5_int32 krb5_deltat;
-
- /**
diff --git a/Add-timestamp-tests.patch b/Add-timestamp-tests.patch
deleted file mode 100644
index ac64115..0000000
--- a/Add-timestamp-tests.patch
+++ /dev/null
@@ -1,599 +0,0 @@
-From 3a06f6a3cfad62da6dd8878d3446003f8293c3ae Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 29 Apr 2017 17:30:36 -0400
-Subject: [PATCH] Add timestamp tests
-
-Add a test program for krb5int_validate_times() covering cases before
-and across the y2038 boundary. Add a GSSAPI test program to exercise
-lifetime queries, and tests using it in t_gssapi.py for ticket end
-times after y2038. Add a new test script t_y2038.py which only runs
-on platforms with 64-bit time_t to exercise end-user operations across
-and after y2038. Add an LDAP test case to test storage of post-y2038
-timestamps.
-
-ticket: 8352
-(cherry picked from commit 8ca62e54e89e2fbd6a089e8ab20b4e374a486003)
-[rharwood@redhat.com: prune gitignore]
----
- src/Makefile.in | 1 +
- src/config/pre.in | 2 +
- src/configure.in | 3 +
- src/lib/krb5/krb/Makefile.in | 14 ++--
- src/lib/krb5/krb/t_valid_times.c | 109 ++++++++++++++++++++++++++++++
- src/tests/Makefile.in | 1 +
- src/tests/gssapi/Makefile.in | 27 ++++----
- src/tests/gssapi/t_gssapi.py | 32 +++++++++
- src/tests/gssapi/t_lifetime.c | 140 +++++++++++++++++++++++++++++++++++++++
- src/tests/t_kdb.py | 7 ++
- src/tests/t_y2038.py | 75 +++++++++++++++++++++
- 11 files changed, 395 insertions(+), 16 deletions(-)
- create mode 100644 src/lib/krb5/krb/t_valid_times.c
- create mode 100644 src/tests/gssapi/t_lifetime.c
- create mode 100644 src/tests/t_y2038.py
-
-diff --git a/src/Makefile.in b/src/Makefile.in
-index b0249778c..ad8565056 100644
---- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -521,6 +521,7 @@ pyrunenv.vals: Makefile
- done > $@
- echo "tls_impl = '$(TLS_IMPL)'" >> $@
- echo "have_sasl = '$(HAVE_SASL)'" >> $@
-+ echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@
-
- runenv.py: pyrunenv.vals
- echo 'env = {}' > $@
-diff --git a/src/config/pre.in b/src/config/pre.in
-index d961b5621..f23c07d9d 100644
---- a/src/config/pre.in
-+++ b/src/config/pre.in
-@@ -452,6 +452,8 @@ HAVE_SASL = @HAVE_SASL@
- # Whether we have libresolv 1.1.5 for URI discovery tests
- HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@
-
-+SIZEOF_TIME_T = @SIZEOF_TIME_T@
-+
- # error table rules
- #
- ### /* these are invoked as $(...) foo.et, which works, but could be better */
-diff --git a/src/configure.in b/src/configure.in
-index 24f653f0d..4ae2c07d5 100644
---- a/src/configure.in
-+++ b/src/configure.in
-@@ -744,6 +744,9 @@ fi
-
- AC_HEADER_TIME
- AC_CHECK_TYPE(time_t, long)
-+AC_CHECK_SIZEOF(time_t)
-+SIZEOF_TIME_T=$ac_cv_sizeof_time_t
-+AC_SUBST(SIZEOF_TIME_T)
-
- # Determine where to put the replay cache.
-
-diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
-index 0fe02a95d..55f82b147 100644
---- a/src/lib/krb5/krb/Makefile.in
-+++ b/src/lib/krb5/krb/Makefile.in
-@@ -364,6 +364,7 @@ SRCS= $(srcdir)/addr_comp.c \
- $(srcdir)/t_in_ccache.c \
- $(srcdir)/t_response_items.c \
- $(srcdir)/t_sname_match.c \
-+ $(srcdir)/t_valid_times.c \
- $(srcdir)/t_vfy_increds.c
-
- # Someday, when we have a "maintainer mode", do this right:
-@@ -457,9 +458,12 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS)
- t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS)
-
-+t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS)
-+ $(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS)
-+
- TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \
-- t_in_ccache t_cc_config t_copy_context \
-- t_princ t_etypes t_vfy_increds t_response_items t_sname_match
-+ t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \
-+ t_response_items t_sname_match t_valid_times
-
- check-unix: $(TEST_PROGS)
- $(RUN_TEST_LOCAL_CONF) ./t_kerb \
-@@ -496,6 +500,7 @@ check-unix: $(TEST_PROGS)
- $(RUN_TEST) ./t_response_items
- $(RUN_TEST) ./t_copy_context
- $(RUN_TEST) ./t_sname_match
-+ $(RUN_TEST) ./t_valid_times
-
- check-pytests: t_expire_warn t_vfy_increds
- $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
-@@ -522,8 +527,9 @@ clean:
- $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \
- $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \
- $(OUTPRE)t_response_items$(EXEEXT) \
-- $(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \
-- $(OUTPRE)t_sname_match.$(OBJEXT) \
-+ $(OUTPRE)t_response_items.$(OBJEXT) \
-+ $(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \
-+ $(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJECT) \
- $(OUTPRE)t_parse_host_string$(EXEEXT) \
- $(OUTPRE)t_parse_host_string.$(OBJEXT)
-
-diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c
-new file mode 100644
-index 000000000..1b469ffc2
---- /dev/null
-+++ b/src/lib/krb5/krb/t_valid_times.c
-@@ -0,0 +1,109 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */
-+/*
-+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "k5-int.h"
-+#include "int-proto.h"
-+
-+#define BOUNDARY (uint32_t)INT32_MIN
-+
-+int
-+main()
-+{
-+ krb5_error_code ret;
-+ krb5_context context;
-+ krb5_ticket_times times = { 0, 0, 0, 0 };
-+
-+ ret = krb5_init_context(&context);
-+ assert(!ret);
-+
-+ /* Current time is within authtime and end time. */
-+ ret = krb5_set_debugging_time(context, 1000, 0);
-+ times.authtime = 500;
-+ times.endtime = 1500;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is before starttime, but within clock skew. */
-+ times.starttime = 1100;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is before starttime by more than clock skew. */
-+ times.starttime = 1400;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
-+
-+ /* Current time is after end time, but within clock skew. */
-+ times.starttime = 500;
-+ times.endtime = 800;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is after end time by more than clock skew. */
-+ times.endtime = 600;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
-+
-+ /* Current time is within starttime and endtime; current time and
-+ * endtime are across y2038 boundary. */
-+ ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0);
-+ assert(!ret);
-+ times.starttime = BOUNDARY - 200;
-+ times.endtime = BOUNDARY + 500;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is before starttime, but by less than clock skew. */
-+ times.starttime = BOUNDARY + 100;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is before starttime by more than clock skew. */
-+ times.starttime = BOUNDARY + 250;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(ret == KRB5KRB_AP_ERR_TKT_NYV);
-+
-+ /* Current time is after endtime, but by less than clock skew. */
-+ ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0);
-+ assert(!ret);
-+ times.starttime = BOUNDARY - 1000;
-+ times.endtime = BOUNDARY - 100;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(!ret);
-+
-+ /* Current time is after endtime by more than clock skew. */
-+ times.endtime = BOUNDARY - 300;
-+ ret = krb5int_validate_times(context, &times);
-+ assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED);
-+
-+ return 0;
-+}
-diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
-index 0e93d6b59..2b3112537 100644
---- a/src/tests/Makefile.in
-+++ b/src/tests/Makefile.in
-@@ -168,6 +168,7 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS)
-+ $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
-
- clean:
- $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
-diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in
-index 6c1464297..604f926de 100644
---- a/src/tests/gssapi/Makefile.in
-+++ b/src/tests/gssapi/Makefile.in
-@@ -15,15 +15,16 @@ SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \
- $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \
- $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \
- $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \
-- $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \
-- $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \
-- $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
-+ $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \
-+ $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \
-+ $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \
-+ $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c
-
- OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \
- t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \
- t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \
-- t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \
-- t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
-+ t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o t_namingexts.o \
-+ t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \
- t_spnego.o t_srcattrs.o
-
- COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
-@@ -31,9 +32,9 @@ COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-
- all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \
- t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \
-- t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \
-- t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \
-- t_srcattrs
-+ t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime \
-+ t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname \
-+ t_spnego t_srcattrs
-
- check-unix: t_oid
- $(RUN_TEST) ./t_invalid
-@@ -42,8 +43,8 @@ check-unix: t_oid
-
- check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \
- t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
-- t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
-- t_spnego t_srcattrs
-+ t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok t_s4u \
-+ t_s4u2proxy_krb5 t_spnego t_srcattrs
- $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
-@@ -88,6 +89,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS)
- $(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS)
- t_iov: t_iov.o $(COMMON_DEPS)
- $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS)
-+t_lifetime: t_lifetime.o $(COMMON_DEPS)
-+ $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS)
- t_namingexts: t_namingexts.o $(COMMON_DEPS)
- $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS)
- t_pcontok: t_pcontok.o $(COMMON_DEPS)
-@@ -111,5 +114,5 @@ clean:
- $(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore
- $(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred
- $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov
-- $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5
-- $(RM) t_saslname t_spnego t_srcattrs
-+ $(RM) t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u
-+ $(RM) t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs
-diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
-index 397e58962..98c8df25c 100755
---- a/src/tests/gssapi/t_gssapi.py
-+++ b/src/tests/gssapi/t_gssapi.py
-@@ -185,4 +185,36 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ])
- # contexts.
- realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ])
-
-+# Test lifetime results, using a realm with a large maximum lifetime
-+# so that we can test ticket end dates after y2038. There are no
-+# time_t conversions involved, so we can run these tests on platforms
-+# with 32-bit time_t.
-+realm.stop()
-+conf = {'realms': {'$realm': {'max_life': '9000d'}}}
-+realm = K5Realm(kdc_conf=conf, get_creds=False)
-+
-+# Check a lifetime string result against an expected number value (or None).
-+# Allow some variance due to time elapsed during the tests.
-+def check_lifetime(msg, val, expected):
-+ if expected is None and val != 'indefinite':
-+ fail('%s: expected indefinite, got %s' % (msg, val))
-+ if expected is not None and val == 'indefinite':
-+ fail('%s: expected %d, got indefinite' % (msg, expected))
-+ if expected is not None and abs(int(val) - expected) > 100:
-+ fail('%s: expected %d, got %s' % (msg, expected, val))
-+
-+realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d'])
-+out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)])
-+ln = out.split('\n')
-+check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400)
-+check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400)
-+check_lifetime('acred gss_acquire_cred', ln[2], None)
-+check_lifetime('acred gss_inquire_cred', ln[3], None)
-+check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400)
-+check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400)
-+check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400)
-+check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300)
-+check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300)
-+check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300)
-+
- success('GSSAPI tests')
-diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c
-new file mode 100644
-index 000000000..8dcf18621
---- /dev/null
-+++ b/src/tests/gssapi/t_lifetime.c
-@@ -0,0 +1,140 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */
-+/*
-+ * Copyright (C) 2017 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * * Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * * Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <assert.h>
-+#include "common.h"
-+
-+/*
-+ * Using the default credential, exercise the GSS functions which accept or
-+ * produce lifetimes. Display the following results, one per line, as ASCII
-+ * integers or the string "indefinite":
-+ *
-+ * initiator cred lifetime according to gss_acquire_cred()
-+ * initiator cred lifetime according to gss_inquire_cred()
-+ * acceptor cred lifetime according to gss_acquire_cred()
-+ * acceptor cred lifetime according to gss_inquire_cred()
-+ * initiator context lifetime according to gss_init_sec_context()
-+ * initiator context lifetime according to gss_inquire_context()
-+ * initiator context lifetime according to gss_context_time()
-+ * acceptor context lifetime according to gss_init_sec_context()
-+ * acceptor context lifetime according to gss_inquire_context()
-+ * acceptor context lifetime according to gss_context_time()
-+ */
-+
-+static void
-+display_time(OM_uint32 tval)
-+{
-+ if (tval == GSS_C_INDEFINITE)
-+ puts("indefinite");
-+ else
-+ printf("%u\n", (unsigned int)tval);
-+}
-+
-+int
-+main(int argc, char *argv[])
-+{
-+ OM_uint32 minor, major;
-+ gss_cred_id_t icred, acred;
-+ gss_name_t tname;
-+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
-+ gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER;
-+ OM_uint32 time_req = GSS_C_INDEFINITE, time_rec;
-+
-+ if (argc < 2 || argc > 3) {
-+ fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]);
-+ return 1;
-+ }
-+ tname = import_name(argv[1]);
-+ if (argc >= 3)
-+ time_req = atoll(argv[2]);
-+
-+ /* Get initiator cred and display its lifetime according to
-+ * gss_acquire_cred and gss_inquire_cred. */
-+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
-+ GSS_C_INITIATE, &icred, NULL, &time_rec);
-+ check_gsserr("gss_acquire_cred(initiate)", major, minor);
-+ display_time(time_rec);
-+ major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL);
-+ check_gsserr("gss_inquire_cred(initiate)", major, minor);
-+ display_time(time_rec);
-+
-+ /* Get acceptor cred and display its lifetime according to gss_acquire_cred
-+ * and gss_inquire_cred. */
-+ major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5,
-+ GSS_C_ACCEPT, &acred, NULL, &time_rec);
-+ check_gsserr("gss_acquire_cred(accept)", major, minor);
-+ display_time(time_rec);
-+ major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL);
-+ check_gsserr("gss_inquire_cred(accept)", major, minor);
-+ display_time(time_rec);
-+
-+ /* Make an initiator context and display its lifetime according to
-+ * gss_init_sec_context, gss_inquire_context, and gss_context_time. */
-+ major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0,
-+ time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok,
-+ NULL, &itok, NULL, &time_rec);
-+ check_gsserr("gss_init_sec_context", major, minor);
-+ assert(major == GSS_S_COMPLETE);
-+ display_time(time_rec);
-+ major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL,
-+ NULL, NULL, NULL);
-+ check_gsserr("gss_inquire_context(initiate)", major, minor);
-+ display_time(time_rec);
-+ major = gss_context_time(&minor, ictx, &time_rec);
-+ check_gsserr("gss_context_time(initiate)", major, minor);
-+ display_time(time_rec);
-+
-+ major = gss_accept_sec_context(&minor, &actx, acred, &itok,
-+ GSS_C_NO_CHANNEL_BINDINGS, NULL,
-+ NULL, &atok, NULL, &time_rec, NULL);
-+ check_gsserr("gss_accept_sec_context", major, minor);
-+ assert(major == GSS_S_COMPLETE);
-+ display_time(time_rec);
-+ major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL,
-+ NULL, NULL, NULL);
-+ check_gsserr("gss_inquire_context(accept)", major, minor);
-+ display_time(time_rec);
-+ major = gss_context_time(&minor, actx, &time_rec);
-+ check_gsserr("gss_context_time(accept)", major, minor);
-+ display_time(time_rec);
-+
-+ (void)gss_release_buffer(&minor, &itok);
-+ (void)gss_release_buffer(&minor, &atok);
-+ (void)gss_release_name(&minor, &tname);
-+ (void)gss_release_cred(&minor, &icred);
-+ (void)gss_release_cred(&minor, &acred);
-+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
-+ (void)gss_delete_sec_context(&minor, &actx, NULL);
-+ return 0;
-+}
-diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
-index 44635b089..ffc043709 100755
---- a/src/tests/t_kdb.py
-+++ b/src/tests/t_kdb.py
-@@ -414,6 +414,13 @@ realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa',
- for p in ('bbbb', 'cccc', 'aaaa'):
- realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc'])
-
-+if runenv.sizeof_time_t <= 4:
-+ skipped('y2038 LDAP test', 'platform has 32-bit time_t')
-+else:
-+ # Test storage of timestamps after y2038.
-+ realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user'])
-+ realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n')
-+
- realm.stop()
-
- # Briefly test dump and load.
-diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py
-new file mode 100644
-index 000000000..02e946df4
---- /dev/null
-+++ b/src/tests/t_y2038.py
-@@ -0,0 +1,75 @@
-+#!/usr/bin/python
-+from k5test import *
-+
-+# These tests will become much less important after the y2038 boundary
-+# has elapsed, and may start exhibiting problems around the year 2075.
-+
-+if runenv.sizeof_time_t <= 4:
-+ skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t')
-+
-+# Start a KDC running roughly 21 years in the future, after the y2038
-+# boundary. Set long maximum lifetimes for later tests.
-+conf = {'realms': {'$realm': {'max_life': '9000d',
-+ 'max_renewable_life': '9000d'}}}
-+realm = K5Realm(start_kdc=False, kdc_conf=conf)
-+realm.start_kdc(['-T', '662256000'])
-+
-+# kinit without preauth should succeed with clock skew correction, but
-+# will result in an expired ticket, because we sent an absolute end
-+# time and didn't get a chance to correct it..
-+realm.kinit(realm.user_princ, password('user'))
-+realm.run([kvno, realm.host_princ], expected_code=1,
-+ expected_msg='Ticket expired')
-+
-+# kinit with preauth should succeed and result in a valid ticket, as
-+# we get a chance to correct the end time based on the KDC time. Try
-+# with encrypted timestamp and encrypted challenge.
-+realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
-+realm.kinit(realm.user_princ, password('user'))
-+realm.run([kvno, realm.host_princ])
-+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
-+realm.run([kvno, realm.host_princ])
-+
-+# Test that expiration warning works after y2038, by setting a
-+# password expiration time ten minutes after the KDC time.
-+realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user'])
-+out = realm.kinit(realm.user_princ, password('user'))
-+if 'will expire in less than one hour' not in out:
-+ fail('password expiration message')
-+year = int(out.split()[-1])
-+if year < 2038 or year > 9999:
-+ fail('password expiration year')
-+
-+realm.stop_kdc()
-+realm.start_kdc()
-+realm.start_kadmind()
-+realm.prep_kadmin()
-+
-+# Test getdate parsing of absolute timestamps after 2038 and
-+# marshalling over the kadmin protocol. The local time zone will
-+# affect the display time by a little bit, so just look for the year.
-+realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ])
-+realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n')
-+
-+# Get a ticket whose lifetime crosses the y2038 boundary and
-+# range-check the expiration year as reported by klist.
-+realm.kinit(realm.user_princ, password('user'),
-+ flags=['-l', '8000d', '-r', '8500d'])
-+realm.run([kvno, realm.host_princ])
-+out = realm.run([klist])
-+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
-+ fail('unexpected tgt expiration year')
-+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
-+ fail('unexpected tgt rtill year')
-+if int(out.split('\n')[6].split()[2].split('/')[2]) < 39:
-+ fail('unexpected service ticket expiration year')
-+if int(out.split('\n')[7].split()[2].split('/')[2]) < 40:
-+ fail('unexpected service ticket rtill year')
-+realm.kinit(realm.user_princ, None, ['-R'])
-+out = realm.run([klist])
-+if int(out.split('\n')[4].split()[2].split('/')[2]) < 39:
-+ fail('unexpected renewed tgt expiration year')
-+if int(out.split('\n')[5].split()[2].split('/')[2]) < 40:
-+ fail('unexpected renewed tgt rtill year')
-+
-+success('y2038 tests')
diff --git a/Add-y2038-documentation.patch b/Add-y2038-documentation.patch
deleted file mode 100644
index 693a1fb..0000000
--- a/Add-y2038-documentation.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 69ca5ff168f24792924b3cab0a9f27ada3eb4c4b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 4 May 2017 17:03:35 -0400
-Subject: [PATCH] Add y2038 documentation
-
-ticket: 8352
-(cherry picked from commit 85d64c43dbf7a7faa56a1999494cdfa49e8bd2c9)
----
- doc/appdev/index.rst | 1 +
- doc/appdev/y2038.rst | 28 ++++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
- create mode 100644 doc/appdev/y2038.rst
-
-diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst
-index 3d62045ca..961bb1e9e 100644
---- a/doc/appdev/index.rst
-+++ b/doc/appdev/index.rst
-@@ -5,6 +5,7 @@ For application developers
- :maxdepth: 1
-
- gssapi.rst
-+ y2038.rst
- h5l_mit_apidiff.rst
- init_creds.rst
- princ_handle.rst
-diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst
-new file mode 100644
-index 000000000..bc4122dad
---- /dev/null
-+++ b/doc/appdev/y2038.rst
-@@ -0,0 +1,28 @@
-+Year 2038 considerations for uses of krb5_timestamp
-+===================================================
-+
-+POSIX time values, which measure the number of seconds since January 1
-+1970, will exceed the maximum value representable in a signed 32-bit
-+integer in January 2038. This documentation describes considerations
-+for consumers of the MIT krb5 libraries.
-+
-+Applications or libraries which use libkrb5 and consume the timestamps
-+included in credentials or other structures make use of the
-+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
-+is a signed 32-bit integer, even on platforms where a larger type is
-+natively used to represent time values. To behave properly for time
-+values after January 2038, calling code should cast krb5_timestamp
-+values to uint32_t, and then to time_t::
-+
-+ (time_t)(uint32_t)timestamp
-+
-+Used in this way, krb5_timestamp values can represent time values up
-+until February 2106, provided that the platform uses a 64-bit or
-+larger time_t type. This usage will also remain safe if a later
-+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
-+integer.
-+
-+The GSSAPI only uses representations of time intervals, not absolute
-+times. Callers of the GSSAPI should require no changes to behave
-+correctly after January 2038, provided that they use MIT krb5 release
-+1.16 or later.
diff --git a/Build-with-Werror-implicit-int-where-supported.patch b/Build-with-Werror-implicit-int-where-supported.patch
deleted file mode 100644
index 30e3ba8..0000000
--- a/Build-with-Werror-implicit-int-where-supported.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 5f2ea38f7ecd60184e510558bdb551d0153432e0 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 10 Nov 2016 13:20:49 -0500
-Subject: [PATCH] Build with -Werror-implicit-int where supported
-
-(cherry picked from commit 873d864230c9c64c65ff12a24199bac3adf3bc2f)
----
- src/aclocal.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 2bfb99496..da1d6d8b4 100644
---- a/src/aclocal.m4
-+++ b/src/aclocal.m4
-@@ -529,7 +529,7 @@ if test "$GCC" = yes ; then
- TRY_WARN_CC_FLAG(-Wno-format-zero-length)
- # Other flags here may not be supported on some versions of
- # gcc that people want to use.
-- for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do
-+ for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do
- TRY_WARN_CC_FLAG(-W$flag)
- done
- # old-style-definition? generates many, many warnings
diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
deleted file mode 100644
index e9e27df..0000000
--- a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+++ /dev/null
@@ -1,422 +0,0 @@
-From 686fa6476eb759532d566794fa8d430774d44cf7 Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Wed, 29 Mar 2017 10:35:13 -0400
-Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
-
-ticket: 8568 (new)
-(cherry picked from commit 9852862a83952a94300adfafa3e333f43396ec33)
----
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 46 ++++++---------
- src/plugins/preauth/pkinit/pkinit_identity.c | 3 -
- src/plugins/preauth/pkinit/pkinit_matching.c | 1 +
- src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++----
- src/plugins/preauth/pkinit/pkinit_trace.h | 68 +++++++++++++++++++++-
- 5 files changed, 97 insertions(+), 45 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 90c30dbf5..70e230ec2 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context,
-
- X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert),
- buf, sizeof(buf));
-- pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf);
-
- if ((i = X509_get_ext_by_NID(reqctx->received_cert,
- NID_ext_key_usage, -1)) >= 0) {
-@@ -2354,7 +2353,6 @@ crypto_check_cert_eku(krb5_context context,
-
- if (found_eku) {
- ASN1_BIT_STRING *usage = NULL;
-- pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
-
- /* check that digitalSignature KeyUsage is present */
- X509_check_ca(reqctx->received_cert);
-@@ -2363,12 +2361,10 @@ crypto_check_cert_eku(krb5_context context,
-
- if (!ku_reject(reqctx->received_cert,
- X509v3_KU_DIGITAL_SIGNATURE)) {
-- pkiDebug("%s: found digitalSignature KU\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_EKU(context);
- *valid_eku = 1;
- } else
-- pkiDebug("%s: didn't find digitalSignature KU\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_EKU_NO_KU(context);
- }
- ASN1_BIT_STRING_free(usage);
- }
-@@ -4317,8 +4313,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
-
- fp = fopen(idopts->cert_filename, "rb");
- if (fp == NULL) {
-- pkiDebug("Failed to open PKCS12 file '%s', error %d\n",
-- idopts->cert_filename, errno);
-+ TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno);
- goto cleanup;
- }
- set_cloexec_file(fp);
-@@ -4326,8 +4321,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
- p12 = d2i_PKCS12_fp(fp, NULL);
- fclose(fp);
- if (p12 == NULL) {
-- pkiDebug("Failed to decode PKCS12 file '%s' contents\n",
-- idopts->cert_filename);
-+ TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename);
- goto cleanup;
- }
- /*
-@@ -4345,7 +4339,7 @@ pkinit_get_certs_pkcs12(krb5_context context,
- char *p12name = reassemble_pkcs12_name(idopts->cert_filename);
- const char *tmp;
-
-- pkiDebug("Initial PKCS12_parse with no password failed\n");
-+ TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context);
-
- if (id_cryptoctx->defer_id_prompt) {
- /* Supply the identity name to be passed to the responder. */
-@@ -4386,14 +4380,14 @@ pkinit_get_certs_pkcs12(krb5_context context,
- NULL, NULL, 1, &kprompt);
- k5int_set_prompt_types(context, 0);
- if (r) {
-- pkiDebug("Failed to prompt for PKCS12 password");
-+ TRACE_PKINIT_PKCS_PROMPT_FAIL(context);
- goto cleanup;
- }
- }
-
- ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL);
- if (ret == 0) {
-- pkiDebug("Second PKCS12_parse with password failed\n");
-+ TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context);
- goto cleanup;
- }
- }
-@@ -4516,8 +4510,7 @@ pkinit_get_certs_fs(krb5_context context,
- }
-
- if (idopts->key_filename == NULL) {
-- pkiDebug("%s: failed to get user's private key location\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_NO_PRIVKEY(context);
- goto cleanup;
- }
-
-@@ -4545,8 +4538,7 @@ pkinit_get_certs_dir(krb5_context context,
- char *dirname, *suf;
-
- if (idopts->cert_filename == NULL) {
-- pkiDebug("%s: failed to get user's certificate directory location\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_NO_CERT(context);
- return ENOENT;
- }
-
-@@ -4590,8 +4582,7 @@ pkinit_get_certs_dir(krb5_context context,
- retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx,
- certname, keyname, i);
- if (retval == 0) {
-- pkiDebug("%s: Successfully loaded cert (and key) for %s\n",
-- __FUNCTION__, dentry->d_name);
-+ TRACE_PKINIT_LOADED_CERT(context, dentry->d_name);
- i++;
- }
- else
-@@ -4599,8 +4590,7 @@ pkinit_get_certs_dir(krb5_context context,
- }
-
- if (!id_cryptoctx->defer_id_prompt && i == 0) {
-- pkiDebug("%s: No cert/key pairs found in directory '%s'\n",
-- __FUNCTION__, idopts->cert_filename);
-+ TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename);
- retval = ENOENT;
- goto cleanup;
- }
-@@ -5370,9 +5360,7 @@ crypto_cert_select_default(krb5_context context,
- goto errout;
- }
- if (cert_count != 1) {
-- pkiDebug("%s: ERROR: There are %d certs to choose from, "
-- "but there must be exactly one.\n",
-- __FUNCTION__, cert_count);
-+ TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count);
- retval = EINVAL;
- goto errout;
- }
-@@ -5520,7 +5508,7 @@ load_cas_and_crls(krb5_context context,
- switch(catype) {
- case CATYPE_ANCHORS:
- if (sk_X509_num(ca_certs) == 0) {
-- pkiDebug("no anchors in file, %s\n", filename);
-+ TRACE_PKINIT_NO_CA_ANCHOR(context, filename);
- if (id_cryptoctx->trustedCAs == NULL)
- sk_X509_free(ca_certs);
- } else {
-@@ -5530,7 +5518,7 @@ load_cas_and_crls(krb5_context context,
- break;
- case CATYPE_INTERMEDIATES:
- if (sk_X509_num(ca_certs) == 0) {
-- pkiDebug("no intermediates in file, %s\n", filename);
-+ TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename);
- if (id_cryptoctx->intermediateCAs == NULL)
- sk_X509_free(ca_certs);
- } else {
-@@ -5540,7 +5528,7 @@ load_cas_and_crls(krb5_context context,
- break;
- case CATYPE_CRLS:
- if (sk_X509_CRL_num(ca_crls) == 0) {
-- pkiDebug("no crls in file, %s\n", filename);
-+ TRACE_PKINIT_NO_CRL(context, filename);
- if (id_cryptoctx->revoked == NULL)
- sk_X509_CRL_free(ca_crls);
- } else {
-@@ -5626,14 +5614,14 @@ crypto_load_cas_and_crls(krb5_context context,
- int catype,
- char *id)
- {
-- pkiDebug("%s: called with idtype %s and catype %s\n",
-- __FUNCTION__, idtype2string(idtype), catype2string(catype));
- switch (idtype) {
- case IDTYPE_FILE:
-+ TRACE_PKINIT_LOAD_FROM_FILE(context);
- return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx, catype, id);
- break;
- case IDTYPE_DIR:
-+ TRACE_PKINIT_LOAD_FROM_DIR(context);
- return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx, catype, id);
- break;
-diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
-index a897efa25..737552e85 100644
---- a/src/plugins/preauth/pkinit/pkinit_identity.c
-+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
-@@ -608,7 +608,6 @@ pkinit_identity_prompt(krb5_context context,
- retval = pkinit_cert_matching(context, plg_cryptoctx,
- req_cryptoctx, id_cryptoctx, princ);
- if (retval) {
-- pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
- crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
- goto errout;
-@@ -621,8 +620,6 @@ pkinit_identity_prompt(krb5_context context,
- retval = crypto_cert_select_default(context, plg_cryptoctx,
- req_cryptoctx, id_cryptoctx);
- if (retval) {
-- pkiDebug("%s: Failed while selecting default certificate\n",
-- __FUNCTION__);
- crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
- goto errout;
-diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
-index a50c50c8d..cad4c2b9a 100644
---- a/src/plugins/preauth/pkinit/pkinit_matching.c
-+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
-@@ -812,6 +812,7 @@ pkinit_cert_matching(krb5_context context,
- goto cleanup;
- }
- } else {
-+ TRACE_PKINIT_NO_MATCHING_CERT(context);
- retval = ENOENT; /* XXX */
- goto cleanup;
- }
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 32ca122f2..9c6e96c9e 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -188,6 +188,7 @@ verify_client_san(krb5_context context,
- plgctx->opts->allow_upn ? &upns : NULL,
- NULL);
- if (retval == ENOENT) {
-+ TRACE_PKINIT_SERVER_NO_SAN(context);
- goto out;
- } else if (retval) {
- pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
-@@ -224,7 +225,7 @@ verify_client_san(krb5_context context,
- krb5_free_unparsed_name(context, san_string);
- #endif
- if (cb->match_client(context, rock, princs[i])) {
-- pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
-+ TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context);
- *valid_san = 1;
- retval = 0;
- goto out;
-@@ -252,7 +253,7 @@ verify_client_san(krb5_context context,
- krb5_free_unparsed_name(context, san_string);
- #endif
- if (cb->match_client(context, rock, upns[i])) {
-- pkiDebug("%s: upn san match found\n", __FUNCTION__);
-+ TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context);
- *valid_san = 1;
- retval = 0;
- goto out;
-@@ -300,7 +301,7 @@ verify_client_eku(krb5_context context,
- *eku_accepted = 0;
-
- if (plgctx->opts->require_eku == 0) {
-- pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__);
-+ TRACE_PKINIT_SERVER_EKU_SKIP(context);
- *eku_accepted = 1;
- retval = 0;
- goto out;
-@@ -364,6 +365,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
- ret = KRB5_PLUGIN_NO_HANDLE;
- for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
- h = certauth_modules[i];
-+ TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name);
- ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
- &opts, db_ent, &ais);
- if (ret == 0)
-@@ -449,7 +451,7 @@ pkinit_server_verify_padata(krb5_context context,
-
- switch ((int)data->pa_type) {
- case KRB5_PADATA_PK_AS_REQ:
-- pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n");
-+ TRACE_PKINIT_SERVER_PADATA_VERIFY(context);
- retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp);
- if (retval) {
- pkiDebug("decode_krb5_pa_pk_as_req failed\n");
-@@ -472,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context,
- break;
- case KRB5_PADATA_PK_AS_REP_OLD:
- case KRB5_PADATA_PK_AS_REQ_OLD:
-- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n");
-+ TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context);
- retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9);
- if (retval) {
- pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n");
-@@ -500,7 +502,7 @@ pkinit_server_verify_padata(krb5_context context,
- goto cleanup;
- }
- if (retval) {
-- pkiDebug("pkcs7_signeddata_verify failed\n");
-+ TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context);
- goto cleanup;
- }
- if (is_signed) {
-@@ -830,7 +832,7 @@ pkinit_server_return_padata(krb5_context context,
- return ENOENT;
- }
-
-- pkiDebug("pkinit_return_padata: entered!\n");
-+ TRACE_PKINIT_SERVER_RETURN_PADATA(context);
- reqctx = (pkinit_kdc_req_context)modreq;
-
- if (encrypting_key->contents) {
-@@ -1463,8 +1465,7 @@ pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata,
- return ret;
-
- if (!valid_san) {
-- pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_SERVER_SAN_REJECT(context);
- return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
- }
-
-@@ -1490,8 +1491,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
- return ret;
-
- if (!valid_eku) {
-- pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
-- __FUNCTION__);
-+ TRACE_PKINIT_SERVER_EKU_REJECT(context);
- return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- }
-
-@@ -1617,7 +1617,7 @@ pkinit_server_plugin_init(krb5_context context,
- return ENOMEM;
-
- for (i = 0, j = 0; i < numrealms; i++) {
-- pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]);
-+ TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]);
- retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx);
- if (retval == 0 && plgctx != NULL)
- realm_contexts[j++] = plgctx;
-diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h
-index 458d0961e..6abe28c0c 100644
---- a/src/plugins/preauth/pkinit/pkinit_trace.h
-+++ b/src/plugins/preauth/pkinit/pkinit_trace.h
-@@ -52,7 +52,7 @@
- #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \
- TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \
- "received {cksum}", expected, received)
--#define TRACE_PKINIT_CLIENT_REP_DH(c) \
-+#define TRACE_PKINIT_CLIENT_REP_DH(c) \
- TRACE(c, "PKINIT client verified DH reply")
- #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \
- TRACE(c, "PKINIT client could not verify DH reply")
-@@ -91,6 +91,72 @@
- #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \
- TRACE(c, "PKINIT OpenSSL error: {str}", msg)
-
-+#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \
-+ TRACE(c, "PKINIT server authorizing cert with module {str}", \
-+ modname)
-+#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \
-+ TRACE(c, "PKINIT server found no acceptable EKU in client cert")
-+#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \
-+ TRACE(c, "PKINIT server skipping EKU check due to configuration")
-+#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \
-+ TRACE(c, "PKINIT server initializing realm {str}", realm)
-+#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \
-+ TRACE(c, "PKINIT server found a matching UPN SAN in client cert")
-+#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \
-+ TRACE(c, "PKINIT server found a matching SAN in client cert")
-+#define TRACE_PKINIT_SERVER_NO_SAN(c) \
-+ TRACE(c, "PKINIT server found no SAN in client cert")
-+#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \
-+ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ")
-+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \
-+ TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD")
-+#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \
-+ TRACE(c, "PKINIT server failed to verify PA data")
-+#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \
-+ TRACE(c, "PKINIT server returning PA data")
-+#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \
-+ TRACE(c, "PKINIT server found no acceptable SAN in client cert")
-+
-+#define TRACE_PKINIT_EKU(c) \
-+ TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU")
-+#define TRACE_PKINIT_EKU_NO_KU(c) \
-+ TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU")
-+#define TRACE_PKINIT_LOADED_CERT(c, name) \
-+ TRACE(c, "PKINIT loaded cert and key for {str}", name)
-+#define TRACE_PKINIT_LOAD_FROM_FILE(c) \
-+ TRACE(c, "PKINIT loading CA certs and CRLs from FILE")
-+#define TRACE_PKINIT_LOAD_FROM_DIR(c) \
-+ TRACE(c, "PKINIT loading CA certs and CRLs from DIR")
-+#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \
-+ TRACE(c, "PKINIT no anchor CA in file {str}", file)
-+#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \
-+ TRACE(c, "PKINIT no intermediate CA in file {str}", file)
-+#define TRACE_PKINIT_NO_CERT(c) \
-+ TRACE(c, "PKINIT no certificate provided")
-+#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \
-+ TRACE(c, "PKINIT no cert and key pair found in directory {str}", \
-+ dirname)
-+#define TRACE_PKINIT_NO_CRL(c, file) \
-+ TRACE(c, "PKINIT no CRL in file {str}", file)
-+#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \
-+ TRACE(c, "PKINIT error: There are {int} certs, but there must " \
-+ "be exactly one.", count)
-+#define TRACE_PKINIT_NO_MATCHING_CERT(c) \
-+ TRACE(c, "PKINIT no matching certificate found")
-+#define TRACE_PKINIT_NO_PRIVKEY(c) \
-+ TRACE(c, "PKINIT no private key provided")
-+#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \
-+ TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name)
-+#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \
-+ TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \
-+ name, err)
-+#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \
-+ TRACE(c, "PKINIT initial PKCS12_parse with no password failed")
-+#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \
-+ TRACE(c, "PKINIT second PKCS12_parse with password failed")
-+#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \
-+ TRACE(c, "PKINIT failed to prompt for PKCS12 password")
-+
- #define TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \
- TRACE(c, "certauth module failed to init vtable: {kerr}", ret)
- #define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \
diff --git a/Correct-error-handling-bug-in-prior-commit.patch b/Correct-error-handling-bug-in-prior-commit.patch
deleted file mode 100644
index 6878e8c..0000000
--- a/Correct-error-handling-bug-in-prior-commit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 08d995aaf48e75c174525ae0b47e12c3170b3f5f Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 23 Mar 2017 13:42:55 -0400
-Subject: [PATCH] Correct error handling bug in prior commit
-
-In crypto_encode_der_cert(), if the second i2d_X509() invocation
-fails, make sure to free the allocated pointer and not the
-possibly-modified alias.
-
-ticket: 8561
-(cherry picked from commit 7fdaef7c3280c86b5df25ae061fb04cc56d8620c)
----
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index a5b010b26..90c30dbf5 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -6196,10 +6196,10 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
- if (len <= 0)
- return EINVAL;
- p = der = malloc(len);
-- if (p == NULL)
-+ if (der == NULL)
- return ENOMEM;
- if (i2d_X509(reqctx->received_cert, &p) <= 0) {
-- free(p);
-+ free(der);
- return EINVAL;
- }
- *der_out = der;
diff --git a/Deindent-crypto_retrieve_X509_sans.patch b/Deindent-crypto_retrieve_X509_sans.patch
deleted file mode 100644
index 9262e7d..0000000
--- a/Deindent-crypto_retrieve_X509_sans.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-From d5462c96c9918ffa7d3f05de310c5aed34181941 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 4 Jan 2017 11:33:57 -0500
-Subject: [PATCH] Deindent crypto_retrieve_X509_sans()
-
-Fix some long lines in crypto_retrieve_X509_sans() by returning early
-if X509_get_ext_by_NID() returns a negative result. Also ensure that
-return parameters are always initialized.
-
-(cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7)
----
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++++----------
- 1 file changed, 114 insertions(+), 110 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index bc6e7662e..8def8c542 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2101,11 +2101,21 @@ crypto_retrieve_X509_sans(krb5_context context,
- {
- krb5_error_code retval = EINVAL;
- char buf[DN_BUF_LEN];
-- int p = 0, u = 0, d = 0, l;
-+ int p = 0, u = 0, d = 0, ret = 0, l;
- krb5_principal *princs = NULL;
- krb5_principal *upns = NULL;
- unsigned char **dnss = NULL;
-- unsigned int i, num_found = 0;
-+ unsigned int i, num_found = 0, num_sans = 0;
-+ X509_EXTENSION *ext = NULL;
-+ GENERAL_NAMES *ialt = NULL;
-+ GENERAL_NAME *gen = NULL;
-+
-+ if (princs_ret != NULL)
-+ *princs_ret = NULL;
-+ if (upn_ret != NULL)
-+ *upn_ret = NULL;
-+ if (dns_ret != NULL)
-+ *dns_ret = NULL;
-
- if (princs_ret == NULL && upn_ret == NULL && dns_ret == NULL) {
- pkiDebug("%s: nowhere to return any values!\n", __FUNCTION__);
-@@ -2121,118 +2131,112 @@ crypto_retrieve_X509_sans(krb5_context context,
- buf, sizeof(buf));
- pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
-
-- if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
-- X509_EXTENSION *ext = NULL;
-- GENERAL_NAMES *ialt = NULL;
-- GENERAL_NAME *gen = NULL;
-- int ret = 0;
-- unsigned int num_sans = 0;
-+ l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
-+ if (l < 0)
-+ return 0;
-
-- if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
-- pkiDebug("%s: found no subject alt name extensions\n",
-- __FUNCTION__);
-+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
-+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
-+ goto cleanup;
-+ }
-+ num_sans = sk_GENERAL_NAME_num(ialt);
-+
-+ pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__,
-+ num_sans);
-+
-+ /* OK, we're likely returning something. Allocate return values */
-+ if (princs_ret != NULL) {
-+ princs = calloc(num_sans + 1, sizeof(krb5_principal));
-+ if (princs == NULL) {
-+ retval = ENOMEM;
- goto cleanup;
- }
-- num_sans = sk_GENERAL_NAME_num(ialt);
--
-- pkiDebug("%s: found %d subject alt name extension(s)\n",
-- __FUNCTION__, num_sans);
--
-- /* OK, we're likely returning something. Allocate return values */
-- if (princs_ret != NULL) {
-- princs = calloc(num_sans + 1, sizeof(krb5_principal));
-- if (princs == NULL) {
-- retval = ENOMEM;
-- goto cleanup;
-- }
-- }
-- if (upn_ret != NULL) {
-- upns = calloc(num_sans + 1, sizeof(krb5_principal));
-- if (upns == NULL) {
-- retval = ENOMEM;
-- goto cleanup;
-- }
-- }
-- if (dns_ret != NULL) {
-- dnss = calloc(num_sans + 1, sizeof(*dnss));
-- if (dnss == NULL) {
-- retval = ENOMEM;
-- goto cleanup;
-- }
-- }
--
-- for (i = 0; i < num_sans; i++) {
-- krb5_data name = { 0, 0, NULL };
--
-- gen = sk_GENERAL_NAME_value(ialt, i);
-- switch (gen->type) {
-- case GEN_OTHERNAME:
-- name.length = gen->d.otherName->value->value.sequence->length;
-- name.data = (char *)gen->d.otherName->value->value.sequence->data;
-- if (princs != NULL
-- && OBJ_cmp(plgctx->id_pkinit_san,
-- gen->d.otherName->type_id) == 0) {
--#ifdef DEBUG_ASN1
-- print_buffer_bin((unsigned char *)name.data, name.length,
-- "/tmp/pkinit_san");
--#endif
-- ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
-- if (ret) {
-- pkiDebug("%s: failed decoding pkinit san value\n",
-- __FUNCTION__);
-- } else {
-- p++;
-- num_found++;
-- }
-- } else if (upns != NULL
-- && OBJ_cmp(plgctx->id_ms_san_upn,
-- gen->d.otherName->type_id) == 0) {
-- /* Prevent abuse of embedded null characters. */
-- if (memchr(name.data, '\0', name.length))
-- break;
-- ret = krb5_parse_name_flags(context, name.data,
-- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-- &upns[u]);
-- if (ret) {
-- pkiDebug("%s: failed parsing ms-upn san value\n",
-- __FUNCTION__);
-- } else {
-- u++;
-- num_found++;
-- }
-- } else {
-- pkiDebug("%s: unrecognized othername oid in SAN\n",
-- __FUNCTION__);
-- continue;
-- }
--
-- break;
-- case GEN_DNS:
-- if (dnss != NULL) {
-- /* Prevent abuse of embedded null characters. */
-- if (memchr(gen->d.dNSName->data, '\0',
-- gen->d.dNSName->length))
-- break;
-- pkiDebug("%s: found dns name = %s\n",
-- __FUNCTION__, gen->d.dNSName->data);
-- dnss[d] = (unsigned char *)
-- strdup((char *)gen->d.dNSName->data);
-- if (dnss[d] == NULL) {
-- pkiDebug("%s: failed to duplicate dns name\n",
-- __FUNCTION__);
-- } else {
-- d++;
-- num_found++;
-- }
-- }
-- break;
-- default:
-- pkiDebug("%s: SAN type = %d expecting %d\n",
-- __FUNCTION__, gen->type, GEN_OTHERNAME);
-- }
-- }
-- sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
- }
-+ if (upn_ret != NULL) {
-+ upns = calloc(num_sans + 1, sizeof(krb5_principal));
-+ if (upns == NULL) {
-+ retval = ENOMEM;
-+ goto cleanup;
-+ }
-+ }
-+ if (dns_ret != NULL) {
-+ dnss = calloc(num_sans + 1, sizeof(*dnss));
-+ if (dnss == NULL) {
-+ retval = ENOMEM;
-+ goto cleanup;
-+ }
-+ }
-+
-+ for (i = 0; i < num_sans; i++) {
-+ krb5_data name = { 0, 0, NULL };
-+
-+ gen = sk_GENERAL_NAME_value(ialt, i);
-+ switch (gen->type) {
-+ case GEN_OTHERNAME:
-+ name.length = gen->d.otherName->value->value.sequence->length;
-+ name.data = (char *)gen->d.otherName->value->value.sequence->data;
-+ if (princs != NULL &&
-+ OBJ_cmp(plgctx->id_pkinit_san,
-+ gen->d.otherName->type_id) == 0) {
-+#ifdef DEBUG_ASN1
-+ print_buffer_bin((unsigned char *)name.data, name.length,
-+ "/tmp/pkinit_san");
-+#endif
-+ ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
-+ if (ret) {
-+ pkiDebug("%s: failed decoding pkinit san value\n",
-+ __FUNCTION__);
-+ } else {
-+ p++;
-+ num_found++;
-+ }
-+ } else if (upns != NULL &&
-+ OBJ_cmp(plgctx->id_ms_san_upn,
-+ gen->d.otherName->type_id) == 0) {
-+ /* Prevent abuse of embedded null characters. */
-+ if (memchr(name.data, '\0', name.length))
-+ break;
-+ ret = krb5_parse_name_flags(context, name.data,
-+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-+ &upns[u]);
-+ if (ret) {
-+ pkiDebug("%s: failed parsing ms-upn san value\n",
-+ __FUNCTION__);
-+ } else {
-+ u++;
-+ num_found++;
-+ }
-+ } else {
-+ pkiDebug("%s: unrecognized othername oid in SAN\n",
-+ __FUNCTION__);
-+ continue;
-+ }
-+
-+ break;
-+ case GEN_DNS:
-+ if (dnss != NULL) {
-+ /* Prevent abuse of embedded null characters. */
-+ if (memchr(gen->d.dNSName->data, '\0', gen->d.dNSName->length))
-+ break;
-+ pkiDebug("%s: found dns name = %s\n", __FUNCTION__,
-+ gen->d.dNSName->data);
-+ dnss[d] = (unsigned char *)
-+ strdup((char *)gen->d.dNSName->data);
-+ if (dnss[d] == NULL) {
-+ pkiDebug("%s: failed to duplicate dns name\n",
-+ __FUNCTION__);
-+ } else {
-+ d++;
-+ num_found++;
-+ }
-+ }
-+ break;
-+ default:
-+ pkiDebug("%s: SAN type = %d expecting %d\n", __FUNCTION__,
-+ gen->type, GEN_OTHERNAME);
-+ }
-+ }
-+ sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
-
- retval = 0;
- if (princs)
diff --git a/Fix-bugs-in-kdcpolicy-commit.patch b/Fix-bugs-in-kdcpolicy-commit.patch
deleted file mode 100644
index c4c50a1..0000000
--- a/Fix-bugs-in-kdcpolicy-commit.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From c8c704cdaaa15a0908024f0917344048c0df5940 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 19 Aug 2017 19:09:24 -0400
-Subject: [PATCH] Fix bugs in kdcpolicy commit
-
-Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
-"klist ccachname -e", which does not work with a POSIX-conformant
-getopt() implementation such as the one in Solaris. Fix
-t_kdcpolicy.py to use "klist -e ccachename" instead.
-
-The tests could fail if the clock second rolled over between kinit and
-kvno. Divide service ticket maximum lifetimes by 2 in the test module
-to correctly exercise TGS policy restrictions and ensure that service
-tickets are not constrained by the TGT end time.
-
-Also use the correct trace macro when a kdcpolicy module declines to
-initialize (my mistake when revising the commit, noted by rharwood).
-
-ticket: 8606
-(cherry picked from commit 09acbd91efc6df54e1572285ffc94c6acb3a9113)
----
- src/kdc/policy.c | 2 +-
- src/plugins/kdcpolicy/test/main.c | 10 +++++-----
- src/tests/t_kdcpolicy.py | 13 +++++++++----
- 3 files changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/src/kdc/policy.c b/src/kdc/policy.c
-index e49644e06..26c16f97c 100644
---- a/src/kdc/policy.c
-+++ b/src/kdc/policy.c
-@@ -222,7 +222,7 @@ load_kdcpolicy_plugins(krb5_context context)
- if (h->vt.init != NULL) {
- ret = h->vt.init(context, &h->moddata);
- if (ret == KRB5_PLUGIN_NO_HANDLE) {
-- TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
-+ TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
- free(h);
- continue;
- }
-diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c
-index eb8fde053..86c808958 100644
---- a/src/plugins/kdcpolicy/test/main.c
-+++ b/src/plugins/kdcpolicy/test/main.c
-@@ -35,7 +35,7 @@
- #include <krb5/kdcpolicy_plugin.h>
-
- static krb5_error_code
--output_from_indicator(const char *const *auth_indicators,
-+output_from_indicator(const char *const *auth_indicators, int divisor,
- krb5_deltat *lifetime_out,
- krb5_deltat *renew_lifetime_out,
- const char **status)
-@@ -46,11 +46,11 @@ output_from_indicator(const char *const *auth_indicators,
- }
-
- if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) {
-- *lifetime_out = 3600;
-+ *lifetime_out = 3600 / divisor;
- *renew_lifetime_out = *lifetime_out * 2;
- return 0;
- } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) {
-- *lifetime_out = 7 * 3600;
-+ *lifetime_out = 7 * 3600 / divisor;
- *renew_lifetime_out = *lifetime_out * 2;
- return 0;
- }
-@@ -71,7 +71,7 @@ test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
- *status = "LOCAL_POLICY";
- return KRB5KDC_ERR_POLICY;
- }
-- return output_from_indicator(auth_indicators, lifetime_out,
-+ return output_from_indicator(auth_indicators, 1, lifetime_out,
- renew_lifetime_out, status);
- }
-
-@@ -87,7 +87,7 @@ test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
- *status = "LOCAL_POLICY";
- return KRB5KDC_ERR_POLICY;
- }
-- return output_from_indicator(auth_indicators, lifetime_out,
-+ return output_from_indicator(auth_indicators, 2, lifetime_out,
- renew_lifetime_out, status);
- }
-
-diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py
-index 6a745b959..b5d308461 100644
---- a/src/tests/t_kdcpolicy.py
-+++ b/src/tests/t_kdcpolicy.py
-@@ -18,16 +18,21 @@ realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail'])
- def verify_time(out, target_time):
- times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out)
- times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times]
-+ divisor = 1
- while len(times) > 0:
- starttime = times.pop(0)
- endtime = times.pop(0)
- renewtime = times.pop(0)
-
-- if str(endtime - starttime) != target_time:
-+ if str((endtime - starttime) * divisor) != target_time:
- fail('unexpected lifetime value')
-- if str(renewtime - endtime) != target_time:
-+ if str((renewtime - endtime) * divisor) != target_time:
- fail('unexpected renewable value')
-
-+ # Service tickets should have half the lifetime of initial
-+ # tickets.
-+ divisor = 2
-+
- rflags = ['-r', '1d', '-l', '12h']
-
- # Test AS+TGS success path.
-@@ -35,7 +40,7 @@ realm.kinit(realm.user_princ, password('user'),
- rflags + ['-X', 'indicators=SEVEN_HOURS'])
- realm.run([kvno, realm.host_princ])
- realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]')
--out = realm.run([klist, realm.ccache, '-e'])
-+out = realm.run([klist, '-e', realm.ccache])
- verify_time(out, '7:00:00')
-
- # Test AS+TGS success path with different values.
-@@ -43,7 +48,7 @@ realm.kinit(realm.user_princ, password('user'),
- rflags + ['-X', 'indicators=ONE_HOUR'])
- realm.run([kvno, realm.host_princ])
- realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]')
--out = realm.run([klist, realm.ccache, '-e'])
-+out = realm.run([klist, '-e', realm.ccache])
- verify_time(out, '1:00:00')
-
- # Test TGS failure path (using previous creds).
diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch
deleted file mode 100644
index 1c927d5..0000000
--- a/Fix-certauth-built-in-module-returns.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 0d93e336e2cb8319bfd3e0fa096e5ee8ea3bbbbf Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Thu, 24 Aug 2017 11:11:46 -0400
-Subject: [PATCH] Fix certauth built-in module returns
-
-The PKINIT certauth eku module should never authoritatively authorize
-a certificate, because an extended key usage does not establish a
-relationship between the certificate and any specific user; it only
-establishes that the certificate was created for PKINIT client
-authentication. Therefore, pkinit_eku_authorize() should return
-KRB5_PLUGIN_NO_HANDLE on success, not 0.
-
-The certauth san module should pass if it does not find any SANs of
-the types it can match against; the presence of other types of SANs
-should not cause it to explicitly deny a certificate. Check for an
-empty result from crypto_retrieve_cert_sans() in verify_client_san(),
-instead of returning ENOENT from crypto_retrieve_cert_sans() when
-there are no SANs at all.
-
-ticket: 8561
-(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
----
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------
- src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++---
- 2 files changed, 27 insertions(+), 26 deletions(-)
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 70e230ec2..7fa2efd21 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
-
- if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
- pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
-- retval = ENOENT;
- goto cleanup;
- }
- num_sans = sk_GENERAL_NAME_num(ialt);
-@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
- sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
-
- retval = 0;
-- if (princs)
-+ if (princs != NULL && *princs != NULL) {
- *princs_ret = princs;
-- if (upns)
-+ princs = NULL;
-+ }
-+ if (upns != NULL && *upns != NULL) {
- *upn_ret = upns;
-- if (dnss)
-+ upns = NULL;
-+ }
-+ if (dnss != NULL && *dnss != NULL) {
- *dns_ret = dnss;
-+ dnss = NULL;
-+ }
-
- cleanup:
-- if (retval) {
-- if (princs != NULL) {
-- for (i = 0; princs[i] != NULL; i++)
-- krb5_free_principal(context, princs[i]);
-- free(princs);
-- }
-- if (upns != NULL) {
-- for (i = 0; upns[i] != NULL; i++)
-- krb5_free_principal(context, upns[i]);
-- free(upns);
-- }
-- if (dnss != NULL) {
-- for (i = 0; dnss[i] != NULL; i++)
-- free(dnss[i]);
-- free(dnss);
-- }
-- }
-+ for (i = 0; princs != NULL && princs[i] != NULL; i++)
-+ krb5_free_principal(context, princs[i]);
-+ free(princs);
-+ for (i = 0; upns != NULL && upns[i] != NULL; i++)
-+ krb5_free_principal(context, upns[i]);
-+ free(upns);
-+ for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
-+ free(dnss[i]);
-+ free(dnss);
- return retval;
- }
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 9c6e96c9e..8e77606f8 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
- &princs,
- plgctx->opts->allow_upn ? &upns : NULL,
- NULL);
-- if (retval == ENOENT) {
-- TRACE_PKINIT_SERVER_NO_SAN(context);
-- goto out;
-- } else if (retval) {
-+ if (retval) {
- pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
- retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
- goto out;
- }
-+
-+ if (princs == NULL && upns == NULL) {
-+ TRACE_PKINIT_SERVER_NO_SAN(context);
-+ retval = ENOENT;
-+ goto out;
-+ }
-+
- /* XXX Verify this is consistent with client side XXX */
- #if 0
- retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
-@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
- return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- }
-
-- return 0;
-+ return KRB5_PLUGIN_NO_HANDLE;
- }
-
- static krb5_error_code
diff --git a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
deleted file mode 100644
index a8a53cf..0000000
--- a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From e2d34698687c00504b83e1c0deb56dc6232bef42 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 24 Apr 2017 02:02:36 -0400
-Subject: [PATCH] Fix in_clock_skew() and use it in AS client code
-
-Add a context parameter to the in_clock_skew() macro so that it isn't
-implicitly relying on a local variable. Use it in
-get_in_tkt.c:verify_as_reply().
-
-(cherry picked from commit 28a07a6461bb443b7fa75cc5cb859ad0db4cbb5a)
----
- src/lib/krb5/krb/gc_via_tkt.c | 2 +-
- src/lib/krb5/krb/get_in_tkt.c | 4 ++--
- src/lib/krb5/krb/int-proto.h | 3 ++-
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
-index 4c0a1a461..c85d8b8d8 100644
---- a/src/lib/krb5/krb/gc_via_tkt.c
-+++ b/src/lib/krb5/krb/gc_via_tkt.c
-@@ -305,7 +305,7 @@ krb5int_process_tgs_reply(krb5_context context,
- goto cleanup;
-
- if (!in_cred->times.starttime &&
-- !in_clock_skew(dec_rep->enc_part2->times.starttime,
-+ !in_clock_skew(context, dec_rep->enc_part2->times.starttime,
- timestamp)) {
- retval = KRB5_KDCREP_SKEW;
- goto cleanup;
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 54badbbc3..a058f5bd7 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -287,8 +287,8 @@ verify_as_reply(krb5_context context,
- return retval;
- } else {
- if ((request->from == 0) &&
-- (labs(as_reply->enc_part2->times.starttime - time_now)
-- > context->clockskew))
-+ !in_clock_skew(context, as_reply->enc_part2->times.starttime,
-+ time_now))
- return (KRB5_KDCREP_SKEW);
- }
- return 0;
-diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
-index 6da74858e..44eca359f 100644
---- a/src/lib/krb5/krb/int-proto.h
-+++ b/src/lib/krb5/krb/int-proto.h
-@@ -83,7 +83,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
-
--#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
-+#define in_clock_skew(context, date, now) \
-+ (labs((date) - (now)) < (context)->clockskew)
-
- #define IS_TGS_PRINC(p) ((p)->length == 2 && \
- data_eq_string((p)->data[0], KRB5_TGS_NAME))
diff --git a/Fix-more-time-manipulations-for-y2038.patch b/Fix-more-time-manipulations-for-y2038.patch
deleted file mode 100644
index a57a64c..0000000
--- a/Fix-more-time-manipulations-for-y2038.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 7b28a408650c58d0ea98fddab5034642af32fdaf Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 17 May 2017 14:52:09 -0400
-Subject: [PATCH] Fix more time manipulations for y2038
-
-Use timestamp helper functions to ensure that more operations are safe
-after y2038, and display the current timestamp as unsigned in
-krb5int_trace().
-
-ticket: 8352
-(cherry picked from commit a60db180211a383bd382afe729e9309acb8dcf53)
----
- src/kadmin/server/misc.c | 2 +-
- src/kdc/dispatch.c | 2 +-
- src/lib/krb5/os/c_ustime.c | 8 ++++----
- src/lib/krb5/os/trace.c | 2 +-
- 4 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
-index 27a6376af..a75b65a26 100644
---- a/src/kadmin/server/misc.c
-+++ b/src/kadmin/server/misc.c
-@@ -184,7 +184,7 @@ check_min_life(void *server_handle, krb5_principal principal,
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return (ret == KADM5_UNK_POLICY) ? 0 : ret;
- }
-- if((now - princ.last_pwd_change) < pol.pw_min_life &&
-+ if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- if (msg_ret != NULL) {
- time_t until;
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 3a169ebc7..16a35d2be 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context)
- if (last_os_random == 0)
- last_os_random = now;
- /* Grab random data from OS every hour*/
-- if (now-last_os_random >= 60 * 60) {
-+ if (ts_delta(now, last_os_random) >= 60 * 60) {
- krb5_c_random_os_entropy(kdc_err_context, 0, NULL);
- last_os_random = now;
- }
-diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
-index 871d72183..68fb381f4 100644
---- a/src/lib/krb5/os/c_ustime.c
-+++ b/src/lib/krb5/os/c_ustime.c
-@@ -102,17 +102,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
- putting now.sec in the past. But don't just use '<' because we
- need to properly handle the case where the administrator intentionally
- adjusted time backwards. */
-- if ((now.sec == last_time.sec-1) ||
-- ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) {
-+ if (now.sec == ts_incr(last_time.sec, -1) ||
-+ (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) {
- /* Correct 'now' to be exactly one microsecond later than 'last_time'.
- Note that _because_ we perform this hack, 'now' may be _earlier_
- than 'last_time', even though the system time is monotonically
- increasing. */
-
- now.sec = last_time.sec;
-- now.usec = ++last_time.usec;
-+ now.usec = ts_incr(last_time.usec, 1);
- if (now.usec >= 1000000) {
-- ++now.sec;
-+ now.sec = ts_incr(now.sec, 1);
- now.usec = 0;
- }
- }
-diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index a19246128..74c315c90 100644
---- a/src/lib/krb5/os/trace.c
-+++ b/src/lib/krb5/os/trace.c
-@@ -350,7 +350,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
- goto cleanup;
- if (krb5_crypto_us_timeofday(&sec, &usec) != 0)
- goto cleanup;
-- if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec,
-+ if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec,
- (int) usec, str) < 0)
- goto cleanup;
- info.message = msg;
diff --git a/Improve-PKINIT-UPN-SAN-matching.patch b/Improve-PKINIT-UPN-SAN-matching.patch
deleted file mode 100644
index 26b27f1..0000000
--- a/Improve-PKINIT-UPN-SAN-matching.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 03265620488b84238c31170356b5f41c80f0e9d9 Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Mon, 5 Dec 2016 12:17:59 -0500
-Subject: [PATCH] Improve PKINIT UPN SAN matching
-
-Add the match_client() kdcpreauth callback and use it in
-verify_client_san(). match_client() preserves the direct UPN to
-request principal comparison and adds a direct comparison to the
-client principal, falling back to an alias DB search and comparison
-against the client principal. Change crypto_retreive_X509_sans() to
-parse UPN values as enterprise principals.
-
-[ghudson@mit.edu: use match_client for both kinds of SANs]
-
-ticket: 8528 (new)
-(cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc)
----
- src/include/krb5/kdcpreauth_plugin.h | 13 ++++++++++
- src/kdc/kdc_preauth.c | 28 ++++++++++++++++++++--
- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 +++-
- src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++----
- 4 files changed, 48 insertions(+), 7 deletions(-)
-
-diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
-index f455effae..92aa5a5a5 100644
---- a/src/include/krb5/kdcpreauth_plugin.h
-+++ b/src/include/krb5/kdcpreauth_plugin.h
-@@ -221,6 +221,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
-
- /* End of version 3 kdcpreauth callbacks. */
-
-+ /*
-+ * Return true if princ matches the principal named in the request or the
-+ * client principal (possibly canonicalized). If princ does not match,
-+ * attempt a database lookup of princ with aliases allowed and compare the
-+ * result to the client principal, returning true if it matches.
-+ * Otherwise, return false.
-+ */
-+ krb5_boolean (*match_client)(krb5_context context,
-+ krb5_kdcpreauth_rock rock,
-+ krb5_principal princ);
-+
-+ /* End of version 4 kdcpreauth callbacks. */
-+
- } *krb5_kdcpreauth_callbacks;
-
- /* Optional: preauth plugin initialization function. */
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 605fcb7ad..0ce79c667 100644
---- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -568,8 +568,31 @@ set_cookie(krb5_context context, krb5_kdcpreauth_rock rock,
- return kdc_fast_set_cookie(rock->rstate, pa_type, data);
- }
-
-+static krb5_boolean
-+match_client(krb5_context context, krb5_kdcpreauth_rock rock,
-+ krb5_principal princ)
-+{
-+ krb5_db_entry *ent;
-+ krb5_boolean match = FALSE;
-+ krb5_principal req_client = rock->request->client;
-+ krb5_principal client = rock->client->princ;
-+
-+ /* Check for a direct match against the request principal or
-+ * the post-canon client principal. */
-+ if (krb5_principal_compare_flags(context, princ, req_client,
-+ KRB5_PRINCIPAL_COMPARE_ENTERPRISE) ||
-+ krb5_principal_compare(context, princ, client))
-+ return TRUE;
-+
-+ if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
-+ return FALSE;
-+ match = krb5_principal_compare(context, ent->princ, client);
-+ krb5_db_free_principal(context, ent);
-+ return match;
-+}
-+
- static struct krb5_kdcpreauth_callbacks_st callbacks = {
-- 3,
-+ 4,
- max_time_skew,
- client_keys,
- free_keys,
-@@ -583,7 +606,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
- client_keyblock,
- add_auth_indicator,
- get_cookie,
-- set_cookie
-+ set_cookie,
-+ match_client
- };
-
- static krb5_error_code
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 74fffbf32..bc6e7662e 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -2190,7 +2190,9 @@ crypto_retrieve_X509_sans(krb5_context context,
- /* Prevent abuse of embedded null characters. */
- if (memchr(name.data, '\0', name.length))
- break;
-- ret = krb5_parse_name(context, name.data, &upns[u]);
-+ ret = krb5_parse_name_flags(context, name.data,
-+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-+ &upns[u]);
- if (ret) {
- pkiDebug("%s: failed parsing ms-upn san value\n",
- __FUNCTION__);
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 295be25e1..b5638a367 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -121,6 +121,8 @@ static krb5_error_code
- verify_client_san(krb5_context context,
- pkinit_kdc_context plgctx,
- pkinit_kdc_req_context reqctx,
-+ krb5_kdcpreauth_callbacks cb,
-+ krb5_kdcpreauth_rock rock,
- krb5_principal client,
- int *valid_san)
- {
-@@ -171,7 +173,7 @@ verify_client_san(krb5_context context,
- __FUNCTION__, client_string, san_string);
- krb5_free_unparsed_name(context, san_string);
- #endif
-- if (krb5_principal_compare(context, princs[i], client)) {
-+ if (cb->match_client(context, rock, princs[i])) {
- pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
- *valid_san = 1;
- retval = 0;
-@@ -199,7 +201,7 @@ verify_client_san(krb5_context context,
- __FUNCTION__, client_string, san_string);
- krb5_free_unparsed_name(context, san_string);
- #endif
-- if (krb5_principal_compare(context, upns[i], client)) {
-+ if (cb->match_client(context, rock, upns[i])) {
- pkiDebug("%s: upn san match found\n", __FUNCTION__);
- *valid_san = 1;
- retval = 0;
-@@ -387,8 +389,8 @@ pkinit_server_verify_padata(krb5_context context,
- }
- if (is_signed) {
-
-- retval = verify_client_san(context, plgctx, reqctx, request->client,
-- &valid_san);
-+ retval = verify_client_san(context, plgctx, reqctx, cb, rock,
-+ request->client, &valid_san);
- if (retval)
- goto cleanup;
- if (!valid_san) {
diff --git a/Make-timestamp-manipulations-y2038-safe.patch b/Make-timestamp-manipulations-y2038-safe.patch
deleted file mode 100644
index 26bff26..0000000
--- a/Make-timestamp-manipulations-y2038-safe.patch
+++ /dev/null
@@ -1,1844 +0,0 @@
-From ac30f4753f157dafe93df2941a216fde591fcb69 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Sat, 22 Apr 2017 12:52:17 -0400
-Subject: [PATCH] Make timestamp manipulations y2038-safe
-
-Wherever we manipulate krb5_timestamp values using arithmetic,
-comparison operations, or conversion to time_t, use the new helper
-functions in k5-int.h to ensure that the operations work after y2038
-and do not exhibit undefined behavior. (Relying on
-implementation-defined conversion to signed values is okay as we test
-that in configure.in.)
-
-In printf format strings, use %u instead of signed types. When
-exporting creds with k5_json_array_fmt(), use a long long so that
-timestamps after y2038 aren't marshalled as negative numbers. When
-parsing timestamps in test programs, use atoll() instead of atol() so
-that positive timestamps after y2038 can be used as input.
-
-In ksu and klist, make printtime() take a krb5_timestamp parameter to
-avoid an unnecessary conversion to time_t and back.
-
-As Leash does not use k5-int.h, use time_t values internally and
-safely convert from libkrb5 timestamp values.
-
-ticket: 8352
-(cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641)
----
- src/clients/kinit/kinit.c | 2 +-
- src/clients/klist/klist.c | 20 ++++-------
- src/clients/ksu/ccache.c | 20 +++--------
- src/clients/ksu/ksu.h | 2 +-
- src/kadmin/cli/getdate.y | 2 +-
- src/kadmin/cli/kadmin.c | 5 ++-
- src/kadmin/dbutil/dump.c | 27 ++++++++-------
- src/kadmin/dbutil/kdb5_mkey.c | 6 ++--
- src/kadmin/dbutil/tabdump.c | 2 +-
- src/kadmin/testing/util/tcl_kadm5.c | 12 +++----
- src/kdc/do_as_req.c | 2 +-
- src/kdc/do_tgs_req.c | 6 ++--
- src/kdc/extern.c | 4 ++-
- src/kdc/fast_util.c | 4 +--
- src/kdc/kdc_log.c | 14 ++++----
- src/kdc/kdc_util.c | 20 +++++------
- src/kdc/kdc_util.h | 2 ++
- src/kdc/replay.c | 2 +-
- src/kdc/tgs_policy.c | 7 ++--
- src/lib/gssapi/krb5/accept_sec_context.c | 8 +++--
- src/lib/gssapi/krb5/acquire_cred.c | 13 ++++---
- src/lib/gssapi/krb5/context_time.c | 2 +-
- src/lib/gssapi/krb5/export_cred.c | 5 +--
- src/lib/gssapi/krb5/iakerb.c | 4 +--
- src/lib/gssapi/krb5/init_sec_context.c | 9 ++---
- src/lib/gssapi/krb5/inq_context.c | 2 +-
- src/lib/gssapi/krb5/inq_cred.c | 5 +--
- src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +-
- src/lib/kadm5/chpass_util.c | 8 ++---
- src/lib/kadm5/srv/server_acl.c | 5 +--
- src/lib/kadm5/srv/svr_principal.c | 12 +++----
- src/lib/kdb/kdb5.c | 2 +-
- src/lib/krb5/asn.1/asn1_k_encode.c | 3 +-
- src/lib/krb5/ccache/cc_keyring.c | 14 ++++----
- src/lib/krb5/ccache/cc_memory.c | 4 +--
- src/lib/krb5/ccache/cc_retr.c | 4 +--
- src/lib/krb5/ccache/ccapi/stdcc_util.c | 40 +++++++++++-----------
- src/lib/krb5/ccache/cccursor.c | 2 +-
- src/lib/krb5/keytab/kt_file.c | 6 ++--
- src/lib/krb5/krb/gc_via_tkt.c | 7 ++--
- src/lib/krb5/krb/get_creds.c | 2 +-
- src/lib/krb5/krb/get_in_tkt.c | 38 ++++++--------------
- src/lib/krb5/krb/gic_pwd.c | 4 +--
- src/lib/krb5/krb/int-proto.h | 2 +-
- src/lib/krb5/krb/pac.c | 2 +-
- src/lib/krb5/krb/str_conv.c | 4 +--
- src/lib/krb5/krb/t_kerb.c | 12 ++-----
- src/lib/krb5/krb/valid_times.c | 4 +--
- src/lib/krb5/krb/vfy_increds.c | 2 +-
- src/lib/krb5/os/timeofday.c | 2 +-
- src/lib/krb5/os/toffset.c | 2 +-
- src/lib/krb5/os/ustime.c | 6 ++--
- src/lib/krb5/rcache/rc_dfl.c | 3 +-
- src/lib/krb5/rcache/t_replay.c | 8 ++---
- src/plugins/kdb/db2/lockout.c | 8 ++---
- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 2 +-
- src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 8 ++---
- src/windows/cns/tktlist.c | 10 +++---
- src/windows/include/leashwin.h | 12 +++----
- src/windows/leash/KrbListTickets.cpp | 12 +++----
- src/windows/leash/LeashView.cpp | 22 ++++++------
- src/windows/leashdll/lshfunc.c | 2 +-
- src/windows/ms2mit/ms2mit.c | 2 +-
- 63 files changed, 230 insertions(+), 255 deletions(-)
-
-diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
-index f1cd1b73d..50065e32e 100644
---- a/src/clients/kinit/kinit.c
-+++ b/src/clients/kinit/kinit.c
-@@ -318,7 +318,7 @@ parse_options(argc, argv, opts)
- fprintf(stderr, _("Bad start time value %s\n"), optarg);
- errflg++;
- } else {
-- opts->starttime = abs_starttime - time(0);
-+ opts->starttime = ts_delta(abs_starttime, time(NULL));
- }
- }
- break;
-diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
-index ba19788a2..ffeecc394 100644
---- a/src/clients/klist/klist.c
-+++ b/src/clients/klist/klist.c
-@@ -72,7 +72,7 @@ void do_ccache_name (char *);
- int show_ccache (krb5_ccache);
- int check_ccache (krb5_ccache);
- void do_keytab (char *);
--void printtime (time_t);
-+void printtime (krb5_timestamp);
- void one_addr (krb5_address *);
- void fillit (FILE *, unsigned int, int);
-
-@@ -538,10 +538,10 @@ check_ccache(krb5_ccache cache)
- while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
- if (is_local_tgt(creds.server, &princ->realm)) {
- found_tgt = TRUE;
-- if (creds.times.endtime > now)
-+ if (ts_after(creds.times.endtime, now))
- found_current_tgt = TRUE;
- } else if (!krb5_is_config_principal(kcontext, creds.server) &&
-- creds.times.endtime > now) {
-+ ts_after(creds.times.endtime, now)) {
- found_current_cred = TRUE;
- }
- krb5_free_cred_contents(kcontext, &creds);
-@@ -623,19 +623,13 @@ flags_string(cred)
- }
-
- void
--printtime(tv)
-- time_t tv;
-+printtime(krb5_timestamp ts)
- {
-- char timestring[BUFSIZ];
-- char fill;
-+ char timestring[BUFSIZ], fill = ' ';
-
-- fill = ' ';
-- if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv,
-- timestring,
-- timestamp_width+1,
-- &fill)) {
-+ if (!krb5_timestamp_to_sfstring(ts, timestring, timestamp_width + 1,
-+ &fill))
- printf("%s", timestring);
-- }
- }
-
- static void
-diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
-index a0736f2da..236313b7b 100644
---- a/src/clients/ksu/ccache.c
-+++ b/src/clients/ksu/ccache.c
-@@ -278,11 +278,11 @@ krb5_error_code krb5_check_exp(context, tkt_time)
- context->clockskew);
-
- fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n",
-- (currenttime - tkt_time.endtime ));
-+ ts_delta(currenttime, tkt_time.endtime));
-
- }
-
-- if (currenttime - tkt_time.endtime > context->clockskew){
-+ if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) {
- retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;
- return retval;
- }
-@@ -323,21 +323,11 @@ char *flags_string(cred)
- return(buf);
- }
-
--void printtime(tv)
-- time_t tv;
-+void printtime(krb5_timestamp ts)
- {
-- char fmtbuf[18];
-- char fill;
-- krb5_timestamp tstamp;
-+ char fmtbuf[18], fill = ' ';
-
-- /* XXXX ASSUMES sizeof(krb5_timestamp) >= sizeof(time_t) */
-- (void) localtime((time_t *)&tv);
-- tstamp = tv;
-- fill = ' ';
-- if (!krb5_timestamp_to_sfstring(tstamp,
-- fmtbuf,
-- sizeof(fmtbuf),
-- &fill))
-+ if (!krb5_timestamp_to_sfstring(ts, fmtbuf, sizeof(fmtbuf), &fill))
- printf("%s", fmtbuf);
- }
-
-diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
-index ee8e9d6a0..3bf0bd438 100644
---- a/src/clients/ksu/ksu.h
-+++ b/src/clients/ksu/ksu.h
-@@ -150,7 +150,7 @@ extern krb5_boolean krb5_find_princ_in_cred_list
- extern krb5_error_code krb5_find_princ_in_cache
- (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *);
-
--extern void printtime (time_t);
-+extern void printtime (krb5_timestamp);
-
- /* authorization.c */
- extern krb5_boolean fowner (FILE *, uid_t);
-diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y
-index 4f0c56f7e..0a19c5648 100644
---- a/src/kadmin/cli/getdate.y
-+++ b/src/kadmin/cli/getdate.y
-@@ -118,7 +118,7 @@ static int getdate_yyerror (char *);
-
-
- #define EPOCH 1970
--#define EPOCH_END 2038 /* assumes 32 bits */
-+#define EPOCH_END 2106 /* assumes unsigned 32-bit range */
- #define HOUR(x) ((time_t)(x) * 60)
- #define SECSPERDAY (24L * 60L * 60L)
-
-diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
-index c53c677a8..aee5c83b9 100644
---- a/src/kadmin/cli/kadmin.c
-+++ b/src/kadmin/cli/kadmin.c
-@@ -31,8 +31,7 @@
- * library */
-
- /* for "_" macro */
--#include "k5-platform.h"
--#include <krb5.h>
-+#include "k5-int.h"
- #include <kadm5/admin.h>
- #include <adm_proto.h>
- #include <errno.h>
-@@ -144,8 +143,8 @@ strdate(krb5_timestamp when)
- {
- struct tm *tm;
- static char out[40];
-+ time_t lcltim = ts2tt(when);
-
-- time_t lcltim = when;
- tm = localtime(&lcltim);
- strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
- return out;
-diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index cad53cfbf..a6fc4ea77 100644
---- a/src/kadmin/dbutil/dump.c
-+++ b/src/kadmin/dbutil/dump.c
-@@ -379,11 +379,12 @@ k5beta7_common(krb5_context context, krb5_db_entry *entry,
- fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len,
- (unsigned long)strlen(name), counter, (int)entry->n_key_data,
- (int)entry->e_length, name);
-- fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes,
-- entry->max_life, entry->max_renewable_life, entry->expiration,
-- entry->pw_expiration,
-- omit_nra ? 0 : entry->last_success,
-- omit_nra ? 0 : entry->last_failed,
-+ fprintf(fp, "%d\t%d\t%d\t%u\t%u\t%u\t%u\t%d", entry->attributes,
-+ entry->max_life, entry->max_renewable_life,
-+ (unsigned int)entry->expiration,
-+ (unsigned int)entry->pw_expiration,
-+ (unsigned int)(omit_nra ? 0 : entry->last_success),
-+ (unsigned int)(omit_nra ? 0 : entry->last_failed),
- omit_nra ? 0 : entry->fail_auth_count);
-
- /* Write out tagged data. */
-@@ -717,7 +718,7 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- {
- int retval, nread, i, j;
- krb5_db_entry *dbentry;
-- int t1, t2, t3, t4, t5, t6, t7;
-+ int t1, t2, t3, t4;
- unsigned int u1, u2, u3, u4, u5;
- char *name = NULL;
- krb5_key_data *kp = NULL, *kd;
-@@ -773,8 +774,8 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- }
-
- /* Get the fixed principal attributes */
-- nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
-- &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1);
-+ nread = fscanf(filep, "%d\t%d\t%d\t%u\t%u\t%d\t%d\t%d\t",
-+ &t1, &t2, &t3, &u1, &u2, &u3, &u4, &u5);
- if (nread != 8) {
- load_err(fname, *linenop, _("cannot read principal attributes"));
- goto fail;
-@@ -782,11 +783,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,
- dbentry->attributes = t1;
- dbentry->max_life = t2;
- dbentry->max_renewable_life = t3;
-- dbentry->expiration = t4;
-- dbentry->pw_expiration = t5;
-- dbentry->last_success = t6;
-- dbentry->last_failed = t7;
-- dbentry->fail_auth_count = u1;
-+ dbentry->expiration = u1;
-+ dbentry->pw_expiration = u2;
-+ dbentry->last_success = u3;
-+ dbentry->last_failed = u4;
-+ dbentry->fail_auth_count = u5;
- dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
- KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
- KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
-diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
-index 7df8cbc83..2efe3176e 100644
---- a/src/kadmin/dbutil/kdb5_mkey.c
-+++ b/src/kadmin/dbutil/kdb5_mkey.c
-@@ -44,8 +44,8 @@ static char *strdate(krb5_timestamp when)
- {
- struct tm *tm;
- static char out[40];
-+ time_t lcltim = ts2tt(when);
-
-- time_t lcltim = when;
- tm = localtime(&lcltim);
- strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);
- return out;
-@@ -481,7 +481,7 @@ kdb5_use_mkey(int argc, char *argv[])
- cur_actkvno != NULL;
- prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
-
-- if (new_actkvno->act_time < cur_actkvno->act_time) {
-+ if (ts_after(cur_actkvno->act_time, new_actkvno->act_time)) {
- if (prev_actkvno) {
- prev_actkvno->next = new_actkvno;
- new_actkvno->next = cur_actkvno;
-@@ -499,7 +499,7 @@ kdb5_use_mkey(int argc, char *argv[])
- }
- }
-
-- if (actkvno_list->act_time > now) {
-+ if (ts_after(actkvno_list->act_time, now)) {
- com_err(progname, EINVAL,
- _("there must be one master key currently active"));
- exit_status++;
-diff --git a/src/kadmin/dbutil/tabdump.c b/src/kadmin/dbutil/tabdump.c
-index 69a3482ec..fb36b060a 100644
---- a/src/kadmin/dbutil/tabdump.c
-+++ b/src/kadmin/dbutil/tabdump.c
-@@ -148,7 +148,7 @@ write_date_iso(struct rec_args *args, krb5_timestamp when)
- struct tm *tm = NULL;
- struct rechandle *h = args->rh;
-
-- t = when;
-+ t = ts2tt(when);
- tm = gmtime(&t);
- if (tm == NULL) {
- errno = EINVAL;
-diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
-index a4997c60c..9dde579ef 100644
---- a/src/kadmin/testing/util/tcl_kadm5.c
-+++ b/src/kadmin/testing/util/tcl_kadm5.c
-@@ -697,13 +697,13 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- } else
- Tcl_DStringAppendElement(str, "null");
-
-- sprintf(buf, "%d", princ->princ_expire_time);
-+ sprintf(buf, "%u", (unsigned int)princ->princ_expire_time);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_pwd_change);
-+ sprintf(buf, "%u", (unsigned int)princ->last_pwd_change);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->pw_expiration);
-+ sprintf(buf, "%u", (unsigned int)princ->pw_expiration);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->max_life);
-@@ -722,7 +722,7 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- } else
- Tcl_DStringAppendElement(str, "null");
-
-- sprintf(buf, "%d", princ->mod_date);
-+ sprintf(buf, "%u", (unsigned int)princ->mod_date);
- Tcl_DStringAppendElement(str, buf);
-
- if (mask & KADM5_ATTRIBUTES) {
-@@ -758,10 +758,10 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,
- sprintf(buf, "%d", princ->max_renewable_life);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_success);
-+ sprintf(buf, "%u", (unsigned int)princ->last_success);
- Tcl_DStringAppendElement(str, buf);
-
-- sprintf(buf, "%d", princ->last_failed);
-+ sprintf(buf, "%u", (unsigned int)princ->last_failed);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->fail_auth_count);
-diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
-index a4bf91b1b..f85da6da6 100644
---- a/src/kdc/do_as_req.c
-+++ b/src/kdc/do_as_req.c
-@@ -87,7 +87,7 @@ get_key_exp(krb5_db_entry *entry)
- return entry->pw_expiration;
- if (entry->pw_expiration == 0)
- return entry->expiration;
-- return min(entry->expiration, entry->pw_expiration);
-+ return ts_min(entry->expiration, entry->pw_expiration);
- }
-
- /*
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 339259fd1..ac5864603 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -500,12 +500,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
-
- old_starttime = enc_tkt_reply.times.starttime ?
- enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
-- old_life = enc_tkt_reply.times.endtime - old_starttime;
-+ old_life = ts_delta(enc_tkt_reply.times.endtime, old_starttime);
-
- enc_tkt_reply.times.starttime = kdc_time;
- enc_tkt_reply.times.endtime =
-- min(header_ticket->enc_part2->times.renew_till,
-- kdc_time + old_life);
-+ ts_min(header_ticket->enc_part2->times.renew_till,
-+ ts_incr(kdc_time, old_life));
- } else {
- /* not a renew request */
- enc_tkt_reply.times.starttime = kdc_time;
-diff --git a/src/kdc/extern.c b/src/kdc/extern.c
-index fe627494b..84b5c6ad5 100644
---- a/src/kdc/extern.c
-+++ b/src/kdc/extern.c
-@@ -37,6 +37,8 @@
- kdc_realm_t **kdc_realmlist = (kdc_realm_t **) NULL;
- int kdc_numrealms = 0;
- krb5_data empty_string = {0, 0, ""};
--krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
- krb5_keyblock psr_key;
- krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
-+
-+/* With ts_after(), this is the largest timestamp value. */
-+krb5_timestamp kdc_infinity = -1;
-diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
-index 9df940219..e05107ef3 100644
---- a/src/kdc/fast_util.c
-+++ b/src/kdc/fast_util.c
-@@ -607,7 +607,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
- ret = krb5_timeofday(context, &now);
- if (ret)
- goto cleanup;
-- if (now - COOKIE_LIFETIME > cookie->time) {
-+ if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) {
- /* Don't accept the cookie contents. Only return an error if the
- * cookie is relevant to the request. */
- if (is_relevant(cookie->data, req->padata))
-@@ -700,7 +700,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
- ret = krb5_timeofday(context, &now);
- if (ret)
- goto cleanup;
-- cookie.time = now;
-+ cookie.time = ts2tt(now);
- cookie.data = contents;
- ret = encode_krb5_secure_cookie(&cookie, &der_cookie);
- if (ret)
-diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c
-index 94a2a1c87..c044a3553 100644
---- a/src/kdc/kdc_log.c
-+++ b/src/kdc/kdc_log.c
-@@ -79,9 +79,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,
- /* success */
- char rep_etypestr[128];
- rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);
-- krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %d, %s, "
-+ krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "
- "%s for %s"),
-- ktypestr, fromstring, authtime,
-+ ktypestr, fromstring, (unsigned int)authtime,
- rep_etypestr, cname2, sname2);
- } else {
- /* fail */
-@@ -156,10 +156,10 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
- name (useful), and doesn't log ktypestr (probably not
- important). */
- if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {
-- krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %d, %s%s "
-+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "
- "%s for %s%s%s"),
-- ktypestr, fromstring, status, authtime, rep_etypestr,
-- !errcode ? "," : "", logcname, logsname,
-+ ktypestr, fromstring, status, (unsigned int)authtime,
-+ rep_etypestr, !errcode ? "," : "", logcname, logsname,
- errcode ? ", " : "", errcode ? emsg : "");
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
- krb5_klog_syslog(LOG_INFO,
-@@ -171,9 +171,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,
- logaltcname);
-
- } else
-- krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %d, %s for %s, "
-+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, "
- "2nd tkt client %s"),
-- fromstring, status, authtime,
-+ fromstring, status, (unsigned int)authtime,
- logcname, logsname, logaltcname);
-
- /* OpenSolaris: audit_krb5kdc_tgs_req(...) or
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 30c501c67..b710aefe4 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -654,7 +654,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- }
-
- /* The client must not be expired */
-- if (client.expiration && client.expiration < kdc_time) {
-+ if (client.expiration && ts_after(kdc_time, client.expiration)) {
- *status = "CLIENT EXPIRED";
- if (vague_errors)
- return(KRB_ERR_GENERIC);
-@@ -664,7 +664,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
-
- /* The client's password must not be expired, unless the server is
- a KRB5_KDC_PWCHANGE_SERVICE. */
-- if (client.pw_expiration && client.pw_expiration < kdc_time &&
-+ if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) &&
- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
- *status = "CLIENT KEY EXPIRED";
- if (vague_errors)
-@@ -674,7 +674,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
- }
-
- /* The server must not be expired */
-- if (server.expiration && server.expiration < kdc_time) {
-+ if (server.expiration && ts_after(kdc_time, server.expiration)) {
- *status = "SERVICE EXPIRED";
- return(KDC_ERR_SERVICE_EXP);
- }
-@@ -1771,9 +1771,9 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- if (till == 0)
- till = kdc_infinity;
-
-- until = min(till, endtime);
-+ until = ts_min(till, endtime);
-
-- life = until - starttime;
-+ life = ts_delta(until, starttime);
-
- if (client != NULL && client->max_life != 0)
- life = min(life, client->max_life);
-@@ -1782,7 +1782,7 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
- if (kdc_active_realm->realm_maxlife != 0)
- life = min(life, kdc_active_realm->realm_maxlife);
-
-- *out_endtime = starttime + life;
-+ *out_endtime = ts_incr(starttime, life);
- }
-
- /*
-@@ -1812,22 +1812,22 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,
- if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE))
- rtime = request->rtime ? request->rtime : kdc_infinity;
- else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
-- tkt->times.endtime < request->till)
-+ ts_after(request->till, tkt->times.endtime))
- rtime = request->till;
- else
- return;
-
- /* Truncate it to the allowable renewable time. */
- if (tgt != NULL)
-- rtime = min(rtime, tgt->times.renew_till);
-+ rtime = ts_min(rtime, tgt->times.renew_till);
- max_rlife = min(server->max_renewable_life, realm->realm_maxrlife);
- if (client != NULL)
- max_rlife = min(max_rlife, client->max_renewable_life);
-- rtime = min(rtime, tkt->times.starttime + max_rlife);
-+ rtime = ts_min(rtime, ts_incr(tkt->times.starttime, max_rlife));
-
- /* Make the ticket renewable if the truncated requested time is larger than
- * the ticket end time. */
-- if (rtime > tkt->times.endtime) {
-+ if (ts_after(rtime, tkt->times.endtime)) {
- setflag(tkt->flags, TKT_FLG_RENEWABLE);
- tkt->times.renew_till = rtime;
- }
-diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
-index bcf05fc27..672f94380 100644
---- a/src/kdc/kdc_util.h
-+++ b/src/kdc/kdc_util.h
-@@ -452,6 +452,8 @@ struct krb5_kdcpreauth_rock_st {
- #define max(a, b) ((a) > (b) ? (a) : (b))
- #endif
-
-+#define ts_min(a, b) (ts_after(a, b) ? (b) : (a))
-+
- #define ADDRTYPE2FAMILY(X) \
- ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
-
-diff --git a/src/kdc/replay.c b/src/kdc/replay.c
-index 8da7ac19a..fab39cf88 100644
---- a/src/kdc/replay.c
-+++ b/src/kdc/replay.c
-@@ -61,7 +61,7 @@ static size_t total_size = 0;
- static krb5_ui_4 seed;
-
- #define STALE_TIME (2*60) /* two minutes */
--#define STALE(ptr, now) (abs((ptr)->timein - (now)) >= STALE_TIME)
-+#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME)
-
- /* Return x rotated to the left by r bits. */
- static inline krb5_ui_4
-diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
-index a30cacc66..d0f25d1b7 100644
---- a/src/kdc/tgs_policy.c
-+++ b/src/kdc/tgs_policy.c
-@@ -186,7 +186,7 @@ static int
- check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,
- krb5_timestamp kdc_time, const char **status)
- {
-- if (server.expiration && server.expiration < kdc_time) {
-+ if (server.expiration && ts_after(kdc_time, server.expiration)) {
- *status = "SERVICE EXPIRED";
- return KDC_ERR_SERVICE_EXP;
- }
-@@ -222,7 +222,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
- KDC time. */
- if (req->kdc_options & KDC_OPT_VALIDATE) {
- starttime = times->starttime ? times->starttime : times->authtime;
-- if (starttime > kdc_time) {
-+ if (ts_after(starttime, kdc_time)) {
- *status = "NOT_YET_VALID";
- return KRB_AP_ERR_TKT_NYV;
- }
-@@ -231,7 +231,8 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,
- * Check the renew_till time. The endtime was already
- * been checked in the initial authentication check.
- */
-- if ((req->kdc_options & KDC_OPT_RENEW) && times->renew_till < kdc_time) {
-+ if ((req->kdc_options & KDC_OPT_RENEW) &&
-+ ts_after(kdc_time, times->renew_till)) {
- *status = "TKT_EXPIRED";
- return KRB_AP_ERR_TKT_EXPIRED;
- }
-diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
-index 580d08cbf..06967aa27 100644
---- a/src/lib/gssapi/krb5/accept_sec_context.c
-+++ b/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -351,8 +351,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,
- if (mech_type)
- *mech_type = ctx->mech_used;
-
-- if (time_rec)
-- *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;
-+ if (time_rec) {
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now) +
-+ ctx->k5_context->clockskew;
-+ }
-
- /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential
- * delegation yet. */
-@@ -1146,7 +1148,7 @@ kg_accept_krb5(minor_status, context_handle,
- /* Add the maximum allowable clock skew as a grace period for context
- * expiration, just as we do for the ticket. */
- if (time_rec)
-- *time_rec = ctx->krb_times.endtime + context->clockskew - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;
-
- if (ret_flags)
- *ret_flags = ctx->gss_flags;
-diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
-index 03ee25ec1..362ba9d86 100644
---- a/src/lib/gssapi/krb5/acquire_cred.c
-+++ b/src/lib/gssapi/krb5/acquire_cred.c
-@@ -550,7 +550,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
- char buf[128];
- krb5_data d;
-
-- snprintf(buf, sizeof(buf), "%ld", (long)refresh_time);
-+ snprintf(buf, sizeof(buf), "%u", (unsigned int)ts2tt(refresh_time));
- d = string2data(buf);
- (void)krb5_cc_set_config(context, ccache, NULL, KRB5_CC_CONF_REFRESH_TIME,
- &d);
-@@ -566,8 +566,9 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
-
- if (krb5_timeofday(context, &now))
- return FALSE;
-- if (cred->refresh_time != 0 && now >= cred->refresh_time) {
-- set_refresh_time(context, cred->ccache, cred->refresh_time + 30);
-+ if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
-+ set_refresh_time(context, cred->ccache,
-+ ts_incr(cred->refresh_time, 30));
- return TRUE;
- }
- return FALSE;
-@@ -586,7 +587,8 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,
- return;
-
- /* Make a note to refresh these when they are halfway to expired. */
-- refresh = times->starttime + (times->endtime - times->starttime) / 2;
-+ refresh = ts_incr(times->starttime,
-+ ts_delta(times->endtime, times->starttime) / 2);
- set_refresh_time(context, cred->ccache, refresh);
- }
-
-@@ -848,7 +850,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
- GSS_C_NO_NAME);
- if (GSS_ERROR(ret))
- goto error_out;
-- *time_rec = (cred->expire > now) ? (cred->expire - now) : 0;
-+ *time_rec = ts_after(cred->expire, now) ?
-+ ts_delta(cred->expire, now) : 0;
- k5_mutex_unlock(&cred->lock);
- }
- }
-diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c
-index 450593288..1fdb5a16f 100644
---- a/src/lib/gssapi/krb5/context_time.c
-+++ b/src/lib/gssapi/krb5/context_time.c
-@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)
- return(GSS_S_FAILURE);
- }
-
-- lifetime = ctx->krb_times.endtime - now;
-+ lifetime = ts_delta(ctx->krb_times.endtime, now);
- if (!ctx->initiate)
- lifetime += ctx->k5_context->clockskew;
- if (lifetime <= 0) {
-diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c
-index 652b2604b..8054e4a77 100644
---- a/src/lib/gssapi/krb5/export_cred.c
-+++ b/src/lib/gssapi/krb5/export_cred.c
-@@ -410,10 +410,11 @@ json_kgcred(krb5_context context, krb5_gss_cred_id_t cred,
- if (ret)
- goto cleanup;
-
-- ret = k5_json_array_fmt(&array, "ivvbbvvvvbiivs", cred->usage, name, imp,
-+ ret = k5_json_array_fmt(&array, "ivvbbvvvvbLLvs", cred->usage, name, imp,
- cred->default_identity, cred->iakerb_mech, keytab,
- rcache, ccache, ckeytab, cred->have_tgt,
-- cred->expire, cred->refresh_time, etypes,
-+ (long long)ts2tt(cred->expire),
-+ (long long)ts2tt(cred->refresh_time), etypes,
- cred->password);
- if (ret)
- goto cleanup;
-diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
-index 2dc4d0c1a..bb1072fe4 100644
---- a/src/lib/gssapi/krb5/iakerb.c
-+++ b/src/lib/gssapi/krb5/iakerb.c
-@@ -494,7 +494,7 @@ iakerb_tkt_creds_ctx(iakerb_ctx_id_t ctx,
- if (code != 0)
- goto cleanup;
-
-- creds.times.endtime = now + time_req;
-+ creds.times.endtime = ts_incr(now, time_req);
- }
-
- if (cred->name->ad_context != NULL) {
-@@ -669,7 +669,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
- if (code != 0)
- goto cleanup;
-
-- in_creds.times.endtime = now + time_req;
-+ in_creds.times.endtime = ts_incr(now, time_req);
- }
-
- /* Make an AS request if we have no creds or it's time to refresh them. */
-diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
-index 2a7467f54..1be1b5878 100644
---- a/src/lib/gssapi/krb5/init_sec_context.c
-+++ b/src/lib/gssapi/krb5/init_sec_context.c
-@@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
- * boundaries) because accept_sec_context code is also similarly
- * non-forgiving.
- */
-- if (!krb5_gss_dbg_client_expcreds && result_creds->times.endtime < now) {
-+ if (!krb5_gss_dbg_client_expcreds &&
-+ ts_after(now, result_creds->times.endtime)) {
- code = KRB5KRB_AP_ERR_TKT_EXPIRED;
- goto cleanup;
- }
-@@ -573,7 +574,7 @@ kg_new_connection(
- if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
- ctx->krb_times.endtime = 0;
- } else {
-- ctx->krb_times.endtime = now + time_req;
-+ ctx->krb_times.endtime = ts_incr(now, time_req);
- }
-
- if ((code = kg_duplicate_name(context, cred->name, &ctx->here)))
-@@ -657,7 +658,7 @@ kg_new_connection(
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto cleanup;
-- *time_rec = ctx->krb_times.endtime - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now);
- }
-
- /* set the other returns */
-@@ -871,7 +872,7 @@ mutual_auth(
- if (time_rec) {
- if ((code = krb5_timeofday(context, &now)))
- goto fail;
-- *time_rec = ctx->krb_times.endtime - now;
-+ *time_rec = ts_delta(ctx->krb_times.endtime, now);
- }
-
- if (ret_flags)
-diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
-index d2e466e60..cac024da1 100644
---- a/src/lib/gssapi/krb5/inq_context.c
-+++ b/src/lib/gssapi/krb5/inq_context.c
-@@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
-
- /* Add the maximum allowable clock skew as a grace period for context
- * expiration, just as we do for the ticket during authentication. */
-- lifetime = ctx->krb_times.endtime - now;
-+ lifetime = ts_delta(ctx->krb_times.endtime, now);
- if (!ctx->initiate)
- lifetime += context->clockskew;
- if (lifetime < 0)
-diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
-index 4e35a0563..e662ae53a 100644
---- a/src/lib/gssapi/krb5/inq_cred.c
-+++ b/src/lib/gssapi/krb5/inq_cred.c
-@@ -130,8 +130,9 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
- goto fail;
- }
-
-- if (cred->expire > 0) {
-- if ((lifetime = cred->expire - now) < 0)
-+ if (cred->expire != 0) {
-+ lifetime = ts_delta(cred->expire, now);
-+ if (lifetime < 0)
- lifetime = 0;
- }
- else
-diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
-index ff1c310bc..10848c1df 100644
---- a/src/lib/gssapi/krb5/s4u_gss_glue.c
-+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
-@@ -284,7 +284,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
- if (code != 0)
- goto cleanup;
-
-- *time_rec = cred->expire - now;
-+ *time_rec = ts_delta(cred->expire, now);
- }
-
- major_status = GSS_S_COMPLETE;
-diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
-index 408b0eb31..1680a5504 100644
---- a/src/lib/kadm5/chpass_util.c
-+++ b/src/lib/kadm5/chpass_util.c
-@@ -4,15 +4,11 @@
- */
-
-
--#include "autoconf.h"
--#include <stdio.h>
--#include <time.h>
--#include <string.h>
-+#include "k5-int.h"
-
- #include <kadm5/admin.h>
- #include "admin_internal.h"
-
--#include <krb5.h>
-
- #define string_text error_message
-
-@@ -218,7 +214,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
- time_t until;
- char *time_string, *ptr;
-
-- until = princ_ent.last_pwd_change + policy_ent.pw_min_life;
-+ until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life);
-
- time_string = ctime(&until);
- if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
-diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
-index 3c2844d14..c4bb16dc7 100644
---- a/src/lib/kadm5/srv/server_acl.c
-+++ b/src/lib/kadm5/srv/server_acl.c
-@@ -408,13 +408,14 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
- }
- if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
- if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
-- || (recp->princ_expire_time > (now + rp->princ_lifetime)))
-+ || ts_after(recp->princ_expire_time,
-+ ts_incr(now, rp->princ_lifetime)))
- recp->princ_expire_time = now + rp->princ_lifetime;
- *maskp |= KADM5_PRINC_EXPIRE_TIME;
- }
- if (rp->mask & KADM5_PW_EXPIRATION) {
- if (!(*maskp & KADM5_PW_EXPIRATION)
-- || (recp->pw_expiration > (now + rp->pw_lifetime)))
-+ || ts_after(recp->pw_expiration, ts_incr(now, rp->pw_lifetime)))
- recp->pw_expiration = now + rp->pw_lifetime;
- *maskp |= KADM5_PW_EXPIRATION;
- }
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 8f4da0e52..137e1fb64 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
- kdb->pw_expiration = 0;
- if (have_polent) {
- if(polent.pw_max_life)
-- kdb->pw_expiration = now + polent.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
- else
- kdb->pw_expiration = 0;
- }
-@@ -612,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
- &(kdb->pw_expiration));
- if (ret)
- goto done;
-- kdb->pw_expiration += pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
- } else {
- kdb->pw_expiration = 0;
- }
-@@ -1445,7 +1445,7 @@ kadm5_chpass_principal_3(void *server_handle,
- }
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -1624,7 +1624,7 @@ kadm5_randkey_principal_3(void *server_handle,
- #endif
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -1774,7 +1774,7 @@ kadm5_setv4key_principal(void *server_handle,
- #endif
-
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-@@ -2027,7 +2027,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
- }
- if (have_pol) {
- if (pol.pw_max_life)
-- kdb->pw_expiration = now + pol.pw_max_life;
-+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
-diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
-index 690725765..07392572e 100644
---- a/src/lib/kdb/kdb5.c
-+++ b/src/lib/kdb/kdb5.c
-@@ -1297,7 +1297,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now)
- * are in the future, we will return the first node; if all are in the
- * past, we will return the last node.
- */
-- while (list->next != NULL && list->next->act_time <= now)
-+ while (list->next != NULL && !ts_after(list->next->act_time, now))
- list = list->next;
- return list->act_kvno;
- }
-diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
-index a827ca608..889460989 100644
---- a/src/lib/krb5/asn.1/asn1_k_encode.c
-+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
-@@ -158,8 +158,7 @@ static asn1_error_code
- encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag,
- size_t *len_out)
- {
-- /* Range checking for time_t vs krb5_timestamp? */
-- time_t val = *(krb5_timestamp *)p;
-+ time_t val = ts2tt(*(krb5_timestamp *)p);
- rettag->asn1class = UNIVERSAL;
- rettag->construction = PRIMITIVE;
- rettag->tagnum = ASN1_GENERALTIME;
-diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
-index 4fe3f0d6f..fba710b1b 100644
---- a/src/lib/krb5/ccache/cc_keyring.c
-+++ b/src/lib/krb5/ccache/cc_keyring.c
-@@ -751,7 +751,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
- for (;;) {
- if (krcc_next_cred(context, id, &cursor, &creds) != 0)
- break;
-- if (creds.times.endtime > endtime)
-+ if (ts_after(creds.times.endtime, endtime))
- endtime = creds.times.endtime;
- krb5_free_cred_contents(context, &creds);
- }
-@@ -765,7 +765,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id)
-
- /* Setting the timeout to zero would reset the timeout, so we set it to one
- * second instead if creds are already expired. */
-- timeout = (endtime > now) ? endtime - now : 1;
-+ timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1;
- (void)keyctl_set_timeout(data->cache_id, timeout);
- }
-
-@@ -1316,8 +1316,10 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
- if (ret)
- goto errout;
-
-- if (creds->times.endtime > now)
-- (void)keyctl_set_timeout(cred_key, creds->times.endtime - now);
-+ if (ts_after(creds->times.endtime, now)) {
-+ (void)keyctl_set_timeout(cred_key,
-+ ts_delta(creds->times.endtime, now));
-+ }
-
- update_keyring_expiration(context, id);
-
-@@ -1680,8 +1682,8 @@ static void
- krcc_update_change_time(krcc_data *data)
- {
- krb5_timestamp now_time = time(NULL);
-- data->changetime = (data->changetime >= now_time) ?
-- data->changetime + 1 : now_time;
-+ data->changetime = ts_after(now_time, data->changetime) ?
-+ now_time : ts_incr(data->changetime, 1);
- }
-
- /*
-diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
-index 0354575c5..c5425eb3a 100644
---- a/src/lib/krb5/ccache/cc_memory.c
-+++ b/src/lib/krb5/ccache/cc_memory.c
-@@ -720,8 +720,8 @@ static void
- update_mcc_change_time(krb5_mcc_data *d)
- {
- krb5_timestamp now_time = time(NULL);
-- d->changetime = (d->changetime >= now_time) ?
-- d->changetime + 1 : now_time;
-+ d->changetime = ts_after(now_time, d->changetime) ?
-+ now_time : ts_incr(d->changetime, 1);
- }
-
- static krb5_error_code KRB5_CALLCONV
-diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
-index 1314d24bd..1a32e00c8 100644
---- a/src/lib/krb5/ccache/cc_retr.c
-+++ b/src/lib/krb5/ccache/cc_retr.c
-@@ -46,11 +46,11 @@ static krb5_boolean
- times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
- {
- if (t1->renew_till) {
-- if (t1->renew_till > t2->renew_till)
-+ if (ts_after(t1->renew_till, t2->renew_till))
- return FALSE; /* this one expires too late */
- }
- if (t1->endtime) {
-- if (t1->endtime > t2->endtime)
-+ if (ts_after(t1->endtime, t2->endtime))
- return FALSE; /* this one expires too late */
- }
- /* only care about expiration on a times_match */
-diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
-index 9f44af3d0..6092ee432 100644
---- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
-+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
-@@ -16,8 +16,8 @@
- #include <malloc.h>
- #endif
-
-+#include "k5-int.h"
- #include "stdcc_util.h"
--#include "krb5.h"
- #ifdef _WIN32 /* it's part of krb5.h everywhere else */
- #include "kv5m_err.h"
- #endif
-@@ -321,10 +321,10 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
- keyblock_contents = NULL;
-
- /* copy times */
-- out_creds->times.authtime = cv5->authtime + offset_seconds;
-- out_creds->times.starttime = cv5->starttime + offset_seconds;
-- out_creds->times.endtime = cv5->endtime + offset_seconds;
-- out_creds->times.renew_till = cv5->renew_till + offset_seconds;
-+ out_creds->times.authtime = ts_incr(cv5->authtime, offset_seconds);
-+ out_creds->times.starttime = ts_incr(cv5->starttime, offset_seconds);
-+ out_creds->times.endtime = ts_incr(cv5->endtime, offset_seconds);
-+ out_creds->times.renew_till = ts_incr(cv5->renew_till, offset_seconds);
- out_creds->is_skey = cv5->is_skey;
- out_creds->ticket_flags = cv5->ticket_flags;
-
-@@ -451,11 +451,11 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
- cv5->keyblock.data = keyblock_data;
- keyblock_data = NULL;
-
-- cv5->authtime = in_creds->times.authtime - offset_seconds;
-- cv5->starttime = in_creds->times.starttime - offset_seconds;
-- cv5->endtime = in_creds->times.endtime - offset_seconds;
-- cv5->renew_till = in_creds->times.renew_till - offset_seconds;
-- cv5->is_skey = in_creds->is_skey;
-+ cv5->authtime = ts_incr(in_creds->times.authtime, -offset_seconds);
-+ cv5->starttime = ts_incr(in_creds->times.starttime, -offset_seconds);
-+ cv5->endtime = ts_incr(in_creds->times.endtime, -offset_seconds);
-+ cv5->renew_till = ts_incr(in_creds->times.renew_till, -offset_seconds);
-+ cv5->is_skey = in_creds->is_skey;
- cv5->ticket_flags = in_creds->ticket_flags;
-
- if (in_creds->ticket.data) {
-@@ -732,10 +732,10 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest)
- err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
- if (err) return;
- #endif
-- dest->times.authtime = src->authtime + offset_seconds;
-- dest->times.starttime = src->starttime + offset_seconds;
-- dest->times.endtime = src->endtime + offset_seconds;
-- dest->times.renew_till = src->renew_till + offset_seconds;
-+ dest->times.authtime = ts_incr(src->authtime, offset_seconds);
-+ dest->times.starttime = ts_incr(src->starttime, offset_seconds);
-+ dest->times.endtime = ts_incr(src->endtime, offset_seconds);
-+ dest->times.renew_till = ts_incr(src->renew_till, offset_seconds);
- dest->is_skey = src->is_skey;
- dest->ticket_flags = src->ticket_flags;
-
-@@ -804,10 +804,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
- err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
- if (err) return;
- #endif
-- c->authtime = creds->times.authtime - offset_seconds;
-- c->starttime = creds->times.starttime - offset_seconds;
-- c->endtime = creds->times.endtime - offset_seconds;
-- c->renew_till = creds->times.renew_till - offset_seconds;
-+ c->authtime = ts_incr(creds->times.authtime, -offset_seconds);
-+ c->starttime = ts_incr(creds->times.starttime, -offset_seconds);
-+ c->endtime = ts_incr(creds->times.endtime, -offset_seconds);
-+ c->renew_till = ts_incr(creds->times.renew_till, -offset_seconds);
- c->is_skey = creds->is_skey;
- c->ticket_flags = creds->ticket_flags;
-
-@@ -925,11 +925,11 @@ times_match(t1, t2)
- register const krb5_ticket_times *t2;
- {
- if (t1->renew_till) {
-- if (t1->renew_till > t2->renew_till)
-+ if (ts_after(t1->renew_till, t2->renew_till))
- return FALSE; /* this one expires too late */
- }
- if (t1->endtime) {
-- if (t1->endtime > t2->endtime)
-+ if (ts_after(t1->endtime, t2->endtime))
- return FALSE; /* this one expires too late */
- }
- /* only care about expiration on a times_match */
-diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
-index c31a3f5f0..e631f2051 100644
---- a/src/lib/krb5/ccache/cccursor.c
-+++ b/src/lib/krb5/ccache/cccursor.c
-@@ -159,7 +159,7 @@ krb5_cccol_last_change_time(krb5_context context,
- ret = krb5_cccol_cursor_next(context, c, &ccache);
- if (ccache) {
- ret = krb5_cc_last_change_time(context, ccache, &last_time);
-- if (!ret && last_time > max_change_time) {
-+ if (!ret && ts_after(last_time, max_change_time)) {
- max_change_time = last_time;
- }
- ret = 0;
-diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index 674d88bab..76efb71c6 100644
---- a/src/lib/krb5/keytab/kt_file.c
-+++ b/src/lib/krb5/keytab/kt_file.c
-@@ -264,9 +264,11 @@ more_recent(const krb5_keytab_entry *k1, const krb5_keytab_entry *k2)
- * limitations (8-bit kvno storage), pre-1.14 kadmin protocol limitations
- * (8-bit kvno marshalling), or KDB limitations (16-bit kvno storage).
- */
-- if (k1->timestamp >= k2->timestamp && k1->vno < 128 && k2->vno > 240)
-+ if (!ts_after(k2->timestamp, k1->timestamp) &&
-+ k1->vno < 128 && k2->vno > 240)
- return TRUE;
-- if (k1->timestamp <= k2->timestamp && k1->vno > 240 && k2->vno < 128)
-+ if (!ts_after(k1->timestamp, k2->timestamp) &&
-+ k1->vno > 240 && k2->vno < 128)
- return FALSE;
-
- /* Otherwise do a simple version comparison. */
-diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
-index c85d8b8d8..cf1ea361f 100644
---- a/src/lib/krb5/krb/gc_via_tkt.c
-+++ b/src/lib/krb5/krb/gc_via_tkt.c
-@@ -287,18 +287,19 @@ krb5int_process_tgs_reply(krb5_context context,
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((in_cred->times.endtime != 0) &&
-- (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
-+ ts_after(dec_rep->enc_part2->times.endtime, in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((kdcoptions & KDC_OPT_RENEWABLE) &&
- (in_cred->times.renew_till != 0) &&
-- (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
-+ ts_after(dec_rep->enc_part2->times.renew_till,
-+ in_cred->times.renew_till))
- retval = KRB5_KDCREP_MODIFIED;
-
- if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (in_cred->times.endtime != 0) &&
-- (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
-+ ts_after(dec_rep->enc_part2->times.renew_till, in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
-
- if (retval != 0)
-diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
-index 110abeb2b..be5b2d18c 100644
---- a/src/lib/krb5/krb/get_creds.c
-+++ b/src/lib/krb5/krb/get_creds.c
-@@ -816,7 +816,7 @@ get_cached_local_tgt(krb5_context context, krb5_tkt_creds_context ctx,
- return code;
-
- /* Check if the TGT is expired before bothering the KDC with it. */
-- if (now > tgt->times.endtime) {
-+ if (ts_after(now, tgt->times.endtime)) {
- krb5_free_creds(context, tgt);
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- }
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index a058f5bd7..40aba1905 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -39,24 +39,6 @@ static krb5_error_code sort_krb5_padata_sequence(krb5_context context,
- krb5_data *realm,
- krb5_pa_data **padata);
-
--/*
-- * This function performs 32 bit bounded addition so we can generate
-- * lifetimes without overflowing krb5_int32
-- */
--static krb5_int32
--krb5int_addint32 (krb5_int32 x, krb5_int32 y)
--{
-- if ((x > 0) && (y > (KRB5_INT32_MAX - x))) {
-- /* sum will be be greater than KRB5_INT32_MAX */
-- return KRB5_INT32_MAX;
-- } else if ((x < 0) && (y < (KRB5_INT32_MIN - x))) {
-- /* sum will be less than KRB5_INT32_MIN */
-- return KRB5_INT32_MIN;
-- }
--
-- return x + y;
--}
--
- /*
- * Decrypt the AS reply in ctx, populating ctx->reply->enc_part2. If
- * strengthen_key is not null, combine it with the reply key as specified in
-@@ -267,21 +249,21 @@ verify_as_reply(krb5_context context,
- (request->from != 0) &&
- (request->from != as_reply->enc_part2->times.starttime))
- || ((request->till != 0) &&
-- (as_reply->enc_part2->times.endtime > request->till))
-+ ts_after(as_reply->enc_part2->times.endtime, request->till))
- || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
- (request->rtime != 0) &&
-- (as_reply->enc_part2->times.renew_till > request->rtime))
-+ ts_after(as_reply->enc_part2->times.renew_till, request->rtime))
- || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
- !(request->kdc_options & KDC_OPT_RENEWABLE) &&
- (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request->till != 0) &&
-- (as_reply->enc_part2->times.renew_till > request->till))
-+ ts_after(as_reply->enc_part2->times.renew_till, request->till))
- ) {
- return KRB5_KDCREP_MODIFIED;
- }
-
- if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
-- time_offset = as_reply->enc_part2->times.authtime - time_now;
-+ time_offset = ts_delta(as_reply->enc_part2->times.authtime, time_now);
- retval = krb5_set_time_offsets(context, time_offset, 0);
- if (retval)
- return retval;
-@@ -790,15 +772,15 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx)
- return code;
-
- /* Omit request start time unless the caller explicitly asked for one. */
-- from = krb5int_addint32(now, ctx->start_time);
-+ from = ts_incr(now, ctx->start_time);
- if (ctx->start_time != 0)
- ctx->request->from = from;
-
-- ctx->request->till = krb5int_addint32(from, ctx->tkt_life);
-+ ctx->request->till = ts_incr(from, ctx->tkt_life);
-
- if (ctx->renew_life > 0) {
- /* Don't ask for a smaller renewable time than the lifetime. */
-- ctx->request->rtime = krb5int_addint32(from, ctx->renew_life);
-+ ctx->request->rtime = ts_incr(from, ctx->renew_life);
- if (ctx->request->rtime < ctx->request->till)
- ctx->request->rtime = ctx->request->till;
- ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK;
-@@ -1438,7 +1420,7 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
-
- if (k5_time_with_offset(0, 0, &now, &usec) != 0)
- return;
-- ctx->pa_offset = kdc_time - now;
-+ ctx->pa_offset = ts_delta(kdc_time, now);
- ctx->pa_offset_usec = kdc_usec - usec;
- ctx->pa_offset_state = (ctx->fast_state->armor_key != NULL) ?
- AUTH_OFFSET : UNAUTH_OFFSET;
-@@ -1807,6 +1789,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- {
- int i;
- krb5_int32 starttime;
-+ krb5_deltat lifetime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
-
-@@ -1838,7 +1821,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- if (retval)
- goto cleanup;
- if (creds->times.starttime) starttime = creds->times.starttime;
-- krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
-+ lifetime = ts_delta(creds->times.endtime, starttime);
-+ krb5_get_init_creds_opt_set_tkt_life(opt, lifetime);
- }
- *out = opt;
- return 0;
-diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
-index 6f3a29f2c..3565a7c4c 100644
---- a/src/lib/krb5/krb/gic_pwd.c
-+++ b/src/lib/krb5/krb/gic_pwd.c
-@@ -211,7 +211,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
- if (ret != 0)
- return;
- if (!is_last_req &&
-- (pw_exp < now || (pw_exp - now) > 7 * 24 * 60 * 60))
-+ (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60))
- return;
-
- if (!prompter)
-@@ -221,7 +221,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
- if (ret != 0)
- return;
-
-- delta = pw_exp - now;
-+ delta = ts_delta(pw_exp, now);
- if (delta < 3600) {
- snprintf(banner, sizeof(banner),
- _("Warning: Your password will expire in less than one hour "
-diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
-index 44eca359f..48bd9f8f7 100644
---- a/src/lib/krb5/krb/int-proto.h
-+++ b/src/lib/krb5/krb/int-proto.h
-@@ -84,7 +84,7 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_flags *fields);
-
- #define in_clock_skew(context, date, now) \
-- (labs((date) - (now)) < (context)->clockskew)
-+ (labs(ts_delta(date, now)) < (context)->clockskew)
-
- #define IS_TGS_PRINC(p) ((p)->length == 2 && \
- data_eq_string((p)->data[0], KRB5_TGS_NAME))
-diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
-index 9098927b5..c70585a9e 100644
---- a/src/lib/krb5/krb/pac.c
-+++ b/src/lib/krb5/krb/pac.c
-@@ -378,7 +378,7 @@ k5_time_to_seconds_since_1970(int64_t ntTime, krb5_timestamp *elapsedSeconds)
-
- abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
-
-- if (abstime > KRB5_INT32_MAX)
-+ if (abstime > UINT32_MAX)
- return ERANGE;
-
- *elapsedSeconds = abstime;
-diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
-index 3ab7eacac..f0a2ae20b 100644
---- a/src/lib/krb5/krb/str_conv.c
-+++ b/src/lib/krb5/krb/str_conv.c
-@@ -207,7 +207,7 @@ krb5_error_code KRB5_CALLCONV
- krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
- {
- size_t ret;
-- time_t timestamp2 = timestamp;
-+ time_t timestamp2 = ts2tt(timestamp);
- struct tm tmbuf;
- const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
- the year returned might be two digits */
-@@ -229,7 +229,7 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
- struct tm *tmp;
- size_t i;
- size_t ndone;
-- time_t timestamp2 = timestamp;
-+ time_t timestamp2 = ts2tt(timestamp);
- struct tm tmbuf;
-
- static const char * const sftime_format_table[] = {
-diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
-index 60cfb5b15..74ac14d9a 100644
---- a/src/lib/krb5/krb/t_kerb.c
-+++ b/src/lib/krb5/krb/t_kerb.c
-@@ -5,16 +5,8 @@
- */
-
- #include "autoconf.h"
--#include "krb5.h"
--#include <stdio.h>
--#include <string.h>
--#include <stdlib.h>
--#include <unistd.h>
-+#include "k5-int.h"
- #include <time.h>
--#include <sys/types.h>
--#include <sys/socket.h>
--#include <netinet/in.h>
--#include <arpa/inet.h>
-
- #include "com_err.h"
-
-@@ -37,7 +29,7 @@ test_string_to_timestamp(krb5_context ctx, char *ktime)
- com_err("krb5_string_to_timestamp", retval, 0);
- return;
- }
-- t = (time_t) timestamp;
-+ t = ts2tt(timestamp);
- printf("Parsed time was %s", ctime(&t));
- }
-
-diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
-index d63122183..9e509b2dd 100644
---- a/src/lib/krb5/krb/valid_times.c
-+++ b/src/lib/krb5/krb/valid_times.c
-@@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times)
- else
- starttime = times->authtime;
-
-- if (starttime - currenttime > context->clockskew)
-+ if (ts_delta(starttime, currenttime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
-
-- if ((currenttime - times->endtime) > context->clockskew)
-+ if (ts_delta(currenttime, times->endtime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
-
- return 0;
-diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
-index 9786d63b5..b4878ba38 100644
---- a/src/lib/krb5/krb/vfy_increds.c
-+++ b/src/lib/krb5/krb/vfy_increds.c
-@@ -120,7 +120,7 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
- ret = krb5_timeofday(context, &in_creds.times.endtime);
- if (ret)
- goto cleanup;
-- in_creds.times.endtime += 5*60;
-+ in_creds.times.endtime = ts_incr(in_creds.times.endtime, 5 * 60);
- ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
- if (ret)
- goto cleanup;
-diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
-index fddb12142..887f24c22 100644
---- a/src/lib/krb5/os/timeofday.c
-+++ b/src/lib/krb5/os/timeofday.c
-@@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context context, krb5_timestamp date)
- retval = krb5_timeofday(context, &currenttime);
- if (retval)
- return retval;
-- if (!(labs((date)-currenttime) < context->clockskew))
-+ if (labs(ts_delta(date, currenttime)) >= context->clockskew)
- return KRB5KRB_AP_ERR_SKEW;
-
- return 0;
-diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
-index 456193a41..37bc69f49 100644
---- a/src/lib/krb5/os/toffset.c
-+++ b/src/lib/krb5/os/toffset.c
-@@ -47,7 +47,7 @@ krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 micr
- if (retval)
- return retval;
-
-- os_ctx->time_offset = seconds - sec;
-+ os_ctx->time_offset = ts_delta(seconds, sec);
- os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0;
-
- os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
-diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
-index 056357683..1c1b571eb 100644
---- a/src/lib/krb5/os/ustime.c
-+++ b/src/lib/krb5/os/ustime.c
-@@ -49,13 +49,13 @@ k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
- usec += offset_usec;
- if (usec > 1000000) {
- usec -= 1000000;
-- sec++;
-+ sec = ts_incr(sec, 1);
- }
- if (usec < 0) {
- usec += 1000000;
-- sec--;
-+ sec = ts_incr(sec, -1);
- }
-- sec += offset;
-+ sec = ts_incr(sec, offset);
-
- *time_out = sec;
- *usec_out = usec;
-diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
-index c0f12ed9d..6b043844d 100644
---- a/src/lib/krb5/rcache/rc_dfl.c
-+++ b/src/lib/krb5/rcache/rc_dfl.c
-@@ -97,8 +97,7 @@ alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
- {
- if (mytime == 0)
- return CMP_HOHUM; /* who cares? */
-- /* I hope we don't have to worry about overflow */
-- if (new1->ctime + t < mytime)
-+ if (ts_after(mytime, ts_incr(new1->ctime, t)))
- return CMP_EXPIRED;
- return CMP_HOHUM;
- }
-diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c
-index db273ec2f..b99cdf1ab 100644
---- a/src/lib/krb5/rcache/t_replay.c
-+++ b/src/lib/krb5/rcache/t_replay.c
-@@ -110,7 +110,7 @@ store(krb5_context ctx, char *rcspec, char *client, char *server, char *msg,
- krb5_donot_replay rep;
- krb5_data d;
-
-- if (now_timestamp > 0)
-+ if (now_timestamp != 0)
- krb5_set_debugging_time(ctx, now_timestamp, now_usec);
- if ((retval = krb5_rc_resolve_full(ctx, &rc, rcspec)))
- goto cleanup;
-@@ -221,13 +221,13 @@ main(int argc, char **argv)
- msg = (**argv) ? *argv : NULL;
- argc--; argv++;
- if (!argc) usage(progname);
-- timestamp = (krb5_timestamp) atol(*argv);
-+ timestamp = (krb5_timestamp) atoll(*argv);
- argc--; argv++;
- if (!argc) usage(progname);
- usec = (krb5_int32) atol(*argv);
- argc--; argv++;
- if (!argc) usage(progname);
-- now_timestamp = (krb5_timestamp) atol(*argv);
-+ now_timestamp = (krb5_timestamp) atoll(*argv);
- argc--; argv++;
- if (!argc) usage(progname);
- now_usec = (krb5_int32) atol(*argv);
-@@ -249,7 +249,7 @@ main(int argc, char **argv)
- rcspec = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
-- now_timestamp = (krb5_timestamp) atol(*argv);
-+ now_timestamp = (krb5_timestamp) atoll(*argv);
- argc--; argv++;
- if (!argc) usage(progname);
- now_usec = (krb5_int32) atol(*argv);
-diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
-index 7d151b55b..3a4f41821 100644
---- a/src/plugins/kdb/db2/lockout.c
-+++ b/src/plugins/kdb/db2/lockout.c
-@@ -100,7 +100,7 @@ locked_check_p(krb5_context context,
-
- /* If the entry was unlocked since the last failure, it's not locked. */
- if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
-- entry->last_failed <= unlock_time)
-+ !ts_after(entry->last_failed, unlock_time))
- return FALSE;
-
- if (max_fail == 0 || entry->fail_auth_count < max_fail)
-@@ -109,7 +109,7 @@ locked_check_p(krb5_context context,
- if (lockout_duration == 0)
- return TRUE; /* principal permanently locked */
-
-- return (stamp < entry->last_failed + lockout_duration);
-+ return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
- }
-
- krb5_error_code
-@@ -200,13 +200,13 @@ krb5_db2_lockout_audit(krb5_context context,
- status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
- if (krb5_dbe_lookup_last_admin_unlock(context, entry,
- &unlock_time) == 0 &&
-- entry->last_failed <= unlock_time) {
-+ !ts_after(entry->last_failed, unlock_time)) {
- /* Reset fail_auth_count after administrative unlock. */
- entry->fail_auth_count = 0;
- }
-
- if (failcnt_interval != 0 &&
-- stamp > entry->last_failed + failcnt_interval) {
-+ ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) {
- /* Reset fail_auth_count after failcnt_interval. */
- entry->fail_auth_count = 0;
- }
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-index 7ba53f959..88a170495 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
-@@ -1734,7 +1734,7 @@ getstringtime(krb5_timestamp epochtime)
- {
- struct tm tme;
- char *strtime=NULL;
-- time_t posixtime = epochtime;
-+ time_t posixtime = ts2tt(epochtime);
-
- strtime = calloc (50, 1);
- if (strtime == NULL)
-diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-index 0fc56c2fe..1088ecc5a 100644
---- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-@@ -93,7 +93,7 @@ locked_check_p(krb5_context context,
-
- /* If the entry was unlocked since the last failure, it's not locked. */
- if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 &&
-- entry->last_failed <= unlock_time)
-+ !ts_after(entry->last_failed, unlock_time))
- return FALSE;
-
- if (max_fail == 0 || entry->fail_auth_count < max_fail)
-@@ -102,7 +102,7 @@ locked_check_p(krb5_context context,
- if (lockout_duration == 0)
- return TRUE; /* principal permanently locked */
-
-- return (stamp < entry->last_failed + lockout_duration);
-+ return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp);
- }
-
- krb5_error_code
-@@ -196,14 +196,14 @@ krb5_ldap_lockout_audit(krb5_context context,
- status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) {
- if (krb5_dbe_lookup_last_admin_unlock(context, entry,
- &unlock_time) == 0 &&
-- entry->last_failed <= unlock_time) {
-+ !ts_after(entry->last_failed, unlock_time)) {
- /* Reset fail_auth_count after administrative unlock. */
- entry->fail_auth_count = 0;
- entry->mask |= KADM5_FAIL_AUTH_COUNT;
- }
-
- if (failcnt_interval != 0 &&
-- stamp > entry->last_failed + failcnt_interval) {
-+ ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) {
- /* Reset fail_auth_count after failcnt_interval */
- entry->fail_auth_count = 0;
- entry->mask |= KADM5_FAIL_AUTH_COUNT;
-diff --git a/src/windows/cns/tktlist.c b/src/windows/cns/tktlist.c
-index f2805f5cd..26e699fae 100644
---- a/src/windows/cns/tktlist.c
-+++ b/src/windows/cns/tktlist.c
-@@ -35,6 +35,8 @@
- #include "cns.h"
- #include "tktlist.h"
-
-+#define ts2tt(t) (time_t)(uint32_t)(t)
-+
- /*
- * Ticket information for a list line
- */
-@@ -167,10 +169,10 @@ ticket_init_list (HWND hwnd)
-
- ncred++;
- strcpy (buf, " ");
-- strncat(buf, short_date (c.times.starttime - kwin_get_epoch()),
-+ strncat(buf, short_date(ts2tt(c.times.starttime) - kwin_get_epoch()),
- sizeof(buf) - 1 - strlen(buf));
- strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
-- strncat(buf, short_date (c.times.endtime - kwin_get_epoch()),
-+ strncat(buf, short_date(ts2tt(c.times.endtime) - kwin_get_epoch()),
- sizeof(buf) - 1 - strlen(buf));
- strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
-
-@@ -192,8 +194,8 @@ ticket_init_list (HWND hwnd)
- return -1;
-
- lpinfo->ticket = TRUE;
-- lpinfo->issue_time = c.times.starttime - kwin_get_epoch();
-- lpinfo->lifetime = c.times.endtime - c.times.starttime;
-+ lpinfo->issue_time = ts2tt(c.times.starttime) - kwin_get_epoch();
-+ lpinfo->lifetime = ts2tt(c.times.endtime) - c.times.starttime;
- strcpy(lpinfo->buf, buf);
-
- rc = ListBox_AddItemData(hwnd, lpinfo);
-diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h
-index 9577365a7..325dce2e9 100644
---- a/src/windows/include/leashwin.h
-+++ b/src/windows/include/leashwin.h
-@@ -111,9 +111,9 @@ struct TicketList {
- TicketList *next;
- char *service;
- char *encTypes;
-- krb5_timestamp issued;
-- krb5_timestamp valid_until;
-- krb5_timestamp renew_until;
-+ time_t issued;
-+ time_t valid_until;
-+ time_t renew_until;
- unsigned long flags;
- };
-
-@@ -124,9 +124,9 @@ struct TICKETINFO {
- char *ccache_name;
- TicketList *ticket_list;
- int btickets; /* Do we have tickets? */
-- long issued; /* The issue time */
-- long valid_until; /* */
-- long renew_until; /* The Renew time (k5 only) */
-+ time_t issued; /* The issue time */
-+ time_t valid_until; /* */
-+ time_t renew_until; /* The Renew time (k5 only) */
- unsigned long flags;
- };
-
-diff --git a/src/windows/leash/KrbListTickets.cpp b/src/windows/leash/KrbListTickets.cpp
-index beab0ea11..5dd37b05a 100644
---- a/src/windows/leash/KrbListTickets.cpp
-+++ b/src/windows/leash/KrbListTickets.cpp
-@@ -92,10 +92,10 @@ etype_string(krb5_enctype enctype)
- static void
- CredToTicketInfo(krb5_creds KRBv5Credentials, TICKETINFO *ticketinfo)
- {
-- ticketinfo->issued = KRBv5Credentials.times.starttime;
-- ticketinfo->valid_until = KRBv5Credentials.times.endtime;
-+ ticketinfo->issued = (DWORD)KRBv5Credentials.times.starttime;
-+ ticketinfo->valid_until = (DWORD)KRBv5Credentials.times.endtime;
- ticketinfo->renew_until = KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE ?
-- KRBv5Credentials.times.renew_till : 0;
-+ (DWORD)KRBv5Credentials.times.renew_till : (DWORD)0;
- _tzset();
- if ( ticketinfo->valid_until - time(0) <= 0L )
- ticketinfo->btickets = EXPD_TICKETS;
-@@ -137,10 +137,10 @@ CredToTicketList(krb5_context ctx, krb5_creds KRBv5Credentials,
- functionName = "calloc()";
- goto cleanup;
- }
-- list->issued = KRBv5Credentials.times.starttime;
-- list->valid_until = KRBv5Credentials.times.endtime;
-+ list->issued = (DWORD)KRBv5Credentials.times.starttime;
-+ list->valid_until = (DWORD)KRBv5Credentials.times.endtime;
- if (KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE)
-- list->renew_until = KRBv5Credentials.times.renew_till;
-+ list->renew_until = (DWORD)KRBv5Credentials.times.renew_till;
- else
- list->renew_until = 0;
-
-diff --git a/src/windows/leash/LeashView.cpp b/src/windows/leash/LeashView.cpp
-index ef2a5a3e0..253ae3f06 100644
---- a/src/windows/leash/LeashView.cpp
-+++ b/src/windows/leash/LeashView.cpp
-@@ -229,22 +229,22 @@ static HFONT CreateBoldItalicFont(HFONT font)
-
- bool change_icon_size = true;
-
--void krb5TimestampToFileTime(krb5_timestamp t, LPFILETIME pft)
-+void TimestampToFileTime(time_t t, LPFILETIME pft)
- {
- // Note that LONGLONG is a 64-bit value
-- LONGLONG ll;
-+ ULONGLONG ll;
-
-- ll = Int32x32To64(t, 10000000) + 116444736000000000;
-+ ll = UInt32x32To64((DWORD)t, 10000000) + 116444736000000000;
- pft->dwLowDateTime = (DWORD)ll;
- pft->dwHighDateTime = ll >> 32;
- }
-
- // allocate outstr
--void krb5TimestampToLocalizedString(krb5_timestamp t, LPTSTR *outStr)
-+void TimestampToLocalizedString(time_t t, LPTSTR *outStr)
- {
- FILETIME ft, lft;
- SYSTEMTIME st;
-- krb5TimestampToFileTime(t, &ft);
-+ TimestampToFileTime(t, &ft);
- FileTimeToLocalFileTime(&ft, &lft);
- FileTimeToSystemTime(&lft, &st);
- TCHAR timeFormat[80]; // 80 is max required for LOCALE_STIMEFORMAT
-@@ -1125,9 +1125,9 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
- CCacheDisplayData *elem,
- int iItem,
- char *principal,
-- long issued,
-- long valid_until,
-- long renew_until,
-+ time_t issued,
-+ time_t valid_until,
-+ time_t renew_until,
- char *encTypes,
- unsigned long flags,
- char *ccache_name)
-@@ -1145,7 +1145,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
- if (issued == 0) {
- list.SetItemText(iItem, iSubItem++, "Unknown");
- } else {
-- krb5TimestampToLocalizedString(issued, &localTimeStr);
-+ TimestampToLocalizedString(issued, &localTimeStr);
- list.SetItemText(iItem, iSubItem++, localTimeStr);
- }
- }
-@@ -1155,7 +1155,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
- } else if (valid_until < now) {
- list.SetItemText(iItem, iSubItem++, "Expired");
- } else if (renew_until) {
-- krb5TimestampToLocalizedString(renew_until, &localTimeStr);
-+ TimestampToLocalizedString(renew_until, &localTimeStr);
- DurationToString(renew_until - now, &durationStr);
- if (localTimeStr && durationStr) {
- _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr);
-@@ -1172,7 +1172,7 @@ void CLeashView::AddDisplayItem(CListCtrl &list,
- } else if (valid_until < now) {
- list.SetItemText(iItem, iSubItem++, "Expired");
- } else {
-- krb5TimestampToLocalizedString(valid_until, &localTimeStr);
-+ TimestampToLocalizedString(valid_until, &localTimeStr);
- DurationToString(valid_until - now, &durationStr);
- if (localTimeStr && durationStr) {
- _snprintf(tempStr, MAX_DURATION_STR, "%s %s", localTimeStr, durationStr);
-diff --git a/src/windows/leashdll/lshfunc.c b/src/windows/leashdll/lshfunc.c
-index 0f76cc334..8dafb7bed 100644
---- a/src/windows/leashdll/lshfunc.c
-+++ b/src/windows/leashdll/lshfunc.c
-@@ -2898,7 +2898,7 @@ static BOOL cc_have_tickets(krb5_context ctx, krb5_ccache cache)
- _tzset();
- while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) {
- if ((!pkrb5_is_config_principal(ctx, creds.server)) &&
-- (creds.times.endtime - time(0) > 0))
-+ ((time_t)(DWORD)creds.times.endtime - time(0) > 0))
- have_tickets = TRUE;
-
- pkrb5_free_cred_contents(ctx, &creds);
-diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
-index c3325034a..2b4373cc1 100644
---- a/src/windows/ms2mit/ms2mit.c
-+++ b/src/windows/ms2mit/ms2mit.c
-@@ -74,7 +74,7 @@ cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
- break;
-
- if (!krb5_is_config_principal(kcontext, creds.server) &&
-- creds.times.endtime > now)
-+ ts_after(creds.times.endtime, now))
- *has_tickets = 1;
-
- krb5_free_cred_contents(kcontext, &creds);
diff --git a/Remove-incomplete-PKINIT-OCSP-support.patch b/Remove-incomplete-PKINIT-OCSP-support.patch
deleted file mode 100644
index 2f40965..0000000
--- a/Remove-incomplete-PKINIT-OCSP-support.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 466d09c9b2c456d663672cb6d5f661ef86e8536e Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Mon, 31 Jul 2017 16:03:41 -0400
-Subject: [PATCH] Remove incomplete PKINIT OCSP support
-
-pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
-implementation, so remove most traces of it, including its man page
-entry. If it is present in kdc.conf, error out of PKINIT
-initialization instead of silently ignoring the realm entirely.
-
-ticket: 8603 (new)
-(cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320)
----
- doc/admin/conf_files/kdc_conf.rst | 3 ---
- src/man/kdc.conf.man | 3 ---
- src/plugins/preauth/pkinit/pkinit.h | 2 +-
- src/plugins/preauth/pkinit/pkinit_identity.c | 11 -----------
- src/plugins/preauth/pkinit/pkinit_srv.c | 12 ++++++++++--
- 5 files changed, 11 insertions(+), 20 deletions(-)
-
-diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
-index 4e54f7e1d..d00e7926c 100644
---- a/doc/admin/conf_files/kdc_conf.rst
-+++ b/doc/admin/conf_files/kdc_conf.rst
-@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
- pkinit is used to authenticate. This option may be specified
- multiple times. (New in release 1.14.)
-
--**pkinit_kdc_ocsp**
-- Specifies the location of the KDC's OCSP.
--
- **pkinit_pool**
- Specifies the location of intermediate certificates which may be
- used by the KDC to complete the trust chain between a client's
-diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
-index d207ebd7f..c47da0117 100644
---- a/src/man/kdc.conf.man
-+++ b/src/man/kdc.conf.man
-@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if
- pkinit is used to authenticate. This option may be specified
- multiple times. (New in release 1.14.)
- .TP
--.B \fBpkinit_kdc_ocsp\fP
--Specifies the location of the KDC\(aqs OCSP.
--.TP
- .B \fBpkinit_pool\fP
- Specifies the location of intermediate certificates which may be
- used by the KDC to complete the trust chain between a client\(aqs
-diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
-index 876db94c3..a49f3078e 100644
---- a/src/plugins/preauth/pkinit/pkinit.h
-+++ b/src/plugins/preauth/pkinit/pkinit.h
-@@ -73,6 +73,7 @@
- #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
- #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
- #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
-+/* pkinit_kdc_ocsp has been removed */
- #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
- #define KRB5_CONF_PKINIT_POOL "pkinit_pool"
- #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
-@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
- char **anchors;
- char **intermediates;
- char **crls;
-- char *ocsp;
- int idtype;
- char *cert_filename;
- char *key_filename;
-diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
-index 177a2cad8..a897efa25 100644
---- a/src/plugins/preauth/pkinit/pkinit_identity.c
-+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
-@@ -125,7 +125,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
- opts->anchors = NULL;
- opts->intermediates = NULL;
- opts->crls = NULL;
-- opts->ocsp = NULL;
-
- opts->cert_filename = NULL;
- opts->key_filename = NULL;
-@@ -174,12 +173,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
- if (retval)
- goto cleanup;
-
-- if (src_opts->ocsp != NULL) {
-- newopts->ocsp = strdup(src_opts->ocsp);
-- if (newopts->ocsp == NULL)
-- goto cleanup;
-- }
--
- if (src_opts->cert_filename != NULL) {
- newopts->cert_filename = strdup(src_opts->cert_filename);
- if (newopts->cert_filename == NULL)
-@@ -674,10 +667,6 @@ pkinit_identity_prompt(krb5_context context,
- if (retval)
- goto errout;
- }
-- if (idopts->ocsp != NULL) {
-- retval = ENOTSUP;
-- goto errout;
-- }
-
- errout:
- return retval;
-diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
-index 731d14eb8..32ca122f2 100644
---- a/src/plugins/preauth/pkinit/pkinit_srv.c
-+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
-@@ -1252,7 +1252,7 @@ static krb5_error_code
- pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
- {
- krb5_error_code retval;
-- char *eku_string = NULL;
-+ char *eku_string = NULL, *ocsp_check = NULL;
-
- pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
- retval = pkinit_kdcdefault_string(context, plgctx->realmname,
-@@ -1287,7 +1287,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
-
- pkinit_kdcdefault_string(context, plgctx->realmname,
- KRB5_CONF_PKINIT_KDC_OCSP,
-- &plgctx->idopts->ocsp);
-+ &ocsp_check);
-+ if (ocsp_check != NULL) {
-+ free(ocsp_check);
-+ retval = ENOTSUP;
-+ krb5_set_error_message(context, retval,
-+ _("OCSP is not supported: (realm: %s)"),
-+ plgctx->realmname);
-+ goto errout;
-+ }
-
- pkinit_kdcdefault_integer(context, plgctx->realmname,
- KRB5_CONF_PKINIT_DH_MIN_BITS,
diff --git a/Use-GSSAPI-fallback-skiptest.patch b/Use-GSSAPI-fallback-skiptest.patch
index 118df5a..14beb76 100644
--- a/Use-GSSAPI-fallback-skiptest.patch
+++ b/Use-GSSAPI-fallback-skiptest.patch
@@ -1,4 +1,4 @@
-From 6d0b40b26e7fea1cd394618c1ab6d5e366bbc069 Mon Sep 17 00:00:00 2001
+From 697f19c5bfd4470c167d35c7af43c82a32660b82 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 Mar 2017 17:46:22 -0500
Subject: [PATCH] Use GSSAPI fallback skiptest
diff --git a/Use-expected_msg-in-test-scripts.patch b/Use-expected_msg-in-test-scripts.patch
deleted file mode 100644
index d4dc83e..0000000
--- a/Use-expected_msg-in-test-scripts.patch
+++ /dev/null
@@ -1,2584 +0,0 @@
-From 24ac588502b1731a7fd2629804f8d9ed1668297e Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 18 Jan 2017 11:22:58 -0500
-Subject: [PATCH] Use expected_msg in test scripts
-
-(cherry picked from commit d406afa363554097ac48646a29249c04f498c88e)
----
- src/appl/gss-sample/t_gss_sample.py | 18 ++-
- src/appl/user_user/t_user2user.py | 6 +-
- src/kdc/t_emptytgt.py | 5 +-
- src/lib/krb5/krb/t_expire_warn.py | 13 +-
- src/tests/gssapi/t_authind.py | 5 +-
- src/tests/gssapi/t_ccselect.py | 10 +-
- src/tests/gssapi/t_client_keytab.py | 60 +++------
- src/tests/gssapi/t_enctypes.py | 4 +-
- src/tests/gssapi/t_export_cred.py | 4 +-
- src/tests/gssapi/t_gssapi.py | 97 +++++---------
- src/tests/gssapi/t_s4u.py | 21 ++-
- src/tests/t_audit.py | 11 +-
- src/tests/t_authdata.py | 58 +++-----
- src/tests/t_ccache.py | 38 ++----
- src/tests/t_crossrealm.py | 14 +-
- src/tests/t_dump.py | 31 ++---
- src/tests/t_general.py | 12 +-
- src/tests/t_hostrealm.py | 5 +-
- src/tests/t_iprop.py | 103 ++++++---------
- src/tests/t_kadm5_hook.py | 10 +-
- src/tests/t_kadmin_acl.py | 254 ++++++++++++++----------------------
- src/tests/t_kadmin_parsing.py | 30 ++---
- src/tests/t_kdb.py | 127 +++++++-----------
- src/tests/t_kdb_locking.py | 5 +-
- src/tests/t_keydata.py | 16 +--
- src/tests/t_keyrollover.py | 16 +--
- src/tests/t_keytab.py | 50 +++----
- src/tests/t_kprop.py | 13 +-
- src/tests/t_localauth.py | 5 +-
- src/tests/t_mkey.py | 45 +++----
- src/tests/t_otp.py | 10 +-
- src/tests/t_pkinit.py | 27 ++--
- src/tests/t_policy.py | 101 +++++---------
- src/tests/t_preauth.py | 14 +-
- src/tests/t_pwqual.py | 25 ++--
- src/tests/t_referral.py | 10 +-
- src/tests/t_renew.py | 5 +-
- src/tests/t_salt.py | 12 +-
- src/tests/t_skew.py | 22 ++--
- src/tests/t_stringattr.py | 4 +-
- 40 files changed, 475 insertions(+), 841 deletions(-)
-
-diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
-index 8a6b0304f..0299e4590 100755
---- a/src/appl/gss-sample/t_gss_sample.py
-+++ b/src/appl/gss-sample/t_gss_sample.py
-@@ -31,22 +31,20 @@ gss_server = os.path.join(appdir, 'gss-server')
- # Run a gss-server process and a gss-client process, with additional
- # gss-client flags given by options and additional gss-server flags
- # given by server_options. Return the output of gss-client.
--def run_client_server(realm, options, server_options, expected_code=0):
-+def run_client_server(realm, options, server_options, **kwargs):
- portstr = str(realm.server_port())
- server_args = [gss_server, '-export', '-port', portstr]
- server_args += server_options + ['host']
- server = realm.start_server(server_args, 'starting...')
-- out = realm.run([gss_client, '-port', portstr] + options +
-- [hostname, 'host', 'testmsg'], expected_code=expected_code)
-+ realm.run([gss_client, '-port', portstr] + options +
-+ [hostname, 'host', 'testmsg'], **kwargs)
- stop_daemon(server)
-- return out
-
- # Run a gss-server and gss-client process, and verify that gss-client
- # displayed the expected output for a successful negotiation.
- def server_client_test(realm, options, server_options):
-- out = run_client_server(realm, options, server_options)
-- if 'Signature verified.' not in out:
-- fail('Expected message not seen in gss-client output')
-+ run_client_server(realm, options, server_options,
-+ expected_msg='Signature verified.')
-
- # Make up a filename to hold user's initial credentials.
- def ccache_savefile(realm):
-@@ -81,10 +79,10 @@ def pw_test(realm, options, server_options=[]):
- # IAKERB, gss_aqcuire_cred_with_password() otherwise).
- def wrong_pw_test(realm, options, server_options=[], iakerb=False):
- options = options + ['-user', realm.user_princ, '-pass', 'wrongpw']
-- out = run_client_server(realm, options, server_options, expected_code=1)
- failed_op = 'initializing context' if iakerb else 'acquiring creds'
-- if 'GSS-API error ' + failed_op not in out:
-- fail('Expected error not seen in gss-client output')
-+ msg = 'GSS-API error ' + failed_op
-+ run_client_server(realm, options, server_options, expected_code=1,
-+ expected_msg=msg)
-
- # Perform a test of the server and client with initial credentials
- # obtained with the client keytab
-diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
-index 8bdef8e07..2a7d03f8d 100755
---- a/src/appl/user_user/t_user2user.py
-+++ b/src/appl/user_user/t_user2user.py
-@@ -10,9 +10,9 @@ for realm in multipass_realms():
- else:
- srv_output = realm.start_server(['./uuserver', '9999'], 'Server started')
-
-- output = realm.run(['./uuclient', hostname, 'testing message', '9999'])
-- if 'uu-client: server says \"Hello, other end of connection.\"' not in output:
-- fail('Message not echoed back.')
-+ msg = 'uu-client: server says "Hello, other end of connection."'
-+ realm.run(['./uuclient', hostname, 'testing message', '9999'],
-+ expected_msg=msg)
-
-
- success('User-2-user test programs')
-diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
-index 8f7717a01..2d0432e33 100755
---- a/src/kdc/t_emptytgt.py
-+++ b/src/kdc/t_emptytgt.py
-@@ -2,7 +2,6 @@
- from k5test import *
-
- realm = K5Realm(create_host=False)
--output = realm.run([kvno, 'krbtgt/'], expected_code=1)
--if 'not found in Kerberos database' not in output:
-- fail('TGT lookup for empty realm failed in unexpected way')
-+realm.run([kvno, 'krbtgt/'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
- success('Empty tgt lookup.')
-diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
-index e021379ab..aed39e399 100755
---- a/src/lib/krb5/krb/t_expire_warn.py
-+++ b/src/lib/krb5/krb/t_expire_warn.py
-@@ -39,15 +39,10 @@ realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
- output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0'])
- if output:
- fail('Unexpected output for noexpire')
--output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0'])
--if ' less than one hour on ' not in output:
-- fail('Expected warning not seen for minutes')
--output = realm.run(['./t_expire_warn', 'hours', 'pass', '0'])
--if ' hours on ' not in output:
-- fail('Expected warning not seen for hours')
--output = realm.run(['./t_expire_warn', 'days', 'pass', '0'])
--if ' days on ' not in output:
-- fail('Expected warning not seen for days')
-+realm.run(['./t_expire_warn', 'minutes', 'pass', '0'],
-+ expected_msg=' less than one hour on ')
-+realm.run(['./t_expire_warn', 'hours', 'pass', '0'], expected_msg=' hours on ')
-+realm.run(['./t_expire_warn', 'days', 'pass', '0'], expected_msg=' days on ')
-
- # Check for expected expire callback behavior. These tests are
- # carefully agnostic about whether the KDC supports last_req fields,
-diff --git a/src/tests/gssapi/t_authind.py b/src/tests/gssapi/t_authind.py
-index 316bc4093..dfd0a9a04 100644
---- a/src/tests/gssapi/t_authind.py
-+++ b/src/tests/gssapi/t_authind.py
-@@ -24,9 +24,8 @@ if ('Attribute auth-indicators Authenticated Complete') not in out:
- if '73757065727374726f6e67' not in out:
- fail('Expected auth indicator not seen in name attributes')
-
--out = realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1)
--if 'gss_init_sec_context: KDC policy rejects request' not in out:
-- fail('Expected error message not seen for indicator mismatch')
-+msg = 'gss_init_sec_context: KDC policy rejects request'
-+realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg)
-
- realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two'])
- out = realm.run(['./t_srcattrs', 'p:service/2'])
-diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
-index 6be6b4ec0..1ea614d30 100755
---- a/src/tests/gssapi/t_ccselect.py
-+++ b/src/tests/gssapi/t_ccselect.py
-@@ -45,9 +45,8 @@ refserver = 'p:host/' + hostname + '@'
-
- # Verify that we can't get initiator creds with no credentials in the
- # collection.
--output = r1.run(['./t_ccselect', host1, '-'], expected_code=1)
--if 'No Kerberos credentials available' not in output:
-- fail('Expected error not seen in output when no credentials available')
-+r1.run(['./t_ccselect', host1, '-'], expected_code=1,
-+ expected_msg='No Kerberos credentials available')
-
- # Make a directory collection and use it for client commands in both realms.
- ccdir = os.path.join(r1.testdir, 'cc')
-@@ -117,8 +116,7 @@ if output != (zaphod + '\n'):
- output = r1.run(['./t_ccselect', refserver])
- if output != (bob + '\n'):
- fail('bob not chosen via primary cache when no .k5identity line matches.')
--output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
--if 'Can\'t find client principal noprinc' not in output:
-- fail('Expected error not seen when k5identity selects bad principal.')
-+r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1,
-+ expected_msg="Can't find client principal noprinc")
-
- success('GSSAPI credential selection tests')
-diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
-index 4c8747a50..2da87f45b 100755
---- a/src/tests/gssapi/t_client_keytab.py
-+++ b/src/tests/gssapi/t_client_keytab.py
-@@ -15,9 +15,7 @@ realm.extract_keytab(realm.user_princ, realm.client_keytab)
- realm.extract_keytab(bob, realm.client_keytab)
-
- # Test 1: no name/cache specified, pick first principal from client keytab
--out = realm.run(['./t_ccselect', phost])
--if realm.user_princ not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost], expected_msg=realm.user_princ)
- realm.run([kdestroy])
-
- # Test 2: no name/cache specified, pick principal from k5identity
-@@ -25,36 +23,27 @@ k5idname = os.path.join(realm.testdir, '.k5identity')
- k5id = open(k5idname, 'w')
- k5id.write('%s service=host host=%s\n' % (bob, hostname))
- k5id.close()
--out = realm.run(['./t_ccselect', gssserver])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', gssserver], expected_msg=bob)
- os.remove(k5idname)
- realm.run([kdestroy])
-
- # Test 3: no name/cache specified, default ccache has name but no creds
- realm.run(['./ccinit', realm.ccache, bob])
--out = realm.run(['./t_ccselect', phost])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost], expected_msg=bob)
- # Leave tickets for next test.
-
- # Test 4: name specified, non-collectable default cache doesn't match
--out = realm.run(['./t_ccselect', phost, puser], expected_code=1)
--if 'Principal in credential cache does not match desired name' not in out:
-- fail('Expected error not seen')
-+msg = 'Principal in credential cache does not match desired name'
-+realm.run(['./t_ccselect', phost, puser], expected_code=1, expected_msg=msg)
- realm.run([kdestroy])
-
- # Test 5: name specified, nonexistent default cache
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- # Leave tickets for next test.
-
- # Test 6: name specified, matches default cache, time to refresh
- realm.run(['./ccrefresh', realm.ccache, '1'])
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- out = realm.run(['./ccrefresh', realm.ccache])
- if int(out) < 1000:
- fail('Credentials apparently not refreshed')
-@@ -67,9 +56,8 @@ realm.run([kdestroy])
-
- # Test 8: ccache specified with name but no creds; name not in client keytab
- realm.run(['./ccinit', realm.ccache, realm.host_princ])
--out = realm.run(['./t_imp_cred', phost], expected_code=1)
--if 'Credential cache is empty' not in out:
-- fail('Expected error not seen')
-+realm.run(['./t_imp_cred', phost], expected_code=1,
-+ expected_msg='Credential cache is empty')
- realm.run([kdestroy])
-
- # Test 9: ccache specified with name but no creds; name in client keytab
-@@ -104,16 +92,12 @@ realm.env['KRB5CCNAME'] = ccname
- # Test 12: name specified, matching cache in collection with no creds
- bobcache = os.path.join(ccdir, 'tktbob')
- realm.run(['./ccinit', bobcache, bob])
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- # Leave tickets for next test.
-
- # Test 13: name specified, matching cache in collection, time to refresh
- realm.run(['./ccrefresh', bobcache, '1'])
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- out = realm.run(['./ccrefresh', bobcache])
- if int(out) < 1000:
- fail('Credentials apparently not refreshed')
-@@ -121,22 +105,15 @@ realm.run([kdestroy, '-A'])
-
- # Test 14: name specified, collection has default for different principal
- realm.kinit(realm.user_princ, password('user'))
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
--out = realm.run([klist])
--if 'Default principal: %s\n' % realm.user_princ not in out:
-- fail('Default cache overwritten by acquire_cred')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
-+msg = 'Default principal: %s\n' % realm.user_princ
-+realm.run([klist], expected_msg=msg)
- realm.run([kdestroy, '-A'])
-
- # Test 15: name specified, collection has no default cache
--out = realm.run(['./t_ccselect', phost, pbob])
--if bob not in out:
-- fail('Authenticated as wrong principal')
-+realm.run(['./t_ccselect', phost, pbob], expected_msg=bob)
- # Make sure the tickets we acquired didn't become the default
--out = realm.run([klist], expected_code=1)
--if 'No credentials cache found' not in out:
-- fail('Expected error not seen')
-+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
- realm.run([kdestroy, '-A'])
-
- # Test 16: default client keytab cannot be resolved, but valid
-@@ -145,8 +122,7 @@ conf = {'libdefaults': {'default_client_keytab_name': '%{'}}
- bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf)
- del bad_cktname['KRB5_CLIENT_KTNAME']
- realm.kinit(realm.user_princ, password('user'))
--out = realm.run(['./t_ccselect', phost], env=bad_cktname)
--if realm.user_princ not in out:
-- fail('Expected principal not seen for bad client keytab name')
-+realm.run(['./t_ccselect', phost], env=bad_cktname,
-+ expected_msg=realm.user_princ)
-
- success('Client keytab tests')
-diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py
-index 862f22989..f513db2b5 100755
---- a/src/tests/gssapi/t_enctypes.py
-+++ b/src/tests/gssapi/t_enctypes.py
-@@ -58,9 +58,7 @@ def test(msg, ienc, aenc, tktenc='', tktsession='', proto='', isubkey='',
- # and check that it fails with the expected error message.
- def test_err(msg, ienc, aenc, expected_err):
- shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache)
-- out = realm.run(cmdline(ienc, aenc), expected_code=1)
-- if expected_err not in out:
-- fail(msg)
-+ realm.run(cmdline(ienc, aenc), expected_code=1, expected_msg=expected_err)
-
-
- # By default, all of the key enctypes should be aes256.
-diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
-index 698835928..b98962788 100755
---- a/src/tests/gssapi/t_export_cred.py
-+++ b/src/tests/gssapi/t_export_cred.py
-@@ -23,9 +23,7 @@ def ccache_restore(realm):
- def check(realm, args):
- ccache_restore(realm)
- realm.run(['./t_export_cred'] + args)
-- output = realm.run([klist, '-f'])
-- if 'Flags: Ff' not in output:
-- fail('Forwarded tickets not found in ccache after t_export_cred')
-+ realm.run([klist, '-f'], expected_msg='Flags: Ff')
-
- # Check a given set of arguments with no specified mech and with krb5
- # and SPNEGO as the specified mech.
-diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
-index e23c936d7..397e58962 100755
---- a/src/tests/gssapi/t_gssapi.py
-+++ b/src/tests/gssapi/t_gssapi.py
-@@ -28,57 +28,40 @@ realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew'])
-
- # Test with no acceptor name, including client/keytab principal
- # mismatch (non-fatal) and missing keytab entry (fatal).
--output = realm.run(['./t_accname', 'p:service1/andrew'])
--if 'service1/abraham' not in output:
-- fail('Expected service1/abraham in t_accname output')
--output = realm.run(['./t_accname', 'p:service1/barack'])
--if 'service1/barack' not in output:
-- fail('Expected service1/barack in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin'])
--if 'service2/calvin' not in output:
-- fail('Expected service1/barack in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:service1/andrew'],
-+ expected_msg='service1/abraham')
-+realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack')
-+realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin')
-+realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test with acceptor name containing service only, including
- # client/keytab hostname mismatch (non-fatal) and service name
- # mismatch (fatal).
--output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'])
--if 'service1/abraham' not in output:
-- fail('Expected service1/abraham in t_accname output')
--output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
-- expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
--if 'service2/calvin' not in output:
-- fail('Expected service2/calvin in t_accname output')
--output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
-- expected_code=1)
--if ' found in keytab but does not match server principal' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'],
-+ expected_msg='service1/abraham')
-+realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1,
-+ expected_msg=' not found in keytab')
-+realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'],
-+ expected_msg='service2/calvin')
-+realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1,
-+ expected_msg=' found in keytab but does not match server principal')
-
- # Test with acceptor name containing service and host. Use the
- # client's un-canonicalized hostname as acceptor input to mirror what
- # many servers do.
--output = realm.run(['./t_accname', 'p:' + realm.host_princ,
-- 'h:host@%s' % socket.gethostname()])
--if realm.host_princ not in output:
-- fail('Expected %s in t_accname output' % realm.host_princ)
--output = realm.run(['./t_accname', 'p:host/-nomatch-',
-- 'h:host@%s' % socket.gethostname()],
-- expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_accname output')
-+realm.run(['./t_accname', 'p:' + realm.host_princ,
-+ 'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ)
-+realm.run(['./t_accname', 'p:host/-nomatch-',
-+ 'h:host@%s' % socket.gethostname()], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test krb5_gss_import_cred.
- realm.run(['./t_imp_cred', 'p:service1/barack'])
- realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
- realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
--output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
--if ' not found in keytab' not in output:
-- fail('Expected error message not seen in t_imp_cred output')
-+realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1,
-+ expected_msg=' not found in keytab')
-
- # Test credential store extension.
- tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
-@@ -116,10 +99,8 @@ ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
- realm = K5Realm(krb5_conf=ignore_conf)
- realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-'])
- realm.run([kadminl, 'xst', 'host/-nomatch-'])
--output = realm.run(['./t_accname', 'p:host/-nomatch-',
-- 'h:host@%s' % socket.gethostname()])
--if 'host/-nomatch-' not in output:
-- fail('Expected host/-nomatch- in t_accname output')
-+realm.run(['./t_accname', 'p:host/-nomatch-',
-+ 'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-')
-
- realm.stop()
-
-@@ -141,41 +122,25 @@ r3.stop()
- realm = K5Realm()
-
- # Test deferred resolution of the default ccache for initiator creds.
--output = realm.run(['./t_inq_cred'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
--output = realm.run(['./t_inq_cred', '-k'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
--output = realm.run(['./t_inq_cred', '-s'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
-+realm.run(['./t_inq_cred'], expected_msg=realm.user_princ)
-+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
-+realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ)
-
- # Test picking a name from the keytab for acceptor creds.
--output = realm.run(['./t_inq_cred', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
--output = realm.run(['./t_inq_cred', '-k', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
--output = realm.run(['./t_inq_cred', '-s', '-a'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
-+realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ)
-+realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ)
-+realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ)
-
- # Test client keytab initiation (non-deferred) with a specified name.
- realm.extract_keytab(realm.user_princ, realm.client_keytab)
- os.remove(realm.ccache)
--output = realm.run(['./t_inq_cred', '-k'])
--if realm.user_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.user_princ)
-+realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ)
-
- # Test deferred client keytab initiation and GSS_C_BOTH cred usage.
- os.remove(realm.client_keytab)
- os.remove(realm.ccache)
- shutil.copyfile(realm.keytab, realm.client_keytab)
--output = realm.run(['./t_inq_cred', '-k', '-b'])
--if realm.host_princ not in output:
-- fail('Expected %s in t_inq_cred output' % realm.host_princ)
-+realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ)
-
- # Test gss_export_name behavior.
- out = realm.run(['./t_export_name', 'u:x'])
-diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
-index 7366e3915..e4cd68469 100755
---- a/src/tests/gssapi/t_s4u.py
-+++ b/src/tests/gssapi/t_s4u.py
-@@ -42,10 +42,8 @@ if ('auth1: ' + realm.user_princ not in output or
- # result in no delegated credential being created by
- # accept_sec_context.
- realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
--output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
-- pservice1, pservice2])
--if 'no credential delegated' not in output:
-- fail('krb5 -> no delegated cred')
-+realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
-+ pservice1, pservice2], expected_msg='no credential delegated')
-
- # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because
- # service/1 isn't allowed to get a forwardable S4U2Self ticket.
-@@ -61,17 +59,15 @@ if ('Warning: no delegated cred handle' not in output or
- # Correct that problem and try again. As above, the S4U2Proxy step
- # won't actually succeed since we don't support that in DB2.
- realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1])
--output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-- fail('s4u2self')
-+realm.run(['./t_s4u', puser, pservice2], expected_code=1,
-+ expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- # Again with SPNEGO. This uses SPNEGO for the initial authentication,
- # but still uses krb5 for S4U2Proxy--the delegated cred is returned as
- # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
- # directly rather than saving and reacquiring it.
--output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in output:
-- fail('s4u2self')
-+realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1,
-+ expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- realm.stop()
-
-@@ -148,9 +144,8 @@ realm.stop()
- # fail, but we can check that the right server principal was used.
- r1, r2 = cross_realms(2, create_user=False)
- r1.run([kinit, '-k', r1.host_princ])
--out = r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1)
--if 'Server not found in Kerberos database' not in out:
-- fail('cross-realm s4u2self (t_s4u output)')
-+r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1,
-+ expected_msg='Server not found in Kerberos database')
- r1.stop()
- r2.stop()
- with open(os.path.join(r2.testdir, 'kdc.log')) as f:
-diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py
-index 69c9251e0..00e96bfea 100755
---- a/src/tests/t_audit.py
-+++ b/src/tests/t_audit.py
-@@ -14,18 +14,15 @@ realm.run([kvno, 'target'])
-
- # Make S4U2Self and S4U2Proxy requests so they will be audited. The
- # S4U2Proxy request is expected to fail.
--out = realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
-- expected_code=1)
--if 'NOT_ALLOWED_TO_DELEGATE' not in out:
-- fail('Unexpected error for S4U2Proxy')
-+realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'],
-+ expected_code=1, expected_msg='NOT_ALLOWED_TO_DELEGATE')
-
- # Make a U2U request so it will be audited.
- uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver')
- uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient')
- port_arg = str(realm.server_port())
- realm.start_server([uuserver, port_arg], 'Server started')
--output = realm.run([uuclient, hostname, 'testing message', port_arg])
--if 'Hello' not in output:
-- fail('U2U request failed unexpectedly')
-+realm.run([uuclient, hostname, 'testing message', port_arg],
-+ expected_msg='Hello')
-
- success('Audit tests')
-diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
-index 33525022b..dd92b338f 100644
---- a/src/tests/t_authdata.py
-+++ b/src/tests/t_authdata.py
-@@ -24,10 +24,8 @@ if ' -5: test1' not in out or '?-6: test2' not in out:
- if 'fake' in out:
- fail('KDC-only authdata not filtered for request with authdata')
-
--out = realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
-- expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('Wrong error seen for mandatory-for-kdc failure')
-+realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'],
-+ expected_code=1, expected_msg='KDC policy rejects request')
-
- # The no_auth_data_required server flag should suppress SIGNTICKET,
- # but not module or request authdata.
-@@ -98,45 +96,32 @@ realm2.extract_keytab('krbtgt/LOCAL', realm.keytab)
- # AS request to local-realm service
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for AS req to service')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Ticket modification request
- realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for ticket modification request')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # AS request to cross TGT
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN'])
--out = realm.run(['./adata', 'krbtgt/FOREIGN'])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for AS req to cross-realm TGT')
-+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
-
- # Multiple indicators
- realm.kinit(realm.user_princ, password('user'),
- ['-X', 'indicators=indcl indcl2 indcl3'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indcl, indcl2, indcl3]' not in out:
-- fail('multiple auth-indicators not seen for normal AS req')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indcl, indcl2, indcl3]')
-
- # AS request to local TGT (resulting creds are used for TGS tests)
- realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for normal AS req')
-+realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]')
-
- # Local TGS request for local realm service
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for local TGS req')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Local TGS request for cross TGT service
--out = realm.run(['./adata', 'krbtgt/FOREIGN'])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for TGS req to cross-realm TGT')
-+realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]')
-
- # We don't yet have support for passing auth indicators across realms,
- # so just verify that indicators don't survive cross-realm requests.
-@@ -152,16 +137,13 @@ if '97:' in out:
-
- # Test that the CAMMAC signature still works during a krbtgt rollover.
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indcl]' not in out:
-- fail('auth-indicator not seen for local TGS req after krbtgt rotation')
-+realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]')
-
- # Test indicator enforcement.
- realm.addprinc('restricted')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong'])
--out = realm.run([kvno, 'restricted'], expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('expected error not seen for auth indicator enforcement')
-+realm.run([kvno, 'restricted'], expected_code=1,
-+ expected_msg='KDC policy rejects request')
- realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl'])
- realm.run([kvno, 'restricted'])
- realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2'])
-@@ -222,13 +204,11 @@ if '+97: [indcl]' not in out or '[inds1]' in out:
- # Test that KDB module authdata is included in an AS request, by
- # default or with an explicit PAC request.
- realm.kinit(realm.user_princ, None, ['-k'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen in default AS request')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='-456: db-authdata-test')
- realm.kinit(realm.user_princ, None, ['-k', '--request-pac'])
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen with --request-pac')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='-456: db-authdata-test')
-
- # Test that KDB module authdata is suppressed in an AS request by a
- # negative PAC request.
-@@ -238,9 +218,7 @@ if '-456: db-authdata-test' in out:
- fail('DB authdata not suppressed by --no-request-pac')
-
- # Test that KDB authdata is included in a TGS request by default.
--out = realm.run(['./adata', 'service/1'])
--if '-456: db-authdata-test' not in out:
-- fail('DB authdata not seen in TGS request')
-+realm.run(['./adata', 'service/1'], expected_msg='-456: db-authdata-test')
-
- # Test that KDB authdata is suppressed in a TGS request by the
- # +no_auth_data_required flag.
-diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
-index 47d963130..2dcd19102 100755
---- a/src/tests/t_ccache.py
-+++ b/src/tests/t_ccache.py
-@@ -35,15 +35,11 @@ if not test_keyring:
-
- # Test kdestroy and klist of a non-existent ccache.
- realm.run([kdestroy])
--output = realm.run([klist], expected_code=1)
--if 'No credentials cache found' not in output:
-- fail('Expected error message not seen in klist output')
-+realm.run([klist], expected_code=1, expected_msg='No credentials cache found')
-
- # Test kinit with an inaccessible ccache.
--out = realm.run([kinit, '-c', 'testdir/xx/yy', realm.user_princ],
-- input=(password('user') + '\n'), expected_code=1)
--if 'Failed to store credentials' not in out:
-- fail('Expected error message not seen in kinit output')
-+realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'],
-+ expected_code=1, expected_msg='Failed to store credentials')
-
- # Test klist -s with a single ccache.
- realm.run([klist, '-s'], expected_code=1)
-@@ -65,9 +61,7 @@ def collection_test(realm, ccname):
-
- realm.run([klist, '-A', '-s'], expected_code=1)
- realm.kinit('alice', password('alice'))
-- output = realm.run([klist])
-- if 'Default principal: alice@' not in output:
-- fail('Initial kinit failed to get credentials for alice.')
-+ realm.run([klist], expected_msg='Default principal: alice@')
- realm.run([klist, '-A', '-s'])
- realm.run([kdestroy])
- output = realm.run([klist], expected_code=1)
-@@ -130,25 +124,20 @@ if test_keyring:
- realm.env['KRB5CCNAME'] = 'KEYRING:' + cname
- realm.run([kdestroy, '-A'])
- realm.kinit(realm.user_princ, password('user'))
-- out = realm.run([klist, '-l'])
-- if 'KEYRING:legacy:' + cname + ':' + cname not in out:
-- fail('Wrong initial primary name in keyring legacy collection')
-+ msg = 'KEYRING:legacy:' + cname + ':' + cname
-+ realm.run([klist, '-l'], expected_msg=msg)
- # Make sure this cache is linked to the session keyring.
- id = realm.run([keyctl, 'search', '@s', 'keyring', cname])
-- out = realm.run([keyctl, 'list', id.strip()])
-- if 'user: __krb5_princ__' not in out:
-- fail('Legacy cache not linked into session keyring')
-+ realm.run([keyctl, 'list', id.strip()],
-+ expected_msg='user: __krb5_princ__')
- # Remove the collection keyring. When the collection is
- # reinitialized, the legacy cache should reappear inside it
- # automatically as the primary cache.
- cleanup_keyring('@s', col_ringname)
-- out = realm.run([klist])
-- if realm.user_princ not in out:
-- fail('Cannot see legacy cache after removing collection')
-+ realm.run([klist], expected_msg=realm.user_princ)
- coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname])
-- out = realm.run([keyctl, 'list', coll_id.strip()])
-- if (id.strip() + ':') not in out:
-- fail('Legacy cache did not reappear in collection after klist')
-+ msg = id.strip() + ':'
-+ realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg)
- # Destroy the cache and check that it is unlinked from the session keyring.
- realm.run([kdestroy])
- realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1)
-@@ -160,8 +149,7 @@ conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}}
- realm = K5Realm(krb5_conf=conf, create_kdb=False)
- del realm.env['KRB5CCNAME']
- uidstr = str(os.getuid())
--out = realm.run([klist], expected_code=1)
--if 'testdir/abc%s' % uidstr not in out:
-- fail('Wrong ccache in klist')
-+msg = 'testdir/abc%s' % uidstr
-+realm.run([klist], expected_code=1, expected_msg=msg)
-
- success('Credential cache tests')
-diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py
-index 0d967b8a5..1fa48793a 100755
---- a/src/tests/t_crossrealm.py
-+++ b/src/tests/t_crossrealm.py
-@@ -25,9 +25,7 @@
- from k5test import *
-
- def test_kvno(r, princ, test, env=None):
-- output = r.run([kvno, princ], env=env)
-- if princ not in output:
-- fail('%s: principal %s not in kvno output' % (test, princ))
-+ r.run([kvno, princ], env=env, expected_msg=princ)
-
-
- def stop(*realms):
-@@ -85,9 +83,8 @@ capaths = {'capaths': {'A': {'C': 'B'}}}
- r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
- args=({'realm': 'A', 'krb5_conf': capaths},
- {'realm': 'B'}, {'realm': 'C'}))
--output = r1.run([kvno, r3.host_princ], expected_code=1)
--if 'KDC policy rejects request' not in output:
-- fail('transited 1: Expected error message not in output')
-+r1.run([kvno, r3.host_princ], expected_code=1,
-+ expected_msg='KDC policy rejects request')
- stop(r1, r2, r3)
-
- # Test a different kind of transited error. The KDC for D does not
-@@ -99,9 +96,8 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
- {'realm': 'B', 'krb5_conf': capaths},
- {'realm': 'C', 'krb5_conf': capaths},
- {'realm': 'D'}))
--output = r1.run([kvno, r4.host_princ], expected_code=1)
--if 'Illegal cross-realm ticket' not in output:
-- fail('transited 2: Expected error message not in output')
-+r1.run([kvno, r4.host_princ], expected_code=1,
-+ expected_msg='Illegal cross-realm ticket')
- stop(r1, r2, r3, r4)
-
- success('Cross-realm tests')
-diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
-index 5d3a43762..8a9462bd8 100755
---- a/src/tests/t_dump.py
-+++ b/src/tests/t_dump.py
-@@ -36,12 +36,10 @@ if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out:
- out = realm.run([kadminl, 'getpols'])
- if 'fred\n' not in out or 'barney\n' not in out:
- fail('Missing policy after load')
--out = realm.run([kadminl, 'getpol', 'compat'])
--if 'Number of old keys kept: 5' not in out:
-- fail('Policy (1.8 format) has wrong value after load')
--out = realm.run([kadminl, 'getpol', 'barney'])
--if 'Number of old keys kept: 1' not in out:
-- fail('Policy has wrong value after load')
-+realm.run([kadminl, 'getpol', 'compat'],
-+ expected_msg='Number of old keys kept: 5')
-+realm.run([kadminl, 'getpol', 'barney'],
-+ expected_msg='Number of old keys kept: 1')
-
- # Dump/load again, and make sure everything is still there.
- realm.run([kdb5_util, 'dump', dumpfile])
-@@ -81,15 +79,10 @@ dump_compare(realm, ['-ov'], srcdump_ov)
- def load_dump_check_compare(realm, opt, srcfile):
- realm.run([kdb5_util, 'destroy', '-f'])
- realm.run([kdb5_util, 'load'] + opt + [srcfile])
-- out = realm.run([kadminl, 'getprincs'])
-- if 'user@' not in out:
-- fail('Loaded dumpfile missing user principal')
-- out = realm.run([kadminl, 'getprinc', 'nokeys'])
-- if 'Number of keys: 0' not in out:
-- fail('Loading dumpfile did not process zero-key principal')
-- out = realm.run([kadminl, 'getpols'])
-- if 'testpol' not in out:
-- fail('Loaded dumpfile missing test policy')
-+ realm.run([kadminl, 'getprincs'], expected_msg='user@')
-+ realm.run([kadminl, 'getprinc', 'nokeys'],
-+ expected_msg='Number of keys: 0')
-+ realm.run([kadminl, 'getpols'], expected_msg='testpol')
- dump_compare(realm, opt, srcfile)
-
- # Load each format of dump, check it, re-dump it, and compare.
-@@ -99,12 +92,8 @@ load_dump_check_compare(realm, ['-b7'], srcdump_b7)
-
- # Loading the last (-b7 format) dump won't have loaded the
- # per-principal kadm data. Load that incrementally with -ov.
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Policy: [none]' not in out:
-- fail('Loaded b7 dump unexpectedly contains user policy reference')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]')
- realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Policy: testpol' not in out:
-- fail('Loading ov dump did not add user policy reference')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol')
-
- success('Dump/load tests')
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index 16bf6c5e3..6621b7230 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -3,10 +3,9 @@ from k5test import *
-
- for realm in multipass_realms(create_host=False):
- # Check that kinit fails appropriately with the wrong password.
-- output = realm.run([kinit, realm.user_princ], input='wrong\n',
-- expected_code=1)
-- if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
-+ msg = 'Password incorrect while getting initial credentials'
-+ realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg=msg)
-
- # Check that we can kinit as a different principal.
- realm.kinit(realm.admin_princ, password('admin'))
-@@ -42,9 +41,8 @@ realm.run(['./responder', '-r', 'password=%s' % password('user'),
- # Test that WRONG_REALM responses aren't treated as referrals unless
- # they contain a crealm field pointing to a different realm.
- # (Regression test for #8060.)
--out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Expected error message not seen in kinit -C output')
-+realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
-
- # Spot-check KRB5_TRACE output
- expected_trace = ('Sending initial UDP request',
-diff --git a/src/tests/t_hostrealm.py b/src/tests/t_hostrealm.py
-index 76b282d2a..224c067ef 100755
---- a/src/tests/t_hostrealm.py
-+++ b/src/tests/t_hostrealm.py
-@@ -20,9 +20,8 @@ def test(realm, args, expected_realms, msg, env=None):
- fail(msg)
-
- def test_error(realm, args, expected_error, msg, env=None):
-- out = realm.run(['./hrealm'] + args, env=env, expected_code=1)
-- if expected_error not in out:
-- fail(msg)
-+ realm.run(['./hrealm'] + args, env=env, expected_code=1,
-+ expected_msg=expected_error)
-
- def testh(realm, host, expected_realms, msg, env=None):
- test(realm, ['-h', host], expected_realms, msg, env=env)
-diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
-index e64fdd279..8e23cd5de 100755
---- a/src/tests/t_iprop.py
-+++ b/src/tests/t_iprop.py
-@@ -214,9 +214,8 @@ check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 6, 7)
- check_ulog(2, 6, 7, [None, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
--if 'Attributes: DISALLOW_ALL_TIX' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr2], env=slave1,
-+ expected_msg='Attributes: DISALLOW_ALL_TIX')
-
- # Start kadmind -proponly for slave1. (Use the slave1m environment
- # which defines iprop_port to $port8.)
-@@ -245,15 +244,13 @@ check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 7, 8)
- check_ulog(3, 6, 8, [None, pr2, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:20:00' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:20:00')
- kpropd3.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd3, False, 7, 8)
- check_ulog(2, 7, 8, [None, pr1], slave3)
--out = realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3)
--if 'Maximum ticket life: 0 days 00:20:00' not in out:
-- fail('slave3 does not have modification from slave1')
-+realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3,
-+ expected_msg='Maximum ticket life: 0 days 00:20:00')
- stop_daemon(kpropd3)
-
- # Test dissimilar default_realm and domain_realm map settings (no -r realm).
-@@ -287,15 +284,13 @@ check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 8, 9)
- check_ulog(4, 6, 9, [None, pr2, pr1, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum renewable life: 0 days 22:00:00\n')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 8, 9)
- check_ulog(3, 7, 9, [None, pr1, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
--if 'Maximum renewable life: 0 days 22:00:00\n' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2,
-+ expected_msg='Maximum renewable life: 0 days 22:00:00\n')
-
- # Reset the ulog on slave1 to force a full resync from master. The
- # resync will use the old dump file and then propagate changes.
-@@ -317,15 +312,11 @@ check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 9, 10)
- check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], slave1)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave1)
--if 'Attributes:\n' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr2], env=slave1, expected_msg='Attributes:\n')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 9, 10)
- check_ulog(4, 7, 10, [None, pr1, pr1, pr2], slave2)
--out = realm.run([kadminl, 'getprinc', pr2], env=slave2)
--if 'Attributes:\n' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr2], env=slave2, expected_msg='Attributes:\n')
-
- # Create a policy and check that it propagates via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol'])
-@@ -333,15 +324,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 10, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum number of password character classes: 2' not in out:
-- fail('slave1 does not have policy from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum number of password character classes: 2')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 10, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
--if 'Minimum number of password character classes: 2' not in out:
-- fail('slave2 does not have policy from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
-+ expected_msg='Minimum number of password character classes: 2')
-
- # Modify the policy and test that it also propagates via full resync.
- realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol'])
-@@ -349,15 +338,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum password length: 17' not in out:
-- fail('slave1 does not have policy change from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum password length: 17')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2)
--if 'Minimum password length: 17' not in out:
-- fail('slave2 does not have policy change from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2,
-+ expected_msg='Minimum password length: 17')
-
- # Delete the policy and test that it propagates via full resync.
- realm.run([kadminl, 'delpol', 'testpol'])
-@@ -365,15 +352,13 @@ check_ulog(1, 1, 1, [None])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('slave1 did not get policy deletion from master')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1,
-+ expected_msg='Policy does not exist')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, True, 1, 1)
- check_ulog(1, 1, 1, [None], slave2)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('slave2 did not get policy deletion from slave1')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1,
-+ expected_msg='Policy does not exist')
-
- # Modify a principal on the master and test that it propagates incrementally.
- realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1])
-@@ -381,15 +366,13 @@ check_ulog(2, 1, 2, [None, pr1])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:10:00' not in out:
-- fail('slave1 does not have modification from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:10:00')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 1, 2)
- check_ulog(2, 1, 2, [None, pr1], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2)
--if 'Maximum ticket life: 0 days 00:10:00' not in out:
-- fail('slave2 does not have modification from slave1')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2,
-+ expected_msg='Maximum ticket life: 0 days 00:10:00')
-
- # Delete a principal and test that it propagates incrementally.
- realm.run([kadminl, 'delprinc', pr3])
-@@ -397,15 +380,13 @@ check_ulog(3, 1, 3, [None, pr1, pr3])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], slave1)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave1 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1,
-+ expected_msg='Principal does not exist')
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 2, 3)
- check_ulog(3, 1, 3, [None, pr1, pr3], slave2)
--out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave2 does not have principal deletion from slave1')
-+realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1,
-+ expected_msg='Principal does not exist')
-
- # Rename a principal and test that it propagates incrementally.
- renpr = "quacked@" + realm.realm
-@@ -414,16 +395,14 @@ check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr])
- kpropd1.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd1, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave1 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1,
-+ expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=slave1)
- kpropd2.send_signal(signal.SIGUSR1)
- wait_for_prop(kpropd2, False, 3, 6)
- check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave2)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1)
--if 'Principal does not exist' not in out:
-- fail('slave2 does not have principal deletion from master')
-+realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1,
-+ expected_msg='Principal does not exist')
- realm.run([kadminl, 'getprinc', renpr], env=slave2)
-
- pr1 = renpr
-@@ -455,9 +434,8 @@ out = realm.run_kpropd_once(slave1, ['-d'])
- if 'Got incremental updates (sno=2 ' not in out:
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(2, 1, 2, [None, pr1], slave1)
--out = realm.run([kadminl, 'getprinc', pr1], env=slave1)
--if 'Maximum ticket life: 0 days 00:05:00' not in out:
-- fail('slave1 does not have modification from master after kpropd -t')
-+realm.run([kadminl, 'getprinc', pr1], env=slave1,
-+ expected_msg='Maximum ticket life: 0 days 00:05:00')
-
- # Propagate a policy change via full resync.
- realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol'])
-@@ -467,8 +445,7 @@ if ('Full propagation transfer finished' not in out or
- 'KDC is synchronized' not in out):
- fail('Expected full dump and synchronized from kpropd -t')
- check_ulog(1, 1, 1, [None], slave1)
--out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1)
--if 'Minimum number of password character classes: 3' not in out:
-- fail('slave1 does not have policy from master after kpropd -t')
-+realm.run([kadminl, 'getpol', 'testpol'], env=slave1,
-+ expected_msg='Minimum number of password character classes: 3')
-
- success('iprop tests')
-diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py
-index 708e328b0..c1c8c9419 100755
---- a/src/tests/t_kadm5_hook.py
-+++ b/src/tests/t_kadm5_hook.py
-@@ -7,12 +7,10 @@ plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test",
- hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}}
-
- realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False)
--output = realm.run([kadminl, 'addprinc', '-randkey', 'test'])
--if "create: stage precommit" not in output:
-- fail('kadm5_hook test output not found')
-+realm.run([kadminl, 'addprinc', '-randkey', 'test'],
-+ expected_msg='create: stage precommit')
-
--output = realm.run([kadminl, 'renprinc', 'test', 'test2'])
--if "rename: stage precommit" not in output:
-- fail('kadm5_hook test output not found')
-+realm.run([kadminl, 'renprinc', 'test', 'test2'],
-+ expected_msg='rename: stage precommit')
-
- success('kadm5_hook')
-diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
-index 188929a76..bbbbae99e 100755
---- a/src/tests/t_kadmin_acl.py
-+++ b/src/tests/t_kadmin_acl.py
-@@ -87,27 +87,24 @@ for pw in (['-pw', 'newpw'], ['-randkey']):
- args = pw + ks
- kadmin_as(all_changepw, ['cpw'] + args + ['unselected'])
- kadmin_as(some_changepw, ['cpw'] + args + ['selected'])
-- out = kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1)
-- if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('cpw failure (no perms)')
-- out = kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
-- expected_code=1)
-- if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('cpw failure (target)')
-- out = kadmin_as(none, ['cpw'] + args + ['none'])
-+ msg = "Operation requires ``change-password'' privilege"
-+ kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1,
-+ expected_msg=msg)
-+ kadmin_as(some_changepw, ['cpw'] + args + ['unselected'],
-+ expected_code=1, expected_msg=msg)
-+ kadmin_as(none, ['cpw'] + args + ['none'])
- realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
-- out = kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1)
-- if 'Current password\'s minimum life has not expired' not in out:
-- fail('cpw failure (minimum life)')
-+ msg = "Current password's minimum life has not expired"
-+ kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1,
-+ expected_msg=msg)
- realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
- kadmin_as(all_add, ['addpol', 'policy'])
- realm.run([kadminl, 'delpol', 'policy'])
--out = kadmin_as(none, ['addpol', 'policy'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addpol failure (no perms)')
-+kadmin_as(none, ['addpol', 'policy'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-
- # addprinc can generate two different RPC calls depending on options.
- for ks in ([], ['-e', 'aes256-cts']):
-@@ -117,89 +114,62 @@ for ks in ([], ['-e', 'aes256-cts']):
- kadmin_as(some_add, ['addprinc'] + args + ['selected'])
- realm.run([kadminl, 'delprinc', 'selected'])
- kadmin_as(restricted_add, ['addprinc'] + args + ['unselected'])
-- out = realm.run([kadminl, 'getprinc', 'unselected'])
-- if 'REQUIRES_PRE_AUTH' not in out:
-- fail('addprinc success (restrictions) -- restriction check')
-+ realm.run([kadminl, 'getprinc', 'unselected'],
-+ expected_msg='REQUIRES_PRE_AUTH')
- realm.run([kadminl, 'delprinc', 'unselected'])
-- out = kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1)
-- if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
-- out = kadmin_as(some_add, ['addprinc'] + args + ['unselected'],
-- expected_code=1)
-- if 'Operation requires ``add\'\' privilege' not in out:
-- fail('addprinc failure (target)')
-+ kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-+ kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_delete, ['delprinc', 'unselected'])
- realm.addprinc('selected', 'pw')
- kadmin_as(some_delete, ['delprinc', 'selected'])
- realm.addprinc('unselected', 'pw')
--out = kadmin_as(none, ['delprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('delprinc failure (no perms)')
--out = kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('delprinc failure (no target)')
-+kadmin_as(none, ['delprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
- realm.run([kadminl, 'delprinc', 'unselected'])
-
--out = kadmin_as(all_inquire, ['getpol', 'minlife'])
--if 'Policy: minlife' not in out:
-- fail('getpol success (acl)')
--out = kadmin_as(none, ['getpol', 'minlife'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getpol failure (no perms)')
-+kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife')
-+kadmin_as(none, ['getpol', 'minlife'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
- realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none'])
--out = kadmin_as(none, ['getpol', 'minlife'])
--if 'Policy: minlife' not in out:
-- fail('getpol success (self policy exemption)')
-+kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife')
- realm.run([kadminl, 'modprinc', '-clearpolicy', 'none'])
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
--out = kadmin_as(all_inquire, ['getprinc', 'unselected'])
--if 'Principal: unselected@KRBTEST.COM' not in out:
-- fail('getprinc success (acl)')
--out = kadmin_as(some_inquire, ['getprinc', 'selected'])
--if 'Principal: selected@KRBTEST.COM' not in out:
-- fail('getprinc success (target)')
--out = kadmin_as(none, ['getprinc', 'selected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getprinc failure (no perms)')
--out = kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getprinc failure (target)')
--out = kadmin_as(none, ['getprinc', 'none'])
--if 'Principal: none@KRBTEST.COM' not in out:
-- fail('getprinc success (self exemption)')
-+kadmin_as(all_inquire, ['getprinc', 'unselected'],
-+ expected_msg='Principal: unselected@KRBTEST.COM')
-+kadmin_as(some_inquire, ['getprinc', 'selected'],
-+ expected_msg='Principal: selected@KRBTEST.COM')
-+kadmin_as(none, ['getprinc', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(none, ['getprinc', 'none'],
-+ expected_msg='Principal: none@KRBTEST.COM')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
--out = kadmin_as(all_list, ['listprincs'])
--if 'K/M@KRBTEST.COM' not in out:
-- fail('listprincs success (acl)')
--out = kadmin_as(none, ['listprincs'], expected_code=1)
--if 'Operation requires ``list\'\' privilege' not in out:
-- fail('listprincs failure (no perms)')
-+kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM')
-+kadmin_as(none, ['listprincs'], expected_code=1,
-+ expected_msg="Operation requires ``list'' privilege")
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- realm.run([kadminl, 'setstr', 'selected', 'key', 'value'])
- realm.run([kadminl, 'setstr', 'unselected', 'key', 'value'])
--out = kadmin_as(all_inquire, ['getstrs', 'unselected'])
--if 'key: value' not in out:
-- fail('getstrs success (acl)')
--out = kadmin_as(some_inquire, ['getstrs', 'selected'])
--if 'key: value' not in out:
-- fail('getstrs success (target)')
--out = kadmin_as(none, ['getstrs', 'selected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getstrs failure (no perms)')
--out = kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1)
--if 'Operation requires ``get\'\' privilege' not in out:
-- fail('getstrs failure (target)')
--out = kadmin_as(none, ['getstrs', 'none'])
--if '(No string attributes.)' not in out:
-- fail('getstrs success (self exemption)')
-+kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value')
-+kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value')
-+kadmin_as(none, ['getstrs', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
-+kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -207,27 +177,21 @@ out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'],
- expected_code=1)
- if 'Operation requires' in out:
- fail('modpol success (acl)')
--out = kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('modpol failure (no perms)')
-+kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
- kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected'])
- kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'])
--out = realm.run([kadminl, 'getprinc', 'unselected'])
--if 'REQUIRES_PRE_AUTH' not in out:
-- fail('addprinc success (restrictions) -- restriction check')
--out = kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
--out = kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('modprinc failure (target)')
-+realm.run([kadminl, 'getprinc', 'unselected'],
-+ expected_msg='REQUIRES_PRE_AUTH')
-+kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -235,12 +199,10 @@ realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['purgekeys', 'unselected'])
- kadmin_as(some_modify, ['purgekeys', 'selected'])
--out = kadmin_as(none, ['purgekeys', 'selected'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('purgekeys failure (no perms)')
--out = kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('purgekeys failure (target)')
-+kadmin_as(none, ['purgekeys', 'selected'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
- kadmin_as(none, ['purgekeys', 'none'])
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-@@ -250,36 +212,27 @@ kadmin_as(all_rename, ['renprinc', 'from', 'to'])
- realm.run([kadminl, 'renprinc', 'to', 'from'])
- kadmin_as(some_rename, ['renprinc', 'from', 'to'])
- realm.run([kadminl, 'renprinc', 'to', 'from'])
--out = kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('renprinc failure (no delete perms)')
--out = kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (no add perms)')
--out = kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (new target)')
-+kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
-+kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
- realm.run([kadminl, 'renprinc', 'from', 'notfrom'])
--out = kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('renprinc failure (old target)')
--out = kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'],
-- expected_code=1)
--if 'Operation requires ``add\'\' privilege' not in out:
-- fail('renprinc failure (restrictions)')
-+kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1,
-+ expected_msg="Operation requires ``add'' privilege")
- realm.run([kadminl, 'delprinc', 'notfrom'])
-
- realm.addprinc('selected', 'pw')
- realm.addprinc('unselected', 'pw')
- kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value'])
- kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value'])
--out = kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('addprinc failure (no perms)')
--out = kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('modprinc failure (target)')
-+kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
-+kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.run([kadminl, 'delprinc', 'selected'])
- realm.run([kadminl, 'delprinc', 'unselected'])
-
-@@ -287,28 +240,21 @@ kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget'])
- realm.run([kadminl, 'delprinc', 'anytarget'])
- kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card'])
- realm.run([kadminl, 'delprinc', 'wild/card'])
--out = kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
-- expected_code=1)
--if 'Operation requires' not in out:
-- fail('addprinc failure (target wildcard extra component)')
-+kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'],
-+ expected_code=1, expected_msg='Operation requires')
- realm.addprinc('admin/user', 'pw')
- kadmin_as(admin, ['delprinc', 'admin/user'])
--out = kadmin_as(admin, ['delprinc', 'none'], expected_code=1)
--if 'Operation requires' not in out:
-- fail('delprinc failure (wildcard backreferences not matched)')
-+kadmin_as(admin, ['delprinc', 'none'], expected_code=1,
-+ expected_msg='Operation requires')
- realm.addprinc('four/one/three', 'pw')
- kadmin_as(onetwothreefour, ['delprinc', 'four/one/three'])
-
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1'])
--out = realm.run([kadminl, 'getprinc', 'type1'])
--if 'Policy: minlife' not in out:
-- fail('restriction (policy)')
-+realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife')
- realm.run([kadminl, 'delprinc', 'type1'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife',
- 'type2'])
--out = realm.run([kadminl, 'getprinc', 'type2'])
--if 'Policy: [none]' not in out:
-- fail('restriction (clearpolicy)')
-+realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]')
- realm.run([kadminl, 'delprinc', 'type2'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute',
- 'type3'])
-@@ -319,40 +265,32 @@ if ('Maximum ticket life: 0 days 00:01:00' not in out or
- realm.run([kadminl, 'delprinc', 'type3'])
- kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day',
- 'type3'])
--out = realm.run([kadminl, 'getprinc', 'type3'])
--if 'Maximum renewable life: 0 days 02:00:00' not in out:
-- fail('restriction (maxrenewlife high)')
-+realm.run([kadminl, 'getprinc', 'type3'],
-+ expected_msg='Maximum renewable life: 0 days 02:00:00')
-
- realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
--out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``extract-keys\'\' privilege' not in out:
-- fail('extractkeys failure (all_wildcard)')
-+kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``extract-keys'' privilege")
- kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
- realm.kinit('extractkeys', flags=['-k'])
- os.remove(realm.keytab)
-
- kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
--out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``change-password\'\' privilege' not in out:
-- fail('extractkeys failure (all_changepw)')
-+kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``change-password'' privilege")
- kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
--out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``extract-keys\'\' privilege' not in out:
-- fail('extractkeys failure (all_extract)')
--out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('extractkeys failure (all_delete)')
--out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
-- expected_code=1)
--if 'Operation requires ``delete\'\' privilege' not in out:
-- fail('extractkeys failure (all_rename)')
--out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
-- expected_code=1)
--if 'Operation requires ``modify\'\' privilege' not in out:
-- fail('extractkeys failure (all_modify)')
-+kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1,
-+ expected_msg="Operation requires ``extract-keys'' privilege")
-+kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``delete'' privilege")
-+kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
-+ expected_code=1,
-+ expected_msg="Operation requires ``modify'' privilege")
- realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
- kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
- realm.kinit('extractkeys', flags=['-k'])
-diff --git a/src/tests/t_kadmin_parsing.py b/src/tests/t_kadmin_parsing.py
-index 92d72d2b0..8de387c64 100644
---- a/src/tests/t_kadmin_parsing.py
-+++ b/src/tests/t_kadmin_parsing.py
-@@ -57,33 +57,27 @@ realm = K5Realm(create_host=False, get_creds=False)
- realm.run([kadminl, 'addpol', 'pol'])
- for instr, outstr in intervals:
- realm.run([kadminl, 'modprinc', '-maxlife', instr, realm.user_princ])
-- out = realm.run([kadminl, 'getprinc', realm.user_princ])
-- if 'Maximum ticket life: ' + outstr + '\n' not in out:
-- fail('princ maxlife: ' + instr)
-+ msg = 'Maximum ticket life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modprinc', '-maxrenewlife', instr, realm.user_princ])
-- out = realm.run([kadminl, 'getprinc', realm.user_princ])
-- if 'Maximum renewable life: ' + outstr + '\n' not in out:
-- fail('princ maxrenewlife: ' + instr)
-+ msg = 'Maximum renewable life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-maxlife', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Maximum password life: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Maximum password life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-minlife', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Minimum password life: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Minimum password life: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-failurecountinterval', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Password failure count reset interval: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Password failure count reset interval: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- realm.run([kadminl, 'modpol', '-lockoutduration', instr, 'pol'])
-- out = realm.run([kadminl, 'getpol', 'pol'])
-- if 'Password lockout duration: ' + outstr + '\n' not in out:
-- fail('pol maxlife: ' + instr)
-+ msg = 'Password lockout duration: ' + outstr + '\n'
-+ realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg)
-
- success('kadmin command parsing tests')
-diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
-index 185225afa..44635b089 100755
---- a/src/tests/t_kdb.py
-+++ b/src/tests/t_kdb.py
-@@ -167,47 +167,31 @@ if out != 'KRBTEST.COM\n':
- # because we're sticking a krbPrincipalAux objectclass onto a subtree
- # krbContainer, but it works and it avoids having to load core.schema
- # in the test LDAP server.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-- expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm dn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1'])
--out = realm.run([kadminl, 'getprinc', 'princ1'])
--if 'Principal: princ1' not in out:
-- fail('Unexpected kadmin.local output after creating princ1')
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5',
-- 'again'], expected_code=1)
--if 'ldap object is already kerberized' not in out:
-- fail('Unexpected kadmin.local output trying to re-kerberize DN')
-+realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'],
-+ expected_code=1, expected_msg='ldap object is already kerberized')
- # Check that we can't set linkdn on a non-standalone object.
--out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
-- expected_code=1)
--if 'link information can not be set' not in out:
-- fail('Unexpected kadmin.local output trying to set linkdn on princ1')
-+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'],
-+ expected_code=1, expected_msg='link information can not be set')
-
- # Create a principal with a specified linkdn.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
-- expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm linkdn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2'])
- # Check that we can't reset linkdn.
--out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
-- expected_code=1)
--if 'kerberos principal is already linked' not in out:
-- fail('Unexpected kadmin.local output for re-specified linkdn')
-+realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'],
-+ expected_code=1, expected_msg='kerberos principal is already linked')
-
- # Create a principal with a specified containerdn.
--out = realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5',
-- 'princ3'], expected_code=1)
--if 'DN is out of the realm subtree' not in out:
-- fail('Unexpected kadmin.local output for out-of-realm containerdn')
-+realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'],
-+ expected_code=1, expected_msg='DN is out of the realm subtree')
- realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5',
- 'princ3'])
--out = realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5',
-- 'princ3'], expected_code=1)
--if 'containerdn option not supported' not in out:
-- fail('Unexpected kadmin.local output trying to reset containerdn')
-+realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'],
-+ expected_code=1, expected_msg='containerdn option not supported')
-
- # Create and modify a ticket policy.
- kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour',
-@@ -255,9 +239,8 @@ if out:
- kldaputil(['create_policy', 'tktpol2'])
-
- # Try to create a password policy conflicting with a ticket policy.
--out = realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1)
--if 'Already exists while creating policy "tktpol2"' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1,
-+ expected_msg='Already exists while creating policy "tktpol2"')
-
- # Try to create a ticket policy conflicting with a password policy.
- realm.run([kadminl, 'addpol', 'pwpol'])
-@@ -266,16 +249,13 @@ if 'Already exists while creating policy object' not in out:
- fail('Expected error not seen in kdb5_ldap_util output')
-
- # Try to use a password policy as a ticket policy.
--out = realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
-- expected_code=1)
--if 'Object class violation' not in out:
-- fail('Expected error not seem in kadmin.local output')
-+realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'],
-+ expected_code=1, expected_msg='Object class violation')
-
- # Use a ticket policy as a password policy (CVE-2014-5353). This
- # works with a warning; use kadmin.local -q so the warning is shown.
--out = realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'])
--if 'WARNING: policy "tktpol2" does not exist' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'],
-+ expected_msg='WARNING: policy "tktpol2" does not exist')
-
- # Do some basic tests with a KDC against the LDAP module, exercising the
- # db_args processing code.
-@@ -298,9 +278,8 @@ if 'krbPrincipalAuthInd: otp' not in out:
- if 'krbPrincipalAuthInd: radius' not in out:
- fail('Expected krbPrincipalAuthInd value not in output')
-
--out = realm.run([kadminl, 'getstrs', 'authind'])
--if 'require_auth: otp radius' not in out:
-- fail('Expected auth indicators value not in output')
-+realm.run([kadminl, 'getstrs', 'authind'],
-+ expected_msg='require_auth: otp radius')
-
- # Test service principal aliases.
- realm.addprinc('canon', password('canon'))
-@@ -311,12 +290,10 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
- '-\n'
- 'add: krbCanonicalName\n'
- 'krbCanonicalName: canon@KRBTEST.COM\n')
--out = realm.run([kadminl, 'getprinc', 'alias'])
--if 'Principal: canon@KRBTEST.COM\n' not in out:
-- fail('Could not fetch canon through alias')
--out = realm.run([kadminl, 'getprinc', 'canon'])
--if 'Principal: canon@KRBTEST.COM\n' not in out:
-- fail('Could not fetch canon through canon')
-+realm.run([kadminl, 'getprinc', 'alias'],
-+ expected_msg='Principal: canon@KRBTEST.COM\n')
-+realm.run([kadminl, 'getprinc', 'canon'],
-+ expected_msg='Principal: canon@KRBTEST.COM\n')
- realm.run([kvno, 'alias'])
- realm.run([kvno, 'canon'])
- out = realm.run([klist])
-@@ -334,9 +311,8 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
- '-\n'
- 'add: krbCanonicalName\n'
- 'krbCanonicalName: krbtgt/KRBTEST.COM@KRBTEST.COM\n')
--out = realm.run([kadminl, 'getprinc', 'tgtalias'])
--if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
-- fail('Could not fetch krbtgt through tgtalias')
-+realm.run([kadminl, 'getprinc', 'tgtalias'],
-+ expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM')
- realm.kinit(realm.user_princ, password('user'))
- realm.run([kvno, 'tgtalias'])
- realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
-@@ -352,9 +328,8 @@ realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
-
- # Test client principal aliases, with and without preauth.
- realm.kinit('canon', password('canon'))
--out = realm.kinit('alias', password('canon'), expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Wrong error message for kinit to alias without -C flag')
-+realm.kinit('alias', password('canon'), expected_code=1,
-+ expected_msg='not found in Kerberos database')
- realm.kinit('alias', password('canon'), ['-C'])
- realm.run([kvno, 'alias'])
- realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
-@@ -413,31 +388,24 @@ realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'kvnoprinc'])
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
--out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
--if 'Number of keys: 4' not in out:
-- fail('After cpw -keepold, wrong number of keys')
-+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4')
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'kvnoprinc'])
--out = realm.run([kadminl, 'getprinc', 'kvnoprinc'])
--if 'Number of keys: 6' not in out:
-- fail('After cpw -keepold, wrong number of keys')
-+realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6')
-
- # Regression test for #8041 (NULL dereference on keyless principals).
- realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 0' not in out:
-- fail('Failed to create a principal with no keys')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 0')
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts',
- 'keylessprinc'])
- realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e',
- 'aes256-cts,aes128-cts', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 4' not in out:
-- fail('Failed to add keys to keylessprinc')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 4')
- realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc'])
--out = realm.run([kadminl, 'getprinc', 'keylessprinc'])
--if 'Number of keys: 0' not in out:
-- fail('After purgekeys -all, keys remain')
-+realm.run([kadminl, 'getprinc', 'keylessprinc'],
-+ expected_msg='Number of keys: 0')
-
- # Test for 8354 (old password history entries when -keepold is used)
- realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol'])
-@@ -451,9 +419,8 @@ realm.stop()
- # Briefly test dump and load.
- dumpfile = os.path.join(realm.testdir, 'dump')
- realm.run([kdb5_util, 'dump', dumpfile])
--out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1)
--if 'KDB module requires -update argument' not in out:
-- fail('Unexpected error from kdb5_util load without -update')
-+realm.run([kdb5_util, 'load', dumpfile], expected_code=1,
-+ expected_msg='KDB module requires -update argument')
- realm.run([kdb5_util, 'load', '-update', dumpfile])
-
- # Destroy the realm.
-@@ -501,14 +468,10 @@ realm.addprinc(realm.user_princ, password('user'))
- realm.kinit(realm.user_princ, password('user'))
- realm.stop()
- # Exercise DB options, which should cause binding to fail.
--out = realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
-- expected_code=1)
--if 'Cannot bind to LDAP server' not in out:
-- fail('Expected error not seen in kadmin.local output')
--out = realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
-- expected_code=1)
--if 'Cannot bind to LDAP server' not in out:
-- fail('Expected error not seen in kadmin.local output')
-+realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'],
-+ expected_code=1, expected_msg='Cannot bind to LDAP server')
-+realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'],
-+ expected_code=1, expected_msg='Cannot bind to LDAP server')
- realm.run([kdb5_ldap_util, 'destroy', '-f'])
-
- # We could still use tests to exercise:
-diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py
-index e8d86e09b..aac0a220f 100755
---- a/src/tests/t_kdb_locking.py
-+++ b/src/tests/t_kdb_locking.py
-@@ -21,9 +21,8 @@ if not os.path.exists(kadm5_lock):
- fail('kadm5 lock file not created: ' + kadm5_lock)
- os.unlink(kadm5_lock)
-
--output = realm.kinit(p, p, [], expected_code=1)
--if 'A service is not available' not in output:
-- fail('krb5kdc should have returned service not available error')
-+realm.kinit(p, p, [], expected_code=1,
-+ expected_msg='A service is not available')
-
- f = open(kadm5_lock, 'w')
- f.close()
-diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py
-index 686e543bd..5c04a8523 100755
---- a/src/tests/t_keydata.py
-+++ b/src/tests/t_keydata.py
-@@ -5,27 +5,19 @@ realm = K5Realm(create_user=False, create_host=False)
-
- # Create a principal with no keys.
- realm.run([kadminl, 'addprinc', '-nokey', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Number of keys: 0' not in out:
-- fail('getprinc (addprinc -nokey)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
- # Change its password and check the resulting kvno.
- realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'vno 1' not in out:
-- fail('getprinc (cpw -pw)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
- # Delete all of its keys.
- realm.run([kadminl, 'purgekeys', '-all', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'Number of keys: 0' not in out:
-- fail('getprinc (purgekeys)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
-
- # Randomize its keys and check the resulting kvno.
- realm.run([kadminl, 'cpw', '-randkey', 'user'])
--out = realm.run([kadminl, 'getprinc', 'user'])
--if 'vno 1' not in out:
-- fail('getprinc (cpw -randkey)')
-+realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
-
- # Return true if patype appears to have been received in a hint list
- # from a KDC error message, based on the trace file fname.
-diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
-index 35d0b61b8..bfd38914b 100755
---- a/src/tests/t_keyrollover.py
-+++ b/src/tests/t_keyrollover.py
-@@ -23,25 +23,17 @@ realm.run([kvno, princ1])
- realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
- # Make sure an old TGT fails after purging old TGS key.
- realm.run([kvno, princ2], expected_code=1)
--output = realm.run([klist, '-e'])
--
--expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
-+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
- (realm.realm, realm.realm)
--
--if expected not in output:
-- fail('keyrollover: expected TGS enctype not found')
-+realm.run([klist, '-e'], expected_msg=msg)
-
- # Check that new key actually works.
- realm.kinit(realm.user_princ, password('user'))
- realm.run([kvno, realm.host_princ])
--output = realm.run([klist, '-e'])
--
--expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
-+msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
- 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
- (realm.realm, realm.realm)
--
--if expected not in output:
-- fail('keyrollover: expected TGS enctype not found after change')
-+realm.run([klist, '-e'], expected_msg=msg)
-
- # Test that the KDC only accepts the first enctype for a kvno, for a
- # local-realm TGS request. To set this up, we abuse an edge-case
-diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
-index a06e6c296..a48740ba5 100755
---- a/src/tests/t_keytab.py
-+++ b/src/tests/t_keytab.py
-@@ -14,9 +14,8 @@ realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
- realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])
-
- # Test kinit with no keys for client in keytab.
--output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1)
--if 'no suitable keys' not in output:
-- fail('Expected error not seen in kinit output')
-+realm.kinit(realm.user_princ, flags=['-k'], expected_code=1,
-+ expected_msg='no suitable keys')
-
- # Test kinit and klist with client keytab defaults.
- realm.extract_keytab(realm.user_princ, realm.client_keytab);
-@@ -31,14 +30,12 @@ if realm.client_keytab not in out or realm.user_princ not in out:
-
- # Test implicit request for keytab (-i or -t without -k)
- realm.run([kdestroy])
--output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab])
--if 'keytab specified, forcing -k' not in output:
-- fail('Expected output not seen from kinit -t keytab')
-+realm.kinit(realm.host_princ, flags=['-t', realm.keytab],
-+ expected_msg='keytab specified, forcing -k')
- realm.klist(realm.host_princ)
- realm.run([kdestroy])
--output = realm.kinit(realm.user_princ, flags=['-i'])
--if 'keytab specified, forcing -k' not in output:
-- fail('Expected output not seen from kinit -i')
-+realm.kinit(realm.user_princ, flags=['-i'],
-+ expected_msg='keytab specified, forcing -k')
- realm.klist(realm.user_princ)
-
- # Test extracting keys with multiple key versions present.
-@@ -70,12 +67,10 @@ def test_key_rotate(realm, princ, expected_kvno):
- realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
- realm.run([kadminl, 'ktrem', princ, 'old'])
- realm.kinit(princ, flags=['-k'])
-- out = realm.run([klist, '-k'])
-- if ('%d %s' % (expected_kvno, princ)) not in out:
-- fail('kvno %d not listed in keytab' % expected_kvno)
-- out = realm.run_kadmin(['getprinc', princ])
-- if ('Key: vno %d,' % expected_kvno) not in out:
-- fail('vno %d not seen in getprinc output' % expected_kvno)
-+ msg = '%d %s' % (expected_kvno, princ)
-+ out = realm.run([klist, '-k'], expected_msg=msg)
-+ msg = 'Key: vno %d,' % expected_kvno
-+ out = realm.run_kadmin(['getprinc', princ], expected_msg=msg)
-
- princ = 'foo/bar@%s' % realm.realm
- realm.addprinc(princ)
-@@ -109,9 +104,8 @@ f = open(realm.keytab, 'w')
- f.write('\x05\x02\x00\x00\x00' + chr(len(record)))
- f.write(record)
- f.close()
--out = realm.run([klist, '-k'])
--if (' 2 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 2 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Make sure zero-fill isn't treated as a 32-bit kvno.
- f = open(realm.keytab, 'w')
-@@ -119,9 +113,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
- f.write(record)
- f.write('\x00\x00\x00\x00')
- f.close()
--out = realm.run([klist, '-k'])
--if (' 2 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 2 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Make sure a hand-crafted 32-bit kvno is recognized.
- f = open(realm.keytab, 'w')
-@@ -129,9 +122,8 @@ f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4))
- f.write(record)
- f.write('\x00\x00\x00\x03')
- f.close()
--out = realm.run([klist, '-k'])
--if (' 3 %s' % realm.user_princ) not in out:
-- fail('Expected entry not seen in klist -k output')
-+msg = ' 3 %s' % realm.user_princ
-+out = realm.run([klist, '-k'], expected_msg=msg)
-
- # Test parameter expansion in profile variables
- realm.stop()
-@@ -142,11 +134,9 @@ realm = K5Realm(krb5_conf=conf, create_kdb=False)
- del realm.env['KRB5_KTNAME']
- del realm.env['KRB5_CLIENT_KTNAME']
- uidstr = str(os.getuid())
--out = realm.run([klist, '-k'], expected_code=1)
--if 'FILE:testdir/abc%s' % uidstr not in out:
-- fail('Wrong keytab in klist -k output')
--out = realm.run([klist, '-ki'], expected_code=1)
--if 'FILE:testdir/xyz%s' % uidstr not in out:
-- fail('Wrong keytab in klist -ki output')
-+msg = 'FILE:testdir/abc%s' % uidstr
-+out = realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
-+msg = 'FILE:testdir/xyz%s' % uidstr
-+out = realm.run([klist, '-ki'], expected_code=1, expected_msg=msg)
-
- success('Keytab-related tests')
-diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py
-index 02cdfeec2..39169675d 100755
---- a/src/tests/t_kprop.py
-+++ b/src/tests/t_kprop.py
-@@ -43,9 +43,7 @@ for realm in multipass_realms(create_user=False):
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
-
-- out = realm.run([kadminl, 'listprincs'], slave)
-- if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+ realm.run([kadminl, 'listprincs'], slave, expected_msg='wakawaka')
-
- # default_realm tests follow.
- # default_realm and domain_realm different than realm.realm (test -r argument).
-@@ -79,9 +77,8 @@ realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kprop, '-r', realm.realm, '-f', dumpfile, '-P',
- str(realm.kprop_port()), hostname])
- check_output(kpropd)
--out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2)
--if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2,
-+ expected_msg='wakawaka')
-
- stop_daemon(kpropd)
-
-@@ -90,8 +87,6 @@ kpropd = realm.start_kpropd(slave3, ['-d'])
- realm.run([kdb5_util, 'dump', dumpfile])
- realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
- check_output(kpropd)
--out = realm.run([kadminl, 'listprincs'], slave3)
--if 'wakawaka' not in out:
-- fail('Slave does not have all principals from master')
-+realm.run([kadminl, 'listprincs'], slave3, expected_msg='wakawaka')
-
- success('kprop tests')
-diff --git a/src/tests/t_localauth.py b/src/tests/t_localauth.py
-index 4590485ac..aa625d038 100755
---- a/src/tests/t_localauth.py
-+++ b/src/tests/t_localauth.py
-@@ -14,9 +14,8 @@ def test_an2ln(env, aname, result, msg):
- fail(msg)
-
- def test_an2ln_err(env, aname, err, msg):
-- out = realm.run(['./localauth', aname], env=env, expected_code=1)
-- if err not in out:
-- fail(msg)
-+ realm.run(['./localauth', aname], env=env, expected_code=1,
-+ expected_msg=err)
-
- def test_userok(env, aname, lname, ok, msg):
- out = realm.run(['./localauth', aname, lname], env=env)
-diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py
-index c53b71b45..615cd91ca 100755
---- a/src/tests/t_mkey.py
-+++ b/src/tests/t_mkey.py
-@@ -92,9 +92,8 @@ def check_stash(*expected):
-
- # Verify that the user principal has the expected mkvno.
- def check_mkvno(princ, expected_mkvno):
-- out = realm.run([kadminl, 'getprinc', princ])
-- if ('MKey: vno %d\n' % expected_mkvno) not in out:
-- fail('Unexpected mkvno in user DB entry')
-+ msg = 'MKey: vno %d\n' % expected_mkvno
-+ realm.run([kadminl, 'getprinc', princ], expected_msg=msg)
-
-
- # Change the password using either kadmin.local or kadmin, then check
-@@ -160,9 +159,8 @@ check_mkvno(realm.user_princ, 1)
- collisionfile = os.path.join(realm.testdir, 'stash_tmp')
- f = open(collisionfile, 'w')
- f.close()
--output = realm.run([kdb5_util, 'stash'], expected_code=1)
--if 'Temporary stash file already exists' not in output:
-- fail('Did not detect temp stash file collision')
-+realm.run([kdb5_util, 'stash'], expected_code=1,
-+ expected_msg='Temporary stash file already exists')
- os.unlink(collisionfile)
-
- # Add a new master key with no options. Verify that:
-@@ -179,9 +177,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 1)
- change_password_check_mkvno(False, realm.user_princ, 'user', 1)
-
- # Verify that use_mkey won't make all master keys inactive.
--out = realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1)
--if 'there must be one master key currently active' not in out:
-- fail('Unexpected error from use_mkey making all mkeys inactive')
-+realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1,
-+ expected_msg='there must be one master key currently active')
- check_mkey_list((2, defetype, False, False), (1, defetype, True, True))
-
- # Make the new master key active. Verify that:
-@@ -194,9 +191,8 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 2)
- change_password_check_mkvno(False, realm.user_princ, 'user', 2)
-
- # Check purge_mkeys behavior with both master keys still in use.
--out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
--if 'All keys in use, nothing purged.' not in out:
-- fail('Unexpected output from purge_mkeys with both mkeys in use')
-+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
-+ expected_msg='All keys in use, nothing purged.')
-
- # Do an update_princ_encryption dry run and for real. Verify that:
- # 1. The target master key is 2 (the active mkvno).
-@@ -226,9 +222,8 @@ update_princ_encryption(False, 2, nprincs - 1, 0)
- check_mkvno(realm.user_princ, 2)
-
- # Test the safety check for purging with an outdated stash file.
--out = realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1)
--if 'stash file needs updating' not in out:
-- fail('Unexpected error from purge_mkeys safety check')
-+realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1,
-+ expected_msg='stash file needs updating')
-
- # Update the master stash file and check it. Save a copy of the old
- # one for a later test.
-@@ -253,18 +248,15 @@ check_mkey_list((2, defetype, True, True))
- check_master_dbent(2, (2, defetype))
- os.rename(stash_file, stash_file + '.save')
- os.rename(stash_file + '.old', stash_file)
--out = realm.run([kadminl, 'getprinc', 'user'], expected_code=1)
--if 'Unable to decrypt latest master key' not in out:
-- fail('Unexpected error from kadmin.local with old stash file')
-+realm.run([kadminl, 'getprinc', 'user'], expected_code=1,
-+ expected_msg='Unable to decrypt latest master key')
- os.rename(stash_file + '.save', stash_file)
- realm.run([kdb5_util, 'stash'])
- check_stash((2, defetype))
--out = realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1)
--if '1 is an invalid KVNO value' not in out:
-- fail('Unexpected error from use_mkey with invalid kvno')
--out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'])
--if 'There is only one master key which can not be purged.' not in out:
-- fail('Unexpected output from purge_mkeys with one mkey')
-+realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1,
-+ expected_msg='1 is an invalid KVNO value')
-+realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'],
-+ expected_msg='There is only one master key which can not be purged.')
-
- # Add a third master key with a specified enctype. Verify that:
- # 1. The new master key receives the correct number.
-@@ -331,8 +323,7 @@ check_mkey_list((2, defetype, True, True), (1, des3, True, False))
- # Regression test for #8395. Purge the master key and verify that a
- # master key fetch does not segfault.
- realm.run([kadminl, 'purgekeys', '-all', 'K/M'])
--out = realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1)
--if 'Cannot find master key record in database' not in out:
-- fail('Unexpected output from failed master key fetch')
-+realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1,
-+ expected_msg='Cannot find master key record in database')
-
- success('Master key rollover tests')
-diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py
-index f098374f9..9b18ff94b 100755
---- a/src/tests/t_otp.py
-+++ b/src/tests/t_otp.py
-@@ -199,9 +199,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('udp')])
- realm.kinit(realm.user_princ, 'accept', flags=flags)
- verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
- realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indotp1, indotp2]' not in out:
-- fail('auth indicators not seen in OTP ticket')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indotp1, indotp2]')
-
- # Repeat with an indicators override in the string attribute.
- daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue))
-@@ -212,9 +211,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf])
- realm.kinit(realm.user_princ, 'accept', flags=flags)
- verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept')
- realm.extract_keytab(realm.krbtgt_princ, realm.keytab)
--out = realm.run(['./adata', realm.krbtgt_princ])
--if '+97: [indtok1, indtok2]' not in out:
-- fail('auth indicators not seen in OTP ticket')
-+realm.run(['./adata', realm.krbtgt_princ],
-+ expected_msg='+97: [indtok1, indtok2]')
-
- # Detect upstream pyrad bug
- # https://github.com/wichert/pyrad/pull/18
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index f56141564..e943f4974 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -101,10 +101,9 @@ realm.kinit('user@krbtest.com',
- flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity])
-
- # Test a mismatch.
--out = realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity,
-- 'user2'], expected_code=1)
--if 'kinit: Client name mismatch while getting initial credentials' not in out:
-- fail('Wrong error for UPN SAN mismatch')
-+msg = 'kinit: Client name mismatch while getting initial credentials'
-+realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity, 'user2'],
-+ expected_code=1, expected_msg=msg)
- realm.stop()
-
- realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
-@@ -118,9 +117,8 @@ realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
-
- # Test anonymous PKINIT.
--out = realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Wrong error for anonymous PKINIT without anonymous enabled')
-+realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
- realm.addprinc('WELLKNOWN/ANONYMOUS')
- realm.kinit('@%s' % realm.realm, flags=['-n'])
- realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS')
-@@ -135,9 +133,8 @@ f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
- f.close()
- realm.start_kadmind()
- realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd'])
--out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1)
--if "Operation requires ``get'' privilege" not in out:
-- fail('Anonymous kadmin has too much privilege')
-+realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1,
-+ expected_msg="Operation requires ``get'' privilege")
- realm.stop_kadmind()
-
- # Test with anonymous restricted; FAST should work but kvno should fail.
-@@ -146,9 +143,8 @@ realm.stop_kdc()
- realm.start_kdc(env=r_env)
- realm.kinit('@%s' % realm.realm, flags=['-n'])
- realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache])
--out = realm.run([kvno, realm.host_princ], expected_code=1)
--if 'KDC policy rejects request' not in out:
-- fail('Wrong error for restricted anonymous PKINIT')
-+realm.run([kvno, realm.host_princ], expected_code=1,
-+ expected_msg='KDC policy rejects request')
-
- # Regression test for #8458: S4U2Self requests crash the KDC if
- # anonymous is restricted.
-@@ -200,9 +196,8 @@ realm.kinit(realm.user_princ,
- password='encrypted')
- realm.klist(realm.user_princ)
- realm.run([kvno, realm.host_princ])
--out = realm.run(['./adata', realm.host_princ])
--if '+97: [indpkinit1, indpkinit2]' not in out:
-- fail('auth indicators not seen in PKINIT ticket')
-+realm.run(['./adata', realm.host_princ],
-+ expected_msg='+97: [indpkinit1, indpkinit2]')
-
- # Run the basic test - PKINIT with FILE: identity, with a password on the key,
- # supplied by the responder.
-diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
-index bfec96a93..26c4e466e 100755
---- a/src/tests/t_policy.py
-+++ b/src/tests/t_policy.py
-@@ -7,35 +7,27 @@ realm = K5Realm(create_host=False, start_kadmind=True)
- # Test password quality enforcement.
- realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
- realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
--out = realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password')
--out = realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'],
-- expected_code=1)
--if 'Password does not contain enough character classes' not in out:
-- fail('insufficient character classes')
-+realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1,
-+ expected_msg='Password is too short')
-+realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1,
-+ expected_msg='Password does not contain enough character classes')
- realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
- # Test some password history enforcement. Even with no history value,
- # the current password should be denied.
--out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of current password')
-+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
- realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
- realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
--out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of old password')
-+realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
- realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
- realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
-
- # Test references to nonexistent policies.
- realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
--out = realm.run([kadminl, 'getprinc', 'newuser'])
--if 'Policy: newpol [does not exist]\n' not in out:
-- fail('getprinc output for principal referencing nonexistent policy')
-+realm.run([kadminl, 'getprinc', 'newuser'],
-+ expected_msg='Policy: newpol [does not exist]\n')
- realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
- # pwuser should allow reuse of the current password since newpol doesn't exist.
- realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
-@@ -45,29 +37,20 @@ realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
-
- # Create newpol and verify that it is enforced.
- realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
--out = realm.run([kadminl, 'getprinc', 'pwuser'])
--if 'Policy: newpol\n' not in out:
-- fail('getprinc after creating policy (pwuser)')
--out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password after creating policy (pwuser)')
--out = realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('reuse of current password after creating policy')
-+realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
-+realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1,
-+ expected_msg='Password is too short')
-+realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1,
-+ expected_msg='Cannot reuse password')
-
--out = realm.run([kadminl, 'getprinc', 'newuser'])
--if 'Policy: newpol\n' not in out:
-- fail('getprinc after creating policy (newuser)')
--out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1)
--if 'Password is too short' not in out:
-- fail('short password after creating policy (newuser)')
-+realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
-+realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1,
-+ expected_msg='Password is too short')
-
- # Delete the policy and verify that it is no longer enforced.
- realm.run([kadminl, 'delpol', 'newpol'])
--out = realm.run([kadminl, 'getpol', 'newpol'], expected_code=1)
--if 'Policy does not exist' not in out:
-- fail('deletion of referenced policy')
-+realm.run([kadminl, 'getpol', 'newpol'], expected_code=1,
-+ expected_msg='Policy does not exist')
- realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
-
- # Test basic password lockout support.
-@@ -78,18 +61,14 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
- 'user'])
-
- # kinit twice with the wrong password.
--output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
--if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
--output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
--if 'Password incorrect while getting initial credentials' not in output:
-- fail('Expected error message not seen in kinit output')
-+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg='Password incorrect while getting initial credentials')
-+realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
-+ expected_msg='Password incorrect while getting initial credentials')
-
- # Now the account should be locked out.
--output = realm.run([kinit, realm.user_princ], expected_code=1)
--if 'Client\'s credentials have been revoked while getting initial credentials' \
-- not in output:
-- fail('Expected lockout error message not seen in kinit output')
-+m = 'Client\'s credentials have been revoked while getting initial credentials'
-+realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=m)
-
- # Check that modprinc -unlock allows a further attempt.
- realm.run([kadminl, 'modprinc', '-unlock', 'user'])
-@@ -113,10 +92,8 @@ realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
- # Swap the keys, simulating older kadmin having chosen the second entry.
- realm.run(['./hist', 'swap'])
- # Make sure we can read the history entry.
--out = realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'],
-- expected_code=1)
--if 'Cannot reuse password' not in out:
-- fail('Expected error not seen in output')
-+realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
-+ expected_msg='Cannot reuse password')
-
- # Test key/salt constraints.
-
-@@ -142,9 +119,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
-
- # Test modpol.
- realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
--out = realm.run([kadminl, 'getpol', 'ak'])
--if not 'Allowed key/salt types: aes256-cts,rc4-hmac' in out:
-- fail('getpol does not implement allowedkeysalts?')
-+realm.run([kadminl, 'getpol', 'ak'],
-+ expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')
-
- # Test subsets and full set.
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
-@@ -153,19 +129,14 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
- realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
-
- # Check that the order we got is the one from the policy.
--out = realm.run([kadminl, 'getprinc', '-terse', 'server'])
--if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in out:
-- fail('allowed_keysalts policy did not preserve order')
-+realm.run([kadminl, 'getprinc', '-terse', 'server'],
-+ expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')
-
- # Test partially intersecting sets.
--out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts',
-- 'server'], expected_code=1)
--if not 'Invalid key/salt tuples' in out:
-- fail('allowed_keysalts policy not applied properly')
--out = realm.run([kadminl, 'cpw', '-randkey', '-e',
-- 'rc4-hmac,aes256-cts,aes128-cts', 'server'], expected_code=1)
--if not 'Invalid key/salt tuples' in out:
-- fail('allowed_keysalts policy not applied properly')
-+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'],
-+ expected_code=1, expected_msg='Invalid key/salt tuples')
-+realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts',
-+ 'server'], expected_code=1, expected_msg='Invalid key/salt tuples')
-
- # Test reset of allowedkeysalts.
- realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
-diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py
-index 0ef8bbca4..1823a797d 100644
---- a/src/tests/t_preauth.py
-+++ b/src/tests/t_preauth.py
-@@ -10,18 +10,12 @@ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf)
- realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
- realm.run([kadminl, 'setstr', realm.user_princ, 'teststring', 'testval'])
- realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser'])
--out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
--if 'testval' not in out:
-- fail('Decrypted string attribute not in kinit output')
--out = realm.run([kinit, 'nokeyuser'], input=password('user')+'\n',
-- expected_code=1)
--if 'no key' not in out:
-- fail('Expected "no key" message not in kinit output')
-+realm.kinit(realm.user_princ, password('user'), expected_msg='testval')
-+realm.kinit('nokeyuser', password('user'), expected_code=1,
-+ expected_msg='no key')
-
- # Exercise KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
- realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip'])
--out = realm.run([kinit, realm.user_princ], input=password('user')+'\n')
--if '2rt: secondtrip' not in out:
-- fail('multi round-trip cookie test')
-+realm.kinit(realm.user_princ, password('user'), expected_msg='2rt: secondtrip')
-
- success('Pre-authentication framework tests')
-diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py
-index 0d1d387d8..011110bd1 100755
---- a/src/tests/t_pwqual.py
-+++ b/src/tests/t_pwqual.py
-@@ -18,29 +18,24 @@ f.close()
- realm.run([kadminl, 'addpol', 'pol'])
-
- # The built-in "empty" module rejects empty passwords even without a policy.
--out = realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1)
--if 'Empty passwords are not allowed' not in out:
-- fail('Expected error not seen for empty password')
-+realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1,
-+ expected_msg='Empty passwords are not allowed')
-
- # The built-in "dict" module rejects dictionary words, but only with a policy.
- realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2'])
--out = realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
-- expected_code=1)
--if 'Password is in the password dictionary' not in out:
-- fail('Expected error not seen from dictionary password')
-+realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'],
-+ expected_code=1,
-+ expected_msg='Password is in the password dictionary')
-
- # The built-in "princ" module rejects principal components, only with a policy.
- realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4'])
--out = realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
-- expected_code=1)
--if 'Password may not match principal name' not in out:
-- fail('Expected error not seen from principal component')
-+realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'],
-+ expected_code=1,
-+ expected_msg='Password may not match principal name')
-
- # The dynamic "combo" module rejects pairs of dictionary words.
--out = realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'],
-- expected_code=1)
--if 'Password may not be a pair of dictionary words' not in out:
-- fail('Expected error not seen from combo module')
-+realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1,
-+ expected_msg='Password may not be a pair of dictionary words')
-
- # These plugin ordering tests aren't specifically related to the
- # password quality interface, but are convenient to put here.
-diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
-index 559fbd5f7..9765116aa 100755
---- a/src/tests/t_referral.py
-+++ b/src/tests/t_referral.py
-@@ -23,9 +23,8 @@ def testref(realm, nametype):
- # Get credentials and check that we get an error, not a referral.
- def testfail(realm, nametype):
- shutil.copyfile(savefile, realm.ccache)
-- out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1)
-- if 'not found in Kerberos database' not in out:
-- fail('unexpected error')
-+ realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1,
-+ expected_msg='not found in Kerberos database')
-
- # Create a modified KDC environment and restart the KDC.
- def restart_kdc(realm, kdc_conf):
-@@ -116,9 +115,8 @@ r1, r2 = cross_realms(2, xtgts=(),
- create_host=False)
- r2.addprinc('abc\@XYZ', 'pw')
- r1.start_kdc()
--out = r1.kinit('user', expected_code=1)
--if 'not found in Kerberos database' not in out:
-- fail('Expected error not seen for referral without canonicalize flag')
-+r1.kinit('user', expected_code=1,
-+ expected_msg='not found in Kerberos database')
- r1.kinit('user', password('user'), ['-C'])
- r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
- r1.kinit('abc@XYZ', 'pw', ['-E'])
-diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
-index a5f0d4bc1..106c8ecd3 100755
---- a/src/tests/t_renew.py
-+++ b/src/tests/t_renew.py
-@@ -32,9 +32,8 @@ realm.run([kvno, realm.user_princ])
-
- # Make sure we can't renew non-renewable tickets.
- test('non-renewable', '1h', '1h', False)
--out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
--if "KDC can't fulfill requested option" not in out:
-- fail('expected error not seen renewing non-renewable ticket')
-+realm.kinit(realm.user_princ, flags=['-R'], expected_code=1,
-+ expected_msg="KDC can't fulfill requested option")
-
- # Test that -allow_renewable on the client principal works.
- realm.run([kadminl, 'modprinc', '-allow_renewable', 'user'])
-diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py
-index e923c92d1..ddb1905ed 100755
---- a/src/tests/t_salt.py
-+++ b/src/tests/t_salt.py
-@@ -62,13 +62,11 @@ for ks in dup_kstypes:
- # fails.
- def test_reject_afs3(realm, etype):
- query = 'ank -e ' + etype + ':afs3 -pw password princ1'
-- out = realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-- 'princ1'], expected_code=1)
-- if 'Invalid key generation parameters from KDC' not in out:
-- fail('Allowed afs3 salt for ' + etype)
-- out = realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1)
-- if 'Principal does not exist' not in out:
-- fail('Created principal with afs3 salt and enctype ' + etype)
-+ realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password',
-+ 'princ1'], expected_code=1,
-+ expected_msg='Invalid key generation parameters from KDC')
-+ realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1,
-+ expected_msg='Principal does not exist')
-
- # Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes.
- # We do not currently do any verification on the key-generation parameters
-diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
-index b72971070..f2ae06695 100755
---- a/src/tests/t_skew.py
-+++ b/src/tests/t_skew.py
-@@ -37,22 +37,16 @@ realm.kinit(realm.user_princ, password('user'),
-
- # kinit should detect too much skew in the KDC response. kinit with
- # FAST should fail from the KDC since the armor AP-REQ won't be valid.
--out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
--if 'Clock skew too great in KDC reply' not in out:
-- fail('Expected error message not seen in kinit skew case')
--out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache],
-- expected_code=1)
--if 'Clock skew too great while' not in out:
-- fail('Expected error message not seen in kinit FAST skew case')
-+realm.kinit(realm.user_princ, password('user'), expected_code=1,
-+ expected_msg='Clock skew too great in KDC reply')
-+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
-+ expected_msg='Clock skew too great while')
-
- # kinit (with preauth) should fail from the KDC, with or without FAST.
- realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
--out = realm.kinit(realm.user_princ, password('user'), expected_code=1)
--if 'Clock skew too great while' not in out:
-- fail('Expected error message not seen in kinit skew case (preauth)')
--out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache],
-- expected_code=1)
--if 'Clock skew too great while' not in out:
-- fail('Expected error message not seen in kinit FAST skew case (preauth)')
-+realm.kinit(realm.user_princ, password('user'), expected_code=1,
-+ expected_msg='Clock skew too great while')
-+realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1,
-+ expected_msg='Clock skew too great while')
-
- success('Clock skew tests')
-diff --git a/src/tests/t_stringattr.py b/src/tests/t_stringattr.py
-index 281c8726f..5672a0f20 100755
---- a/src/tests/t_stringattr.py
-+++ b/src/tests/t_stringattr.py
-@@ -28,9 +28,7 @@ realm = K5Realm(start_kadmind=True, create_host=False, get_creds=False)
-
- realm.prep_kadmin()
-
--out = realm.run_kadmin(['getstrs', 'user'])
--if '(No string attributes.)' not in out:
-- fail('Empty attribute query')
-+realm.run_kadmin(['getstrs', 'user'], expected_msg='(No string attributes.)')
-
- realm.run_kadmin(['setstr', 'user', 'attr1', 'value1'])
- realm.run_kadmin(['setstr', 'user', 'attr2', 'value2'])
diff --git a/Use-expected_trace-in-test-scripts.patch b/Use-expected_trace-in-test-scripts.patch
deleted file mode 100644
index 74516ea..0000000
--- a/Use-expected_trace-in-test-scripts.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 35a00879008457d21ccc6e623835976a21f5000b Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Tue, 17 Jan 2017 11:25:22 -0500
-Subject: [PATCH] Use expected_trace in test scripts
-
-(cherry picked from commit 7b7e5d964e5d020fdda3fb9843d9b8cf8b29a6f8)
----
- src/tests/t_general.py | 24 ++++++++----------------
- src/tests/t_pkinit.py | 15 ++++++---------
- 2 files changed, 14 insertions(+), 25 deletions(-)
-
-diff --git a/src/tests/t_general.py b/src/tests/t_general.py
-index 6d523fe45..16bf6c5e3 100755
---- a/src/tests/t_general.py
-+++ b/src/tests/t_general.py
-@@ -47,21 +47,13 @@ if 'not found in Kerberos database' not in out:
- fail('Expected error message not seen in kinit -C output')
-
- # Spot-check KRB5_TRACE output
--tracefile = os.path.join(realm.testdir, 'trace')
--realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ],
-- input=(password('user') + "\n"))
--f = open(tracefile, 'r')
--trace = f.read()
--f.close()
--expected = ('Sending initial UDP request',
-- 'Received answer',
-- 'Selected etype info',
-- 'AS key obtained',
-- 'Decrypted AS reply',
-- 'FAST negotiation: available',
-- 'Storing user@KRBTEST.COM')
--for e in expected:
-- if e not in trace:
-- fail('Expected output not in kinit trace log')
-+expected_trace = ('Sending initial UDP request',
-+ 'Received answer',
-+ 'Selected etype info',
-+ 'AS key obtained',
-+ 'Decrypted AS reply',
-+ 'FAST negotiation: available',
-+ 'Storing user@KRBTEST.COM')
-+realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
-
- success('FAST kinit, trace logging')
-diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
-index 183977750..f56141564 100755
---- a/src/tests/t_pkinit.py
-+++ b/src/tests/t_pkinit.py
-@@ -176,19 +176,16 @@ realm.klist(realm.user_princ)
-
- # Test a DH parameter renegotiation by temporarily setting a 4096-bit
- # minimum on the KDC.
--tracefile = os.path.join(realm.testdir, 'trace')
- minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
- minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
- realm.stop_kdc()
- realm.start_kdc(env=minbits_env)
--realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-X',
-- 'X509_user_identity=' + file_identity, realm.user_princ])
--with open(tracefile, 'r') as f:
-- trace = f.read()
--if ('Key parameters not accepted' not in trace or
-- 'Preauth tryagain input types' not in trace or
-- 'trying again with KDC-provided parameters' not in trace):
-- fail('DH renegotiation steps not found in kinit trace log')
-+expected_trace = ('Key parameters not accepted',
-+ 'Preauth tryagain input types',
-+ 'trying again with KDC-provided parameters')
-+realm.kinit(realm.user_princ,
-+ flags=['-X', 'X509_user_identity=%s' % file_identity],
-+ expected_trace=expected_trace)
- realm.stop_kdc()
- realm.start_kdc()
-
diff --git a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
deleted file mode 100644
index bc0591a..0000000
--- a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From feee4c633a7db348ef99f1f0c99a5c2e6cb70f92 Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Fri, 10 Feb 2017 12:53:42 -0500
-Subject: [PATCH] Use fallback realm for GSSAPI ccache selection
-
-In krb5_cc_select(), if the server principal has an empty realm, use
-krb5_get_fallback_host_realm() and set the server realm to the first
-fallback found. This helps with the selection of a non-default ccache
-when there is no [domain_realms] configuration for the server domain.
-Modify t_ccselect.py tests to account for fallback behavior.
-
-ticket: 8549 (new)
-(cherry picked from commit 234b64bd6139d5b75dadd5abbd5bef5a162e298a)
----
- src/lib/krb5/ccache/ccselect.c | 37 ++++++++++++++++++++++++++-----
- src/tests/gssapi/t_ccselect.py | 50 +++++++++++++++++++++++++++++++++---------
- 2 files changed, 72 insertions(+), 15 deletions(-)
-
-diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c
-index 2f3071a27..ee4b83a9b 100644
---- a/src/lib/krb5/ccache/ccselect.c
-+++ b/src/lib/krb5/ccache/ccselect.c
-@@ -132,6 +132,8 @@ krb5_cc_select(krb5_context context, krb5_principal server,
- struct ccselect_module_handle **hp, *h;
- krb5_ccache cache;
- krb5_principal princ;
-+ krb5_principal srvcp = NULL;
-+ char **fbrealms = NULL;
-
- *cache_out = NULL;
- *princ_out = NULL;
-@@ -139,7 +141,27 @@ krb5_cc_select(krb5_context context, krb5_principal server,
- if (context->ccselect_handles == NULL) {
- ret = load_modules(context);
- if (ret)
-- return ret;
-+ goto cleanup;
-+ }
-+
-+ /* Try to use the fallback host realm for the server if there is no
-+ * authoritative realm. */
-+ if (krb5_is_referral_realm(&server->realm) &&
-+ server->type == KRB5_NT_SRV_HST && server->length == 2) {
-+ ret = krb5_get_fallback_host_realm(context, &server->data[1],
-+ &fbrealms);
-+ if (ret)
-+ goto cleanup;
-+
-+ /* Make a copy with the first fallback realm. */
-+ ret = krb5_copy_principal(context, server, &srvcp);
-+ if (ret)
-+ goto cleanup;
-+ ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]);
-+ if (ret)
-+ goto cleanup;
-+
-+ server = srvcp;
- }
-
- /* Consult authoritative modules first, then heuristic ones. */
-@@ -155,20 +177,25 @@ krb5_cc_select(krb5_context context, krb5_principal server,
- princ);
- *cache_out = cache;
- *princ_out = princ;
-- return 0;
-+ goto cleanup;
- } else if (ret == KRB5_CC_NOTFOUND) {
- TRACE_CCSELECT_MODNOTFOUND(context, h->vt.name, server, princ);
- *princ_out = princ;
-- return ret;
-+ goto cleanup;
- } else if (ret != KRB5_PLUGIN_NO_HANDLE) {
- TRACE_CCSELECT_MODFAIL(context, h->vt.name, ret, server);
-- return ret;
-+ goto cleanup;
- }
- }
- }
-
- TRACE_CCSELECT_NOTFOUND(context, server);
-- return KRB5_CC_NOTFOUND;
-+ ret = KRB5_CC_NOTFOUND;
-+
-+cleanup:
-+ krb5_free_principal(context, srvcp);
-+ krb5_free_host_realm(context, fbrealms);
-+ return ret;
- }
-
- void
-diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
-index 1ea614d30..668a2cc62 100755
---- a/src/tests/gssapi/t_ccselect.py
-+++ b/src/tests/gssapi/t_ccselect.py
-@@ -31,12 +31,18 @@ r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
-
- host1 = 'p:' + r1.host_princ
- host2 = 'p:' + r2.host_princ
-+foo = 'foo.krbtest.com'
-+foo2 = 'foo.krbtest2.com'
-
--# gsserver specifies the target as a GSS name. The resulting
--# principal will have the host-based type, but the realm won't be
--# known before the client cache is selected (since k5test realms have
--# no domain-realm mapping by default).
--gssserver = 'h:host@' + hostname
-+# These strings specify the target as a GSS name. The resulting
-+# principal will have the host-based type, with the referral realm
-+# (since k5test realms have no domain-realm mapping by default).
-+# krb5_cc_select() will use the fallback realm, which is either the
-+# uppercased parent domain, or the default realm if the hostname is a
-+# single component.
-+gssserver = 'h:host@' + foo
-+gssserver2 = 'h:host@' + foo2
-+gsslocal = 'h:host@localhost'
-
- # refserver specifies the target as a principal in the referral realm.
- # The principal won't be treated as a host principal by the
-@@ -66,6 +72,16 @@ r1.addprinc(alice, password('alice'))
- r1.addprinc(bob, password('bob'))
- r2.addprinc(zaphod, password('zaphod'))
-
-+# Create host principals and keytabs for fallback realm tests.
-+r1.addprinc('host/localhost')
-+r2.addprinc('host/localhost')
-+r1.addprinc('host/' + foo)
-+r2.addprinc('host/' + foo2)
-+r1.extract_keytab('host/localhost', r1.keytab)
-+r2.extract_keytab('host/localhost', r2.keytab)
-+r1.extract_keytab('host/' + foo, r1.keytab)
-+r2.extract_keytab('host/' + foo2, r2.keytab)
-+
- # Get tickets for one user in each realm (zaphod will be primary).
- r1.kinit(alice, password('alice'))
- r2.kinit(zaphod, password('zaphod'))
-@@ -93,10 +109,24 @@ if output != (zaphod + '\n'):
- fail('zaphod not chosen as default initiator name for server in r1')
-
- # Check that primary cache is used if server realm is unknown.
--output = r2.run(['./t_ccselect', gssserver])
-+output = r2.run(['./t_ccselect', refserver])
- if output != (zaphod + '\n'):
- fail('zaphod not chosen via primary cache for unknown server realm')
--r1.run(['./t_ccselect', gssserver], expected_code=1)
-+r1.run(['./t_ccselect', gssserver2], expected_code=1)
-+# Check ccache selection using a fallback realm.
-+output = r1.run(['./t_ccselect', gssserver])
-+if output != (alice + '\n'):
-+ fail('alice not chosen via parent domain fallback')
-+output = r2.run(['./t_ccselect', gssserver2])
-+if output != (zaphod + '\n'):
-+ fail('zaphod not chosen via parent domain fallback')
-+# Check ccache selection using a fallback realm (default realm).
-+output = r1.run(['./t_ccselect', gsslocal])
-+if output != (alice + '\n'):
-+ fail('alice not chosen via default realm fallback')
-+output = r2.run(['./t_ccselect', gsslocal])
-+if output != (zaphod + '\n'):
-+ fail('zaphod not chosen via default realm fallback')
-
- # Get a second cred in r1 (bob will be primary).
- r1.kinit(bob, password('bob'))
-@@ -104,19 +134,19 @@ r1.kinit(bob, password('bob'))
- # Try some cache selections using .k5identity.
- k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w')
- k5id.write('%s realm=%s\n' % (alice, r1.realm))
--k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
-+k5id.write('%s service=ho*t host=localhost\n' % zaphod)
- k5id.write('noprinc service=bogus')
- k5id.close()
- output = r1.run(['./t_ccselect', host1])
- if output != (alice + '\n'):
- fail('alice not chosen via .k5identity realm line.')
--output = r2.run(['./t_ccselect', gssserver])
-+output = r2.run(['./t_ccselect', gsslocal])
- if output != (zaphod + '\n'):
- fail('zaphod not chosen via .k5identity service/host line.')
- output = r1.run(['./t_ccselect', refserver])
- if output != (bob + '\n'):
- fail('bob not chosen via primary cache when no .k5identity line matches.')
--r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1,
-+r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1,
- expected_msg="Can't find client principal noprinc")
-
- success('GSSAPI credential selection tests')
diff --git a/Use-krb5_timestamp-where-appropriate.patch b/Use-krb5_timestamp-where-appropriate.patch
deleted file mode 100644
index c5b4c25..0000000
--- a/Use-krb5_timestamp-where-appropriate.patch
+++ /dev/null
@@ -1,327 +0,0 @@
-From 0ae9141d53a8d9fe048542f89d17760990bd5bc4 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 17 May 2017 15:14:15 -0400
-Subject: [PATCH] Use krb5_timestamp where appropriate
-
-Where krb5_int32 is used to hold the number of seconds since the
-epoch, use krb5_timestamp instead.
-
-(cherry picked from commit ae25f6ec5558140a546db34fea389412d81c0631)
----
- src/clients/klist/klist.c | 2 +-
- src/include/k5-int.h | 2 +-
- src/kadmin/server/misc.c | 2 +-
- src/kdc/dispatch.c | 4 ++--
- src/lib/kadm5/srv/server_acl.c | 2 +-
- src/lib/kadm5/srv/server_kdb.c | 2 +-
- src/lib/kadm5/srv/svr_principal.c | 10 +++++-----
- src/lib/krb5/krb/gen_save_subkey.c | 3 ++-
- src/lib/krb5/krb/get_in_tkt.c | 2 +-
- src/lib/krb5/krb/init_ctx.c | 3 ++-
- src/lib/krb5/os/c_ustime.c | 7 +++++--
- src/lib/krb5/os/toffset.c | 3 ++-
- src/lib/krb5/os/trace.c | 3 ++-
- src/lib/krb5/os/ustime.c | 3 ++-
- src/lib/krb5/rcache/rc_dfl.c | 10 +++++-----
- src/tests/create/kdb5_mkdums.c | 2 +-
- 16 files changed, 34 insertions(+), 26 deletions(-)
-
-diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
-index ffeecc394..4334415be 100644
---- a/src/clients/klist/klist.c
-+++ b/src/clients/klist/klist.c
-@@ -56,7 +56,7 @@ int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
- int show_config = 0;
- char *defname;
- char *progname;
--krb5_int32 now;
-+krb5_timestamp now;
- unsigned int timestamp_width;
-
- krb5_context kcontext;
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 82ee20760..ed9c7bf75 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -721,7 +721,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
- const krb5_keyblock *from,
- krb5_keyblock *to);
-
--krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
-+krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
-
- /*
- * End "los-proto.h"
-diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
-index a75b65a26..ba672d714 100644
---- a/src/kadmin/server/misc.c
-+++ b/src/kadmin/server/misc.c
-@@ -159,7 +159,7 @@ kadm5_ret_t
- check_min_life(void *server_handle, krb5_principal principal,
- char *msg_ret, unsigned int msg_len)
- {
-- krb5_int32 now;
-+ krb5_timestamp now;
- kadm5_ret_t ret;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
-diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
-index 16a35d2be..4ecc23481 100644
---- a/src/kdc/dispatch.c
-+++ b/src/kdc/dispatch.c
-@@ -94,8 +94,8 @@ static void
- reseed_random(krb5_context kdc_err_context)
- {
- krb5_error_code retval;
-- krb5_int32 now, now_usec;
-- krb5_int32 usec_difference;
-+ krb5_timestamp now;
-+ krb5_int32 now_usec, usec_difference;
- krb5_data data;
-
- retval = krb5_crypto_us_timeofday(&now, &now_usec);
-diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
-index c4bb16dc7..679fc7c41 100644
---- a/src/lib/kadm5/srv/server_acl.c
-+++ b/src/lib/kadm5/srv/server_acl.c
-@@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
- restriction_t *rp;
- {
- krb5_error_code code;
-- krb5_int32 now;
-+ krb5_timestamp now;
-
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
-diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
-index 612553ba3..f4b8aef2b 100644
---- a/src/lib/kadm5/srv/server_kdb.c
-+++ b/src/lib/kadm5/srv/server_kdb.c
-@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
- krb5_db_entry *kdb, osa_princ_ent_rec *adb)
- {
- krb5_error_code ret;
-- krb5_int32 now;
-+ krb5_timestamp now;
- XDR xdrs;
- krb5_tl_data tl_data;
-
-diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
-index 137e1fb64..89f34482b 100644
---- a/src/lib/kadm5/srv/svr_principal.c
-+++ b/src/lib/kadm5/srv/svr_principal.c
-@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
- osa_princ_ent_rec adb;
- kadm5_policy_ent_rec polent;
- krb5_boolean have_polent = FALSE;
-- krb5_int32 now;
-+ krb5_timestamp now;
- krb5_tl_data *tl_data_tail;
- unsigned int ret;
- kadm5_server_handle_t handle = server_handle;
-@@ -1322,7 +1322,7 @@ kadm5_chpass_principal_3(void *server_handle,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- char *password)
- {
-- krb5_int32 now;
-+ krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- osa_princ_ent_rec adb;
- krb5_db_entry *kdb;
-@@ -1544,7 +1544,7 @@ kadm5_randkey_principal_3(void *server_handle,
- {
- krb5_db_entry *kdb;
- osa_princ_ent_rec adb;
-- krb5_int32 now;
-+ krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- int ret, last_pwd, n_new_keys;
- krb5_boolean have_pol = FALSE;
-@@ -1686,7 +1686,7 @@ kadm5_setv4key_principal(void *server_handle,
- {
- krb5_db_entry *kdb;
- osa_princ_ent_rec adb;
-- krb5_int32 now;
-+ krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- krb5_keysalt keysalt;
- int i, kvno, ret;
-@@ -1891,7 +1891,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
- {
- krb5_db_entry *kdb;
- osa_princ_ent_rec adb;
-- krb5_int32 now;
-+ krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- krb5_key_data *new_key_data = NULL;
- int i, j, ret, n_new_key_data = 0;
-diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
-index 61f36aa36..bc2c46d30 100644
---- a/src/lib/krb5/krb/gen_save_subkey.c
-+++ b/src/lib/krb5/krb/gen_save_subkey.c
-@@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context,
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
-- krb5_int32 sec, usec;
-+ krb5_timestamp sec;
-+ krb5_int32 usec;
- } rnd_data;
- krb5_data d;
- krb5_error_code retval;
-diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
-index 40aba1905..7178bd87b 100644
---- a/src/lib/krb5/krb/get_in_tkt.c
-+++ b/src/lib/krb5/krb/get_in_tkt.c
-@@ -1788,7 +1788,7 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- krb5_creds *creds)
- {
- int i;
-- krb5_int32 starttime;
-+ krb5_timestamp starttime;
- krb5_deltat lifetime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
-diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
-index cf226fdba..4246c5dd2 100644
---- a/src/lib/krb5/krb/init_ctx.c
-+++ b/src/lib/krb5/krb/init_ctx.c
-@@ -139,7 +139,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
- krb5_context ctx = 0;
- krb5_error_code retval;
- struct {
-- krb5_int32 now, now_usec;
-+ krb5_timestamp now;
-+ krb5_int32 now_usec;
- long pid;
- } seed_data;
- krb5_data seed;
-diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
-index 68fb381f4..f69f2ea4c 100644
---- a/src/lib/krb5/os/c_ustime.c
-+++ b/src/lib/krb5/os/c_ustime.c
-@@ -29,7 +29,10 @@
-
- k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
-
--struct time_now { krb5_int32 sec, usec; };
-+struct time_now {
-+ krb5_timestamp sec;
-+ krb5_int32 usec;
-+};
-
- #if defined(_WIN32)
-
-@@ -73,7 +76,7 @@ get_time_now(struct time_now *n)
- static struct time_now last_time;
-
- krb5_error_code
--krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
-+krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds)
- {
- struct time_now now;
- krb5_error_code err;
-diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
-index 37bc69f49..4bbcdde52 100644
---- a/src/lib/krb5/os/toffset.c
-+++ b/src/lib/krb5/os/toffset.c
-@@ -40,7 +40,8 @@ krb5_error_code KRB5_CALLCONV
- krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
- {
- krb5_os_context os_ctx = &context->os_context;
-- krb5_int32 sec, usec;
-+ krb5_timestamp sec;
-+ krb5_int32 usec;
- krb5_error_code retval;
-
- retval = krb5_crypto_us_timeofday(&sec, &usec);
-diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index 74c315c90..8750b7650 100644
---- a/src/lib/krb5/os/trace.c
-+++ b/src/lib/krb5/os/trace.c
-@@ -340,7 +340,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...)
- va_list ap;
- krb5_trace_info info;
- char *str = NULL, *msg = NULL;
-- krb5_int32 sec, usec;
-+ krb5_timestamp sec;
-+ krb5_int32 usec;
-
- if (context == NULL || context->trace_callback == NULL)
- return;
-diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
-index 1c1b571eb..a80fdf68c 100644
---- a/src/lib/krb5/os/ustime.c
-+++ b/src/lib/krb5/os/ustime.c
-@@ -40,7 +40,8 @@ krb5_error_code
- k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
- krb5_timestamp *time_out, krb5_int32 *usec_out)
- {
-- krb5_int32 sec, usec;
-+ krb5_timestamp sec;
-+ krb5_int32 usec;
- krb5_error_code retval;
-
- retval = krb5_crypto_us_timeofday(&sec, &usec);
-diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
-index 6b043844d..41ebf94da 100644
---- a/src/lib/krb5/rcache/rc_dfl.c
-+++ b/src/lib/krb5/rcache/rc_dfl.c
-@@ -93,7 +93,7 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t)
- }
-
- static int
--alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t)
-+alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t)
- {
- if (mytime == 0)
- return CMP_HOHUM; /* who cares? */
-@@ -129,7 +129,7 @@ struct authlist
-
- static int
- rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep,
-- krb5_int32 now, krb5_boolean fromfile)
-+ krb5_timestamp now, krb5_boolean fromfile)
- {
- struct dfl_data *t = (struct dfl_data *)id->data;
- unsigned int rephash;
-@@ -536,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id)
- krb5_error_code retval;
- long max_size;
- int expired_entries = 0;
-- krb5_int32 now;
-+ krb5_timestamp now;
-
- if ((retval = krb5_rc_io_open(context, &t->d, t->name))) {
- return retval;
-@@ -706,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep)
- {
- krb5_error_code ret;
- struct dfl_data *t;
-- krb5_int32 now;
-+ krb5_timestamp now;
-
- ret = krb5_timeofday(context, &now);
- if (ret)
-@@ -762,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
- struct authlist **qt;
- struct authlist *r;
- struct authlist *rt;
-- krb5_int32 now;
-+ krb5_timestamp now;
-
- if (krb5_timestamp(context, &now))
- now = 0;
-diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
-index 622f549f9..7c0666601 100644
---- a/src/tests/create/kdb5_mkdums.c
-+++ b/src/tests/create/kdb5_mkdums.c
-@@ -247,7 +247,7 @@ add_princ(context, str_newprinc)
-
- {
- /* Add mod princ to db entry */
-- krb5_int32 now;
-+ krb5_timestamp now;
-
- retval = krb5_timeofday(context, &now);
- if (retval) {
diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch
deleted file mode 100644
index c96aeb5..0000000
--- a/Use-the-canonical-client-principal-name-for-OTP.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 7998de0b9ccd0c8813159cc3f1d49fe107e3e0ba Mon Sep 17 00:00:00 2001
-From: Matt Rogers <mrogers@redhat.com>
-Date: Wed, 5 Apr 2017 16:48:55 -0400
-Subject: [PATCH] Use the canonical client principal name for OTP
-
-In the OTP module, when constructing the RADIUS request, use the
-canonicalized client principal (using the new client_name kdcpreauth
-callback) instead of the request client principal.
-
-ticket: 8571 (new)
----
- src/plugins/preauth/otp/main.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
-index 2649e9a90..a1b681682 100644
---- a/src/plugins/preauth/otp/main.c
-+++ b/src/plugins/preauth/otp/main.c
-@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
-
- /* Send the request. */
- otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
-- request->client, config, req, on_response, rs);
-+ cb->client_name(context, rock), config, req, on_response,
-+ rs);
- cb->free_string(context, rock, config);
-
- k5_free_pa_otp_req(context, req);
diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch
index e68fb05..92f3dab 100644
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@@ -1,4 +1,4 @@
-From fb8f32ebdf3293d8a6bdb9478fe1f902a399ba7a Mon Sep 17 00:00:00 2001
+From 3e94cf1accf2b33bd0c8cf54eb58b4777f411cc6 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:52:01 -0400
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch
index ad93b8a..9c4cf0e 100644
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@@ -1,4 +1,4 @@
-From 9c45f66fbc6afb472589dbeb5166f46ad266d319 Mon Sep 17 00:00:00 2001
+From 9e7e92ae1dcd242044f2dfe3b89926ddddb6a221 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:57 -0400
Subject: [PATCH] krb5-1.11-run_user_0.patch
diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch
index c5bc2e5..0b8ec6f 100644
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@@ -1,4 +1,4 @@
-From 107a2b8728f1b76feb16df9201919444482e3981 Mon Sep 17 00:00:00 2001
+From 9a6cfaaecd1a37e74dba285decd03bb4a3382f9a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:00 -0400
Subject: [PATCH] krb5-1.12-api.patch
diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch
index 7f92b1d..43178b9 100644
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@@ -1,4 +1,4 @@
-From 93b86d94b871aed49b14d7fc1a2a9f23c16cbe0f Mon Sep 17 00:00:00 2001
+From 7b3bdbc0ca882325291caad391c4d328f174a614 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:32:09 -0400
Subject: [PATCH] krb5-1.12-ksu-path.patch
diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch
index a941082..24135fd 100644
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@@ -1,4 +1,4 @@
-From efee9f8598ba84f2be0983fc1d07a9a72d0ff1b7 Mon Sep 17 00:00:00 2001
+From 1ede8564105568182e3cf6f273ab820453e2f025 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:33:53 -0400
Subject: [PATCH] krb5-1.12-ktany.patch
diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch
index 5372fb4..c56606f 100644
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@@ -1,4 +1,4 @@
-From e0924e10dd431a898c9c95faa04b51edbe59c5ef Mon Sep 17 00:00:00 2001
+From 385194db1a08c1b923f9eb75e9602b56720fd50e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH] krb5-1.12.1-pam.patch
@@ -28,10 +28,10 @@ changes we're proposing for how it handles cache collections.
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 9c46da4b5..508e5fe90 100644
+index d6d1279c3..5c9c13e5f 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
-@@ -1675,3 +1675,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
+@@ -1696,3 +1696,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@@ -141,7 +141,7 @@ index b2fcbf240..5755bb58a 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 28342c2d7..cab0c1806 100644
+index 7ff676ca7..c6321c01b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@@ -756,10 +756,10 @@ index 000000000..0ab76569c
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.in b/src/configure.in
-index 037c9f316..daabd12c8 100644
+index 10f45eb12..7288a71ec 100644
--- a/src/configure.in
+++ b/src/configure.in
-@@ -1336,6 +1336,8 @@ AC_SUBST([VERTO_VERSION])
+@@ -1306,6 +1306,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch
index 9b0178c..47716dc 100644
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@@ -1,4 +1,4 @@
-From f2df0b75dfbc9796bf8e1477f4661dfb7cdcf8d4 Mon Sep 17 00:00:00 2001
+From 850689009f9aeddc0b63051a3e2883d02b05387e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:47:44 -0400
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
@@ -12,10 +12,10 @@ original version filed as RT#5891.
3 files changed, 29 insertions(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index f5667c35f..2bfb99496 100644
+index 5eeaa2d8a..1fd243094 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
-@@ -1656,6 +1656,15 @@ if test "$with_ldap" = yes; then
+@@ -1677,6 +1677,15 @@ if test "$with_ldap" = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes
fi
@@ -32,10 +32,10 @@ index f5667c35f..2bfb99496 100644
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-index 32efc4f54..af8b2db7b 100644
+index 5b9d1e9fa..4e7270065 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
-@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
+@@ -1652,6 +1652,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch
index 276c254..b0024ec 100644
--- a/krb5-1.15-beta1-buildconf.patch
+++ b/krb5-1.15-beta1-buildconf.patch
@@ -1,4 +1,4 @@
-From ae5bb11c0f06fdf92f51d237e94c1d410c59aa04 Mon Sep 17 00:00:00 2001
+From 285eaffa69e9c2ff7f0adf017d192b5e7afb7002 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
@@ -33,7 +33,7 @@ index c17cb5eb5..1891dea99 100755
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
diff --git a/src/config/pre.in b/src/config/pre.in
-index fcea229bd..d961b5621 100644
+index d4714d29a..03f5c8890 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch
index 2590f8e..475f74d 100644
--- a/krb5-1.15.1-selinux-label.patch
+++ b/krb5-1.15.1-selinux-label.patch
@@ -1,4 +1,4 @@
-From aaf74b66a51cbda90ba40f73eb8def9b192ab262 Mon Sep 17 00:00:00 2001
+From d38588a165302d915eb6b4da0c2755601547bcd1 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH] krb5-1.15.1-selinux-label.patch
@@ -66,7 +66,7 @@ which we used earlier, is some improvement.
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 508e5fe90..607859f17 100644
+index 5c9c13e5f..6257dba40 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
@@ -77,7 +77,7 @@ index 508e5fe90..607859f17 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
-@@ -1742,3 +1743,51 @@ AC_SUBST(PAM_LIBS)
+@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@@ -151,7 +151,7 @@ index f6184da3f..c17cb5eb5 100755
echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in
-index e0626320c..fcea229bd 100644
+index 3f267eb1f..d4714d29a 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
@@ -170,12 +170,12 @@ index e0626320c..fcea229bd 100644
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
- # needs fixing if ever used on Mac OS X!
+ # needs fixing if ever used on macOS!
diff --git a/src/configure.in b/src/configure.in
-index daabd12c8..acf3a458b 100644
+index 7288a71ec..2b6d5baa7 100644
--- a/src/configure.in
+++ b/src/configure.in
-@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
+@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@@ -185,7 +185,7 @@ index daabd12c8..acf3a458b 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 64991738a..173cb0264 100644
+index e1b1cb040..9378ae047 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
@@ -235,7 +235,7 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index ac22f4c55..cf60d6c41 100644
+index c86e78274..e81bb0a6d 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@@ -252,7 +252,7 @@ index ac22f4c55..cf60d6c41 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index f7889bd23..cad53cfbf 100644
+index aca136f0b..22e926ae4 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@@ -287,10 +287,10 @@ index f7889bd23..cad53cfbf 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
diff --git a/src/kdc/main.c b/src/kdc/main.c
-index ebc852bba..a4dffb29a 100644
+index f2226da25..ccac3a759 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
-@@ -872,7 +872,7 @@ write_pid_file(const char *path)
+@@ -873,7 +873,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@@ -385,10 +385,10 @@ index bba64e516..73f0fe62d 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index 6a42f267d..674d88bab 100644
+index 091f2c43f..ecc97ee2f 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
-@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
+@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@@ -406,10 +406,10 @@ index 6a42f267d..674d88bab 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index 83c8d4db8..a19246128 100644
+index e97ce5fe5..779f184cb 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
-@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
+@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
@@ -419,10 +419,10 @@ index 83c8d4db8..a19246128 100644
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
-index c4d2c744d..c0f12ed9d 100644
+index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
-@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
@@ -432,7 +432,7 @@ index c4d2c744d..c0f12ed9d 100644
if (! t->recovering) {
name = t->name;
-@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
@@ -464,7 +464,7 @@ index 7db30a33b..2b9d01921 100644
* maybe someone took away write permission so we could only
* get shared locks?
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
-index 4c4036eb4..d90bdeaba 100644
+index d23587a59..e2825650b 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
@@ -500,7 +500,7 @@ index 2977b17f3..d5809a5a9 100644
} else {
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
-index 76f5d4709..1fa8b8389 100644
+index 862dbb164..686a960c9 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
@@ -511,7 +511,7 @@ index 76f5d4709..1fa8b8389 100644
#include "db-int.h"
#include "hash.h"
#include "page.h"
-@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
+@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1;
}
if (file) {
@@ -580,10 +580,10 @@ index 022156a5e..3d6994c67 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
-index 056c31a42..b78c3d9e5 100644
+index d621f108f..99676cc97 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
-@@ -464,6 +464,9 @@ doit(int fd)
+@@ -488,6 +488,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
@@ -593,7 +593,7 @@ index 056c31a42..b78c3d9e5 100644
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
-@@ -520,9 +523,15 @@ doit(int fd)
+@@ -543,9 +546,15 @@ doit(int fd)
free(name);
exit(1);
}
@@ -631,7 +631,7 @@ index 907c119bb..0f5462aea 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-index 6239e4176..17bcd2a67 100644
+index 0bf0b7a87..58ac2e333 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
@@ -642,7 +642,7 @@ index 6239e4176..17bcd2a67 100644
init-addrinfo.o \
plugins.o \
errors.o \
-@@ -148,7 +149,7 @@ SRCS=\
+@@ -149,7 +150,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch
index 766226f..c50f1df 100644
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@@ -1,4 +1,4 @@
-From 1b95f8a488d1e70bf7698c8b49412306a1b8aba0 Mon Sep 17 00:00:00 2001
+From 4bc124bfff119d436eeb1af7b9d5726e17284d67 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:46:21 -0400
Subject: [PATCH] krb5-1.3.1-dns.patch
@@ -9,10 +9,10 @@ We want to be able to use --with-netlib and --enable-dns at the same time.
1 file changed, 1 insertion(+)
diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 607859f17..f5667c35f 100644
+index 6257dba40..5eeaa2d8a 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
-@@ -703,6 +703,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
+@@ -726,6 +726,7 @@ AC_HELP_STRING([--with-netlib=LIBS], use user defined resolver library),
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi
diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch
index d3d0080..57a8b32 100644
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@@ -1,4 +1,4 @@
-From e1d7fcf9713fe322ad5740045650dac86427e6ae Mon Sep 17 00:00:00 2001
+From 82f8b63ae3955423456adf15790c10eb1145ec52 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:49:25 -0400
Subject: [PATCH] krb5-1.9-debuginfo.patch
diff --git a/krb5.spec b/krb5.spec
index df62457..53c3d25 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -9,21 +9,21 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
# leave empty or set to e.g., -beta2
-%global prerelease %{nil}
+%global prerelease -beta1
# Should be in form 5.0, 6.1, etc.
%global kdbversion 6.1
Summary: The Kerberos network authentication system
Name: krb5
-Version: 1.15.2
-# for prerelease, should be e.g., 0.3.beta2% { ?dist } (without spaces)
-Release: 2%{?dist}
+Version: 1.16
+# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
+Release: 0.beta1.1%{?dist}
# lookaside-cached sources; two downloads and a build artifact
-Source0: https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}%{prerelease}.tar.gz
+Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
# rharwood has trust path to signing key and verifies on check-in
-Source1: https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}%{prerelease}.tar.gz.asc
+Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz.asc
# This source is generated during the build because it is documentation.
# To override this behavior (e.g., new upstream version), do:
# tar cfT krb5-1.15.2-pdfs.tar /dev/null
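Review bot: The reworded comment above `Release:` now suggests `0.% {prerelease}.1`, but `prerelease` is set a few lines earlier to `-beta1`, so following it literally would produce `0.-beta1.1`, and a hyphen is not allowed in an RPM Release; the line itself correctly hard-codes `0.beta1.1`. I would word the comment as `# for prerelease, should be e.g., 0.beta1.1% { ?dist } (without spaces; the prerelease macro carries a leading hyphen, so spell the tag out)`. The context line `# tar cfT krb5-1.15.2-pdfs.tar /dev/null` is also stale now that the tarball name includes the prerelease suffix: it should read `# tar cfT krb5-1.16-beta1-pdfs.tar /dev/null`, matching the new entry in `sources`, and the comment `# new krb5-%{version}-pdf` in the later `tar -cf` hunk has the same gap. Separately, the Source1 `.asc` is verified by hand according to the comment, and nothing in the visible hunks checks it at build time, so the SHA512 values in `sources` are what actually pins this prerelease tarball.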
@@ -60,38 +60,7 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
Patch34: krb5-1.9-debuginfo.patch
Patch35: krb5-1.11-run_user_0.patch
Patch36: krb5-1.11-kpasswdtest.patch
-Patch37: Build-with-Werror-implicit-int-where-supported.patch
-Patch38: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
-Patch39: Add-test-case-for-PKINIT-DH-renegotiation.patch
-Patch40: Use-expected_trace-in-test-scripts.patch
-Patch41: Use-expected_msg-in-test-scripts.patch
-Patch42: Use-fallback-realm-for-GSSAPI-ccache-selection.patch
Patch43: Use-GSSAPI-fallback-skiptest.patch
-Patch44: Improve-PKINIT-UPN-SAN-matching.patch
-Patch45: Add-test-cert-generation-to-make-certs.sh.patch
-Patch46: Deindent-crypto_retrieve_X509_sans.patch
-Patch47: Add-the-client_name-kdcpreauth-callback.patch
-Patch48: Use-the-canonical-client-principal-name-for-OTP.patch
-Patch49: Add-certauth-pluggable-interface.patch
-Patch50: Correct-error-handling-bug-in-prior-commit.patch
-Patch51: Add-k5test-expected_msg-expected_trace.patch
-Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch
-Patch55: Remove-incomplete-PKINIT-OCSP-support.patch
-Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
-Patch58: Add-timestamp-helper-functions.patch
-Patch59: Make-timestamp-manipulations-y2038-safe.patch
-Patch60: Add-timestamp-tests.patch
-Patch61: Add-y2038-documentation.patch
-Patch62: Fix-more-time-manipulations-for-y2038.patch
-Patch63: Use-krb5_timestamp-where-appropriate.patch
-Patch64: Add-KDC-policy-pluggable-interface.patch
-Patch65: Fix-bugs-in-kdcpolicy-commit.patch
-Patch66: Convert-some-pkiDebug-messages-to-TRACE-macros.patch
-Patch67: Fix-certauth-built-in-module-returns.patch
-Patch68: Add-test-cert-with-no-extensions.patch
-Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch
-Patch70: Add-hostname-based-ccselect-module.patch
-Patch71: Add-German-translation.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -381,7 +350,7 @@ for pdf in admin appdev basic build plugindev user ; do
test -s build-pdf/$pdf.pdf || make -C build-pdf
done
# new krb5-%{version}-pdf
-tar -cf "krb5-%{version}-pdfs.tar.new" build-pdf/*.pdf
+tar -cf "krb5-%{version}%{prerelease}-pdfs.tar.new" build-pdf/*.pdf
# We need to cut off any access to locally-running nameservers, too.
%{__cc} -fPIC -shared -o noport.so -Wall -Wextra $RPM_SOURCE_DIR/noport.c
@@ -745,6 +714,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Thu Oct 05 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.1
+- New upstream prerelease (1.16-beta1)
+
* Thu Sep 28 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.2-2
- Add German translation
diff --git a/sources b/sources
index a72430d..d5f6442 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (krb5-1.15.2-pdfs.tar) = 5875efde7ed88dcccd6f624a5252c5c70844fe94015ce4acfdf7f6ccabf52c86965c5a661b161c73e37b46e51aa5e9ea19602ab32e8b50682ecb0a450f0553b6
-SHA512 (krb5-1.15.2.tar.gz) = e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2
-SHA512 (krb5-1.15.2.tar.gz.asc) = 37cee442de29229fa821539c3f1724eb4d37fa9ce5eee644869a7311c8fe10218dac36da3a5297d45168d8fb1ad64dbd614f10d3384d54e4070e56e7fe8a1e63
+SHA512 (krb5-1.16-beta1-pdfs.tar) = 79329b7978101723a5c9f55773ac69bd1986c716e6d8b4cd42cbf17a8e85cd49f13b376e0b4b0ccca485b5a5a79d6bce8ace0c22df79b6f0a47a74c387f83ffd
+SHA512 (krb5-1.16-beta1.tar.gz) = 68dba5212d2dd28ed0bc4961931af8d291bcdf2805baa4e930b0218f7749dc1e4dfe696aacca0529787f274b99fe5a8297f3e13877f724ee983483b399daf2c9
+SHA512 (krb5-1.16-beta1.tar.gz.asc) = 342272496897b4a4452d73186b7d19bbc3155e38fe39e0e852e03ce4757a3284baefbb1c49653e53d36e96ab587a7acb718e14c8281ccca85cb0de4c7d0b730e