author Greg Hudson <ghudson@mit.edu> 2012-03-04 00:38:48 +0000
committer Greg Hudson <ghudson@mit.edu> 2012-03-04 00:38:48 +0000
commit f938afd6b6f61a96a0aa72c57a280aa721566fe6
tree 2730b993561ed9c8c884d7b8cf78c955485fcd94
parent 8a42038eaf80bd1da88d909a5196157ae41973b9
Remove admin_keytab references in code and docs
The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- doc/admin.texinfo 5
-rw-r--r-- doc/rst_source/krb_admins/admin_commands/kadmind.rst 14
-rw-r--r-- doc/rst_source/krb_admins/conf_files/kdc_conf.rst 6
-rw-r--r-- doc/rst_source/krb_admins/install_kdc.rst 3
-rw-r--r-- src/config-files/kdc.conf 1
-rw-r--r-- src/config-files/kdc.conf.M 7
-rw-r--r-- src/include/k5-int.h 1
-rw-r--r-- src/kadmin/server/kadmind.M 24
-rw-r--r-- src/kadmin/testing/proto/kdc.conf.proto 1
-rw-r--r-- src/kadmin/testing/tcl/util.t 2
-rw-r--r-- src/kadmin/testing/util/tcl_kadm5.c 7
-rw-r--r-- src/lib/kadm5/admin.h 3
-rw-r--r-- src/lib/kadm5/alt_prof.c 12
-rw-r--r-- src/lib/kadm5/clnt/client_init.c 3
-rw-r--r-- src/man/kadmind.8 11
-rw-r--r-- src/man/kdc.conf.5 4
-rwxr-xr-x src/tests/kdc_realm/input_conf/kdc_pri_template.conf 1
-rwxr-xr-x src/tests/kdc_realm/input_conf/kdc_ref_template.conf 1
-rw-r--r-- src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf 1
19 files changed, 4 insertions, 103 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index cf39f187ce..33a53e156f 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -1635,11 +1635,6 @@ subsection:
uses to determine which principals are allowed which permissions on the
database. The default is @code{@value{DefaultAclFile}}.
-@itemx admin_keytab
-(String.) Location of the keytab file that the legacy administration
-daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
-the database. The default is @code{@value{DefaultAdminKeytab}}.
-
@itemx default_principal_expiration
(Absolute time string.) Specifies the default expiration date of
principals created in this realm. The default value for this tag is
diff --git a/doc/rst_source/krb_admins/admin_commands/kadmind.rst b/doc/rst_source/krb_admins/admin_commands/kadmind.rst
index 9554a6f535..6228f1601a 100644
--- a/doc/rst_source/krb_admins/admin_commands/kadmind.rst
+++ b/doc/rst_source/krb_admins/admin_commands/kadmind.rst
@@ -36,14 +36,6 @@ for it to work:
some of which are optional. See the CONFIGURATION VALUES section
below.
-keytab
- kadmind requires a keytab containing correct entries for the
- ``kadmin/admin`` and ``kadmin/changepw`` principals for every
- realm that kadmind will answer requests for. The keytab can be
- created with the :ref:`kadmin(1)` client. The location of the
- keytab is determined by the **admin_keytab** configuration
- variable (see CONFIGURATION VALUES).
-
ACL file
kadmind's ACL (access control list) tells it which principals are
allowed to perform KADM5 administration actions. The path of the
@@ -137,12 +129,6 @@ understands the following relations, all of which should appear in the
**acl_file**
The path of kadmind's ACL file. **Mandatory**. No default.
-**admin_keytab**
- The name of the keytab containing entries for the principals
- ``kadmin/admin`` and ``kadmin/changepw`` in each realm that
- kadmind will serve. The default is the value of the KRB5_KTNAME
- environment variable, if defined. **Mandatory**.
-
**dict_file**
The path of kadmind's password dictionary. A principal with any
password policy will not be allowed to select any password in the
diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst
index 40d29b06d3..013e8b3ecb 100644
--- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst
+++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst
@@ -97,12 +97,6 @@ subsection:
which permissions on the database. The default is
``/usr/local/var/krb5kdc/kadm5.acl``.
-**admin_keytab**
- (String.) Location of the keytab file that the legacy
- administration daemons kadmind4 and v5passwdd use to authenticate
- to the database. The default is
- ``/usr/local/var/krb5kdc/kadm5.keytab``.
-
**database_name**
This string specifies the location of the Kerberos database for
this realm.
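Review bot: Deleting the **admin_keytab** entry outright leaves an administrator who still has that relation in kdc.conf with nothing to explain what it does now; every sample and template kdc.conf touched by this patch carried the line, so deployed files are likely to as well. Consider leaving a one-line entry here stating that admin_keytab is no longer used and can be removed from existing configurations.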
diff --git a/doc/rst_source/krb_admins/install_kdc.rst b/doc/rst_source/krb_admins/install_kdc.rst
index 65580da748..634c82aa12 100644
--- a/doc/rst_source/krb_admins/install_kdc.rst
+++ b/doc/rst_source/krb_admins/install_kdc.rst
@@ -126,7 +126,6 @@ An example kdc.conf file::
# explicitly configure the following four values:
# database_name = /var/krb5kdc/principal
# key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
- # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
# acl_file = /var/krb5kdc/kadm5.acl
}
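Review bot: The comment kept as context at the top of this example still says "explicitly configure the following four values", but once the admin_keytab line is removed only three values follow it (database_name, key_stash_file, acl_file). Change "four" to "three" in this hunk so the sample kdc.conf stays consistent with itself.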
@@ -142,7 +141,7 @@ your Kerberos realm and server respectively.
.. note:: You have to have write permission on the target directories
(these directories must exist) used by **database_name**,
- **key_stash_file**, **admin_keytab**, and **acl_file**.
+ **key_stash_file**, and **acl_file**.
.. _create_db:
diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf
index 3355699ff8..b17f3aaf99 100644
--- a/src/config-files/kdc.conf
+++ b/src/config-files/kdc.conf
@@ -4,7 +4,6 @@
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
- admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kdc_ports = 750,88
diff --git a/src/config-files/kdc.conf.M b/src/config-files/kdc.conf.M
index b47c25168f..5e2e6506ed 100644
--- a/src/config-files/kdc.conf.M
+++ b/src/config-files/kdc.conf.M
@@ -94,13 +94,6 @@ specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
-.IP admin_keytab
-This
-.B string
-Specifies the location of the keytab file that kadmin uses to
-authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
-
.IP database_name
This
.B string
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 21228babbf..7ef421d2d9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -185,7 +185,6 @@ typedef INT64_TYPE krb5_int64;
/* cofiguration variables */
#define KRB5_CONF_ACL_FILE "acl_file"
-#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M
index d54b7c2151..83c67ec3eb 100644
--- a/src/kadmin/server/kadmind.M
+++ b/src/kadmin/server/kadmind.M
@@ -32,19 +32,6 @@ understands a number of variable settings in this file, some of which are
mandatory and some of which are optional. See the CONFIGURATION VALUES
section below.
.TP
-keytab
-.B Kadmind
-requires a keytab containing correct entries for the
-.I kadmin/admin
-and
-.I kadmin/changepw
-principals for every realm that kadmind will answer requests for. The
-keytab can be created with the
-.IR kadmin (8)
-client. The location of the keytab is determined by the
-.I admin_keytab
-configuration variable (see CONFIGURATION VALUES).
-.TP
ACL file
.BR Kadmind 's
ACL (access control list) tells it which principals are allowed to
@@ -145,17 +132,6 @@ The path of kadmind's password dictionary. A principal with any
password policy will not be allowed to select any password in the
dictionary. Optional. No default.
.TP
-admin_keytab
-The name of the keytab containing entries for the principals
-.I kadmin/admin
-and
-.I kadmin/changepw
-in each realm that
-.B kadmind
-will serve. The default is the value of the
-.SM KRB5_KTNAME
-environment variable, if defined. Mandatory.
-.TP
kadmind_port
The
.SM TCP
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 6f9edeb5b3..943270d98f 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -5,7 +5,6 @@
__REALM__ = {
profile = __K5ROOT__/krb5.conf
database_name = __K5ROOT__/kdb5
- admin_keytab = __K5ROOT__/ovsec_adm.srvtab
key_stash_file = __K5ROOT__/.k5.__REALM__
acl_file = __K5ROOT__/ovsec_adm.acl
dict_file = __K5ROOT__/ovsec_adm.dict
diff --git a/src/kadmin/testing/tcl/util.t b/src/kadmin/testing/tcl/util.t
index 7721609902..6751f89e63 100644
--- a/src/kadmin/testing/tcl/util.t
+++ b/src/kadmin/testing/tcl/util.t
@@ -29,8 +29,6 @@ proc config_params {masks values} {
"KADM5_CONFIG_ADBNAME" {set params [lreplace $params 5 5 $value]}
"KADM5_CONFIG_ADB_LOCKFILE" {
set params [lreplace $params 6 6 $value]}
- "KADM5_CONFIG_ADMIN_KEYTAB" {
- set params [lreplace $params 7 7 $value]}
"KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 8 8 $value]}
"KADM5_CONFIG_DICT_FILE" {
set params [lreplace $params 9 9 $value]}
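Review bot: With the KADM5_CONFIG_ADMIN_KEYTAB arm removed, nothing in this switch writes slot 7 of params, while the acl_file and dict_file arms keep indices 8 and 9. A short comment at this position saying that index 7 is intentionally unused, matching the "Ignore argv[7]" comment added in tcl_kadm5.c, would keep a later cleanup from renumbering the list and desynchronising the Tcl and C sides.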
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index b33cf0a0fa..0d9c7f11d7 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -86,7 +86,6 @@ static struct flagval config_mask_flags[] = {
{"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE},
{"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION},
{"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS},
- {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB},
{"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE},
{"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE},
{"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME},
@@ -1033,11 +1032,7 @@ static int parse_config_params(Tcl_Interp *interp, char *list,
}
/* Ignore argv[5], which used to set the admin_dbname field. */
/* Ignore argv[6], which used to set the admin_lockfile field. */
- if ((retcode = parse_str(interp, argv[7], &params->admin_keytab)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing admin_keytab name");
- retcode = TCL_ERROR;
- goto finished;
- }
+ /* Ignore argv[7], which used to set the admin_keytab field. */
if ((retcode = parse_str(interp, argv[8], &params->acl_file)) != TCL_OK) {
Tcl_AppendElement(interp, "while parsing acl_file name");
retcode = TCL_ERROR;
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index d1a76f737d..4ce56c6261 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -134,7 +134,7 @@ typedef long kadm5_ret_t;
#define KADM5_CONFIG_MAX_RLIFE 0x00000010
#define KADM5_CONFIG_EXPIRATION 0x00000020
#define KADM5_CONFIG_FLAGS 0x00000040
-#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080
+/*#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080*/
#define KADM5_CONFIG_STASH_FILE 0x00000100
#define KADM5_CONFIG_ENCTYPE 0x00000200
#define KADM5_CONFIG_ADBNAME 0x00000400
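Review bot: Commenting the define out instead of deleting it leaves the gap at 0x00000080 unexplained to the next reader of the mask list. Replace the commented-out line with a plain comment stating that the bit was formerly KADM5_CONFIG_ADMIN_KEYTAB and is retired, so a later change does not assign 0x00000080 to a new flag while older callers may still set it.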
@@ -240,7 +240,6 @@ typedef struct _kadm5_config_params {
file. */
char * dbname;
- char * admin_keytab;
char * acl_file;
char * dict_file;
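Review bot: Removing char *admin_keytab from the middle of struct _kadm5_config_params shifts every member declared after it (acl_file, dict_file and onward), so a program compiled against the previous admin.h would hand the library a structure that it now reads at the wrong offsets. If this header is consumed outside the tree, the commit should either carry a matching struct or library version bump or keep a placeholder member at this position; please state which applies.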
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 35f078e1ac..f182ce6439 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -616,17 +616,6 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME,
DEFAULT_KDB_FILE);
- /* Get the value for the admin (policy) database lock file*/
- if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB,
- KRB5_CONF_ADMIN_KEYTAB, NULL)) {
- const char *s = getenv("KRB5_KTNAME");
- if (s == NULL)
- s = DEFAULT_KADM5_KEYTAB;
- params.admin_keytab = strdup(s);
- if (params.admin_keytab)
- params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
- }
-
/* Get the name of the acl file */
GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE,
DEFAULT_KADM5_ACL_FILE);
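Review bot: The block removed here is the only use of DEFAULT_KADM5_KEYTAB shown in this patch, and none of the 19 changed files removes that macro's definition. Check whether DEFAULT_KADM5_KEYTAB has any remaining users and drop the definition if it does not, so the old default keytab path does not linger as dead configuration. The same applies to the KRB5_KTNAME fallback for this parameter, which the removed documentation described and which disappears with this block.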
@@ -862,7 +851,6 @@ kadm5_free_config_params(context, params)
free(params->stash_file);
free(params->keysalts);
free(params->admin_server);
- free(params->admin_keytab);
free(params->dict_file);
free(params->acl_file);
free(params->realm);
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index a1d20fb7e0..a8abebfcfb 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -236,8 +236,7 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \
KADM5_CONFIG_ADB_LOCKFILE | \
KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \
- | KADM5_CONFIG_ADMIN_KEYTAB | \
- KADM5_CONFIG_STASH_FILE | \
+ | KADM5_CONFIG_STASH_FILE | \
KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \
| KADM5_CONFIG_MAX_LIFE | \
KADM5_CONFIG_MAX_RLIFE | \
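Review bot: Dropping KADM5_CONFIG_ADMIN_KEYTAB from ILLEGAL_PARAMS means bit 0x00000080 is no longer in the set of mask bits this macro names as illegal for a client, so a stale caller that still sets it stops being flagged. Because admin.h only comments the define out and the value stays unassigned, consider keeping the literal 0x00000080 in ILLEGAL_PARAMS with a comment, so such callers continue to fail visibly rather than being accepted silently.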
diff --git a/src/man/kadmind.8 b/src/man/kadmind.8
index b4eade4ef2..5f622d2452 100644
--- a/src/man/kadmind.8
+++ b/src/man/kadmind.8
@@ -49,12 +49,6 @@ The KDC configuration file contains configuration information for the KDC and th
of variable settings in this file, some of which are mandatory and some of which are optional.
See the CONFIGURATION VALUES section below.
.TP
-.B \fIkeytab\fP
-.sp
-Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that
-\fIkadmind\fP will answer requests for. The keytab can be created with the kadmin(8) client.
-The location of the keytab is determined by the \fIadmin_keytab\fP configuration variable (see CONFIGURATION VALUES).
-.TP
.B \fIACL\fP file
.sp
\fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions.
@@ -146,11 +140,6 @@ all of which should appear in the [realms] section:
.sp
The path of \fIkadmind\fP\(aqs \fIACL\fP file. \fBMandatory\fP. No default.
.TP
-.B \fBadmin_keytab\fP
-.sp
-The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that \fIkadmind\fP will
-serve. The default is the value of the KRB5_KTNAME environment variable, if defined. \fBMandatory\fP.
-.TP
.B \fBdict_file\fP
.sp
The path of \fIkadmind\fP\(aqs password dictionary. A principal with any password policy will not be allowed to select any password in
diff --git a/src/man/kdc.conf.5 b/src/man/kdc.conf.5
index 7f7668431f..49f300773d 100644
--- a/src/man/kdc.conf.5
+++ b/src/man/kdc.conf.5
@@ -101,10 +101,6 @@ For each realm, the following tags may be specified in the [realms] subsection:
.sp
(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP.
.TP
-.B \fBadmin_keytab\fP
-.sp
-(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is \fI/usr/local/var/krb5kdc/kadm5.keytab\fP.
-.TP
.B \fBdatabase_name\fP
.sp
This string specifies the location of the Kerberos database for this realm.
diff --git a/src/tests/kdc_realm/input_conf/kdc_pri_template.conf b/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
index 31b2f9232f..2867607179 100755
--- a/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
+++ b/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
@@ -4,7 +4,6 @@
[realms]
Y.COM = {
database_name = %(tier2)s/principal
- admin_keytab = FILE:%(tier2)s/kadm5.keytab
acl_file = %(tier2)s/kadm5.acl
key_stash_file = %(tier2)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7777
diff --git a/src/tests/kdc_realm/input_conf/kdc_ref_template.conf b/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
index 819713c187..fc51010597 100755
--- a/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
+++ b/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
@@ -4,7 +4,6 @@
[realms]
Z.COM = {
database_name = %(tier1)s/principal
- admin_keytab = FILE:%(tier1)s/kadm5.keytab
acl_file = %(tier1)s/kadm5.acl
key_stash_file = %(tier1)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7778
diff --git a/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
index 94a82a7528..559eabff0e 100644
--- a/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
+++ b/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
@@ -6,7 +6,6 @@
database_name = %(sandir)s/krb5kdc/principal
acl_file = %(sandir)s/kadm5.acl
key_stash_file = %(sandir)s/krb5kdc/.k5.EXAMPLE.ORG
- admin_keytab = FILE:%(sandir)s/krb5kdc/kadm5.keytab
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886