krb5.git/doc/admin/conf_files, branch keyring MIT Kerberos patches Clarify realm and dbmodules configuration docs 2013-11-06T19:58:03+00:00 Greg Hudson ghudson@mit.edu 2013-11-06T18:33:04+00:00 689d769c10c53bd4fa40e82421c89b96cc86cbae In kdc_conf.rst, add examples showing how to configure a realm parameter and a database parameter. Document that the default DB configuration section is the realm name, and use that in the example. Move the db_module_dir description to the end of the [dbmodules] documentation since it is rarely used and could confuse a reader about the usual structure of the section. ticket: 7759 (new) target_version: 1.12 tags: pullup 
In kdc_conf.rst, add examples showing how to configure a realm
parameter and a database parameter.  Document that the default DB
configuration section is the realm name, and use that in the example.
Move the db_module_dir description to the end of the [dbmodules]
documentation since it is rarely used and could confuse a reader about
the usual structure of the section.

ticket: 7759 (new)
target_version: 1.12
tags: pullup
Add a flag to prevent all host canonicalization 2013-09-06T05:02:28+00:00 Greg Hudson ghudson@mit.edu 2013-09-05T22:30:02+00:00 60edb321af64081e3eb597da0256faf117c9c441 If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups. ticket: 7703 (new) 
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.

ticket: 7703 (new)
Omit signedpath if no_auth_data_required is set 2013-08-20T04:25:02+00:00 Greg Hudson ghudson@mit.edu 2013-08-20T00:01:03+00:00 eaaf406f5ab3224fc262da300476efa21b407bed The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation. ticket: 7697 (new) 
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them.  Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.

ticket: 7697 (new)
Document hostrealm interface 2013-08-15T16:39:58+00:00 Greg Hudson ghudson@mit.edu 2013-08-07T19:48:36+00:00 2721a662a3d88601bff991599928c1566be7485a ticket: 7687 
ticket: 7687
Remove redundant domain_realm mappings 2013-08-12T19:28:07+00:00 Ben Kaduk kaduk@mit.edu 2013-08-12T17:47:42+00:00 8f5ce824012f2caab6770df464f096c38dc4cb2e This fixes a long-standing documentation bug where we claimed that a domain_realm mapping for a host name would not affect entries under that domain name. The code has always had the behavior where a host name mapping implies the corresponding domain name mapping, since the 1.0 release. While here, replace media-lab with csail in example files, as the media lab realm is no longer in use. Also strip port 88 from KDC specifications, and drop the harmful default_{tgs,tkt}_enctypes lines from src/util/profile/krb5.conf. Further cleanup on these files to remove defunct realms may be in order. ticket: 7690 (new) tags: pullup target_version: 1.11.4 
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name.  The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.

While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use.  Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.

Further cleanup on these files to remove defunct realms may be in order.

ticket: 7690 (new)
tags: pullup
target_version: 1.11.4
Add server-side otp preauth plugin 2013-07-11T18:14:34+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-04-03T16:38:05+00:00 4b5dd8bcfb10af254fb9efbe4cf39befe5b1e6ac This plugin implements the proposal for providing OTP support by proxying requests to RADIUS. Details can be found inside the provided documentation as well as on the project page. http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS ticket: 7678 
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.

http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS

ticket: 7678
Document dict_file format 2013-07-01T16:07:39+00:00 Greg Hudson ghudson@mit.edu 2013-07-01T16:07:39+00:00 0f0943fb630b8487235c1124cd92cc697af0ac72 Briefly describe the format of the kadmin dictionary file in kdc_conf.rst. 
Briefly describe the format of the kadmin dictionary file in
kdc_conf.rst.
Rely on module ordering for localauth 2013-06-27T06:00:51+00:00 Greg Hudson ghudson@mit.edu 2013-06-14T05:55:27+00:00 a6765ca3fa82fa9ac8045fb583d168c542b19585 Register built-in localauth modules in the order we want them used by default, and document accordingly. ticket: 7665 
Register built-in localauth modules in the order we want them used by
default, and document accordingly.

ticket: 7665
Provide plugin module ordering guarantees 2013-06-27T06:00:51+00:00 Greg Hudson ghudson@mit.edu 2013-06-14T05:33:26+00:00 e0a74797bd3a8395b81e68ecfa7ada6e2b4be4c6 Rewrite the plugin internals so that modules have a well-defined order--either the order of enable_only tags, or dynamic modules followed by the built-in modules in order of registration. ticket: 7665 (new) 
Rewrite the plugin internals so that modules have a well-defined
order--either the order of enable_only tags, or dynamic modules
followed by the built-in modules in order of registration.

ticket: 7665 (new)
Clean up dangling antecedent in allow_weak_crypto 2013-05-31T17:09:45+00:00 Ben Kaduk kaduk@mit.edu 2013-05-31T16:48:46+00:00 2a10e19e19c65af0e3890bdeae03c37089ef02ea The "previous three lists" are not previous any more. Say explicitly which three lists, and make the parenthetical bind to the correct noun. ticket: 7655 (new) tags: pullup target_version: 1.11.4 
The "previous three lists" are not previous any more.
Say explicitly which three lists, and make the parenthetical bind
to the correct noun.

ticket: 7655 (new)
tags: pullup
target_version: 1.11.4