krb5.git/doc/admin, branch keyring MIT Kerberos patches Clarify realm and dbmodules configuration docs 2013-11-06T19:58:03+00:00 Greg Hudson ghudson@mit.edu 2013-11-06T18:33:04+00:00 689d769c10c53bd4fa40e82421c89b96cc86cbae In kdc_conf.rst, add examples showing how to configure a realm parameter and a database parameter. Document that the default DB configuration section is the realm name, and use that in the example. Move the db_module_dir description to the end of the [dbmodules] documentation since it is rarely used and could confuse a reader about the usual structure of the section. ticket: 7759 (new) target_version: 1.12 tags: pullup 
In kdc_conf.rst, add examples showing how to configure a realm
parameter and a database parameter.  Document that the default DB
configuration section is the realm name, and use that in the example.
Move the db_module_dir description to the end of the [dbmodules]
documentation since it is rarely used and could confuse a reader about
the usual structure of the section.

ticket: 7759 (new)
target_version: 1.12
tags: pullup
Clarify kpropd standalone mode documentation 2013-11-01T14:55:39+00:00 Greg Hudson ghudson@mit.edu 2013-10-30T22:22:00+00:00 bfec0671ca6df811453d46a2f47afc7168b980fc The kpropd -S option is no longer needed to run kpropd in standalone mode, but its functionality is not deprecated; standalone mode is automatically activated when appropriate. Clarify the kpropd documentation on standalone mode to avoid giving the impression that the mode is deprecated. ticket: 7751 (new) target_version: 1.12 tags: pullup 
The kpropd -S option is no longer needed to run kpropd in standalone
mode, but its functionality is not deprecated; standalone mode is
automatically activated when appropriate.  Clarify the kpropd
documentation on standalone mode to avoid giving the impression that
the mode is deprecated.

ticket: 7751 (new)
target_version: 1.12
tags: pullup
Document master key rollover 2013-10-30T16:58:23+00:00 Greg Hudson ghudson@mit.edu 2013-10-25T16:30:48+00:00 e4b5d426a1e1e00367cc44a9619535ab71b20393 Add a new section to database.rst documenting the procedure for rolling the master key. ticket: 7732 (new) target_version: 1.12 tags: pullup 
Add a new section to database.rst documenting the procedure for
rolling the master key.

ticket: 7732 (new)
target_version: 1.12
tags: pullup
Use active master key in update_princ_encryption 2013-10-25T15:36:11+00:00 Greg Hudson ghudson@mit.edu 2013-10-23T15:55:19+00:00 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8 kdb5_util update_princ_encryption should update to the active master key version, not the most recent. ticket: 6507 target_version: 1.12 tags: pullup 
kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.

ticket: 6507
target_version: 1.12
tags: pullup
Discuss cert expiry, no-key princs in PKINIT docs 2013-10-17T18:13:03+00:00 Greg Hudson ghudson@mit.edu 2013-10-14T22:14:00+00:00 f3977b6883f0172a2af9006522a1b35546f86749 In pkinit.rst, add "-days" options to the example commands for creating certificate and briefly discuss the issue of expiration dates so that the administrator thinks about it. In troubleshoot.rst, add an entry for the "certificate has expired" error which results from PKINIT (when linked with OpenSSL) when a certificate has expired. ticket: 7719 (new) target_version: 1.12 tags: pullup 
In pkinit.rst, add "-days" options to the example commands for
creating certificate and briefly discuss the issue of expiration dates
so that the administrator thinks about it.  In troubleshoot.rst, add
an entry for the "certificate has expired" error which results from
PKINIT (when linked with OpenSSL) when a certificate has expired.

ticket: 7719 (new)
target_version: 1.12
tags: pullup
Add a flag to prevent all host canonicalization 2013-09-06T05:02:28+00:00 Greg Hudson ghudson@mit.edu 2013-09-05T22:30:02+00:00 60edb321af64081e3eb597da0256faf117c9c441 If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups. ticket: 7703 (new) 
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.

ticket: 7703 (new)
Omit signedpath if no_auth_data_required is set 2013-08-20T04:25:02+00:00 Greg Hudson ghudson@mit.edu 2013-08-20T00:01:03+00:00 eaaf406f5ab3224fc262da300476efa21b407bed The no_auth_data_required bit was introduced to suppress PACs in service tickets when the back end supports them. Make it also suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket can be avoided for services which aren't going to do constrained delegation. ticket: 7697 (new) 
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them.  Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.

ticket: 7697 (new)
Add a note about how to apply/remove policies 2013-08-16T17:21:25+00:00 Brad Davis brd@FreeBSD.org 2013-08-15T21:39:56+00:00 af0d51a9683c5f71737a5662f156bbb449b2a8a8 Put a note in the the policies section of the documentation for how to apply policies to principals. [kaduk@mit.edu: reformat commit message] ticket: 7693 (new) 
Put a note in the the policies section of the documentation for how to
apply policies to principals.

[kaduk@mit.edu: reformat commit message]

ticket: 7693 (new)
Document hostrealm interface 2013-08-15T16:39:58+00:00 Greg Hudson ghudson@mit.edu 2013-08-07T19:48:36+00:00 2721a662a3d88601bff991599928c1566be7485a ticket: 7687 
ticket: 7687
Remove redundant domain_realm mappings 2013-08-12T19:28:07+00:00 Ben Kaduk kaduk@mit.edu 2013-08-12T17:47:42+00:00 8f5ce824012f2caab6770df464f096c38dc4cb2e This fixes a long-standing documentation bug where we claimed that a domain_realm mapping for a host name would not affect entries under that domain name. The code has always had the behavior where a host name mapping implies the corresponding domain name mapping, since the 1.0 release. While here, replace media-lab with csail in example files, as the media lab realm is no longer in use. Also strip port 88 from KDC specifications, and drop the harmful default_{tgs,tkt}_enctypes lines from src/util/profile/krb5.conf. Further cleanup on these files to remove defunct realms may be in order. ticket: 7690 (new) tags: pullup target_version: 1.11.4 
This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name.  The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.

While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use.  Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.

Further cleanup on these files to remove defunct realms may be in order.

ticket: 7690 (new)
tags: pullup
target_version: 1.11.4