| Commit message | Author | Age | Files | Lines |
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
ticket: 7954 (new)
target_version: 1.12.2
tags: pullup
Document DB options in the kadmin/kadmin.local man page, in their own
section. Refer to that section from the documentation of the -x
parameter of each other command which supports DB options. Add
documentation for the "dbname" DB2 option.
ticket: 7946 (new)
target_version: 1.12.2
tags: pullup
Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.
While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
ticket: 7939
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
ticket: 7933
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
Describe how to use a commercially-issued server certificate for
anonymous PKINIT. Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).
ticket: 7931 (new)
target_version: 1.12.2
tags: pullup
This variable was never used in the PKINIT code as it was contributed;
there was only code to read its value.
ticket: 7932 (new)
target_version: 1.12.2
tags: pullup
This feature was never implemented in the PKINIT code as it was
contributed; there was only stub support for reading the filename.
ticket: 7928 (new)
target_version: 1.12.2
tags: pullup
Add some longer-form documentation for the new HTTPS support, walking a
prospective administrator through generating a bare minimal signing
setup, deploying a WSGI-based proxy server onto an Apache httpd server
using mod_ssl and mod_wsgi, and configuring clients to use it.
ticket: 7929
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart. We only check the [realms] section, though.
ticket: 7929
Don't use "otp" as the example clpreauth module name in
host_config.rst, since we now ship an effectively built-in otp
clpreauth module. Instead use "mypreauth".
ticket: 7920 (new)
target_version: 1.12.2
tags: pullup
It really is all privileges, including setting keys and
disallowing the propagation of the principal database.
[ghudson@mit.edu: editorial changes]
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry. Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions. In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.
ticket: 7901 (new)
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized. adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.
Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
In krb5_salttype_to_string, output the salt type name we would
recognize as input.
In the output of getprinc, display the enctype and salt type in a form
we would accept--either enctype:salttype if the salt type is not the
default, or just the enctype if it is.
Update t_mkey.py and t_salt.py to expect the new output format.
Update documentation examples to show the new format.
ticket: 5958
In kadmin_local.rst, update the example to reflect the new way we
display enctypes after #5014.
ticket: 7890 (new)
target_version: 1.12.2
tags: pullup
--with-crypto=openssl is incorrect; it's --with-crypto-impl=openssl.
[ghudson@mit.edu: wrap source line at 70 columns; improve grammar of
the next sentence]
In particular, it is set by default. This can lead to confusing
behavior wherein adding a k5login file removes a user's remote
access.
Make an example more concrete to account for this case.
ticket: 7876 (new)
target_version: 1.12.2
tags: pullup
When we removed the maximum number of ulog entries (#7368), we did not
update the documentation for that parameter in kdc.conf. Reported by
Richard Basch.
ticket: 7849
target_version: 1.12.2
tags: pullup
Remove obsolete parenthetical statement in the description of the
"-update" switch to "kdb5_util load". Using the "-update" flag to
load a second dump made using the "-ov" switch is no longer necessary
now that the "-r13" format is the default. Add statement that the
"-b7" dump format was the default for versions prior to 1.2.2 (to
match the statement from "dump" section).
[tlyu@mit.edu: commit message]
ticket: 7865
tags: pullup
target_version: 1.12.2
References to krb5_int16.rst and krb5_ui_2.rst were missing, but
recently began causing sphinx-build errors because Doxygen started
generating them after the stdint.h changes.
Added 'otp' as an acceptable attribute name. Added examples.
Also, x-ref kadmin document from otp.rst.
Also remove an outdated caveat, but add a new one about policy changes
causing full resyncs.
ticket: 7855
The -A option causes kpropd to contact a specified admin server
(normally an intermediate slave running kadmind -proponly) instead of
the master admin server.
Based on code submitted by Richard Basch.
ticket: 7855
The -proponly option causes kadmind to only service the iprop service,
not the kpasswd or kadmin services. An intermediate slave in a
hierarchical iprop setup runs kadmind -proponly in order to provide
incremental updates to downstream slaves.
Based on code submitted by Richard Basch.
ticket: 7855
ticket: 7857
Documentation build instructions in doc/README were out of date.
Update them.
ticket: 7864 (new)
tags: pullup
target_version: 1.12.2
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
The plan is to make the Troubleshooting section of the documentation a
one-stop shop for all error diagnostics, explanations and possible
solutions. The relocation of the kprop error message descriptions is
part of this consolidation effort.
The documentation for klist -s erroneously suggests that it doesn't
affect the exit status behavior and that it merely checks for the
existence of the ccache (only mentioning the expired ticket check at
the end). Make it clearer and simpler, but avoid going into a lot of
detail about the nature of the expiration check.
ticket: 7806 (new)
target_version: 1.12.1
tags: pullup
Add a new section to kdc_conf.rst to describe keysalt lists, and
update other documentation to better distinguish enctype lists from
keysalt lists.
ticket: 7608
target_version: 1.12
tags: pullup
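The keysalt list syntax this commit documents, together with the enctype:salttype display form described in the #5958 entry above, as an added Python example. This is not krb5 library code. It assumes that entries are separated by whitespace or commas, that each entry is `enctype` or `enctype:salttype`, that the salt type names are the MIT krb5 ones (normal, v4, norealm, onlyrealm, special, afs3) with normal as the default that getprinc omits, and that an enctype list, unlike a keysalt list, must not carry salt types. The sample inputs are constructed.

```python
"""Keysalt list parsing and display (added example, not krb5 library code).

Assumptions: entries are separated by whitespace or commas; each entry is
"enctype" or "enctype:salttype"; salt types are the MIT krb5 names below
with "normal" as the default; an enctype list must not carry ":salttype".
"""
import re

SALT_TYPES = ("normal", "v4", "norealm", "onlyrealm", "special", "afs3")
DEFAULT_SALT = "normal"


def parse_keysalts(text):
    """Parse a keysalt list into an ordered list of (enctype, salttype) pairs.

    Unknown salt types and empty enctypes are rejected; exact duplicates
    (after filling in the default salt) are dropped, keeping the first position.
    """
    pairs = []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        enctype, _, salttype = token.partition(":")
        if not enctype:
            raise ValueError(f"missing enctype in {token!r}")
        salttype = salttype or DEFAULT_SALT
        if salttype not in SALT_TYPES:
            raise ValueError(f"unknown salt type {salttype!r} in {token!r}")
        pair = (enctype, salttype)
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def parse_enctypes(text):
    """Parse an enctype list; a ':' means a keysalt list was used in its place."""
    enctypes = []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        if ":" in token:
            raise ValueError(f"{token!r} is a keysalt entry, not an enctype")
        if token not in enctypes:
            enctypes.append(token)
    return enctypes


def format_keysalt(enctype, salttype):
    """Render one keysalt the way getprinc now does: omit the default salt type."""
    return enctype if salttype == DEFAULT_SALT else f"{enctype}:{salttype}"


def format_keysalts(pairs):
    """Render a parsed keysalt list back into the compact display form."""
    return " ".join(format_keysalt(e, s) for e, s in pairs)


if __name__ == "__main__":
    # Constructed sample: a redundant entry, a comma separator, one non-default salt.
    sample = ("aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96, "
              "aes256-cts-hmac-sha1-96 des3-cbc-sha1:norealm")
    print(format_keysalts(parse_keysalts(sample)))
```

Feeding a keysalt list to `parse_enctypes` raises, which is the kind of confusion the commit's wording change is meant to prevent in configurations such as permitted_enctypes versus supported_enctypes.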
Some error messages that kprop could print were quoted incorrectly in
install_kdc.rst.
Also fix minor typos.
ticket: 7785 (new)
target_version: 1.12
tags: pullup
kdb5_util.rst incorrectly describes the current default dump format
version as 6 when it should be 7. Reported by Jeff D'Angelo.
ticket: 7777
target_version: 1.12
tags: pullup
Re-fill to 70 columns. Replace non-ascii apostrophes with ASCII ones.
Edit wording slightly.
ticket: 7776
This is to add a short introductory document on credential
caches to the Concepts section of Kerberos documentation.
ticket: 7776 (new)
target_version: 1.12
tags: pullup
In kadm5.acl, *N in the target principal name refers to the Nth
wildcard in the acting principal pattern, not the Nth component.
ticket: 7774 (new)
target_version: 1.12
tags: pullup
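The kadm5.acl matching rules stated in this commit and in the #7939 entry above (a whole-component `*` wildcard, `*N` in the target principal naming the Nth wildcard of the acting principal, and a list permission that the target_principal field cannot scope), as an added Python model. This is not kadmind's ACL code. It assumes that entries are tried in file order and the first one whose acting-principal pattern and target pattern both match decides, that upper-case permission letters deny, that `x` or `*` grants every permission, that a bare `*` target means any principal, and that an entry carrying a target_principal cannot apply to an operation that names no target, which is what makes `l` all-or-nothing. The sample ACL and the EXAMPLE.COM realm are constructed.

```python
"""Model of kadm5.acl matching (added example, not kadmind's ACL code).

Rules taken from the commit messages: "*" stands for a whole component
(or the realm) of a principal; "*N" in target_principal means the Nth
wildcard of the acting principal, counted from 1; the list permission is
all-or-nothing, so an entry scoped by a target_principal never grants it.
Assumed conventions: first matching entry decides; upper-case letters
deny; "x" or "*" grants everything; a bare "*" target means any principal.
"""
import re

ALL_PERMS = frozenset("admcilspe")   # every permission letter kadm5.acl defines


def split_principal(name):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); a missing realm becomes ''."""
    local, _, realm = name.partition("@")
    return local.split("/"), realm


def match_pattern(pattern, name):
    """Return the strings each '*' in pattern matched, or None on mismatch."""
    if pattern == "*":
        return []
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps):
        return None
    captures = []
    for want, have in zip(pcomps + [prealm], ncomps + [nrealm]):
        if want == "*":
            captures.append(have)
        elif want != have:
            return None
    return captures


def expand_target(target, captures):
    """Replace each '*N' with the Nth wildcard capture of the acting principal."""
    def back_ref(m):
        n = int(m.group(1))
        if not 1 <= n <= len(captures):
            raise ValueError(f"*{n} names a wildcard the acting pattern does not have")
        return captures[n - 1]
    return re.sub(r"\*(\d+)", back_ref, target)


def parse_acl(text):
    """Parse lines of the form: principal permissions [target_principal [restrictions]]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        entries.append((fields[0], fields[1], target, fields[3:]))
    return entries


def check(entries, actor, op, target=None):
    """Return (allowed, restrictions) for actor doing op (one letter) on target.

    A list check ('l') names no target, so target-scoped entries are skipped.
    """
    for principal, perms, tpat, restrictions in entries:
        caps = match_pattern(principal, actor)
        if caps is None:
            continue
        if tpat is not None:
            if target is None or match_pattern(expand_target(tpat, caps), target) is None:
                continue
        granted = ALL_PERMS if perms in ("*", "x") else {c for c in perms if c.islower()}
        return op in granted, restrictions
    return False, []


# Constructed sample; EXAMPLE.COM is a placeholder realm.
SAMPLE_ACL = """
# */admin: all privileges on everything
*/admin@EXAMPLE.COM      *
# joeadmin without an instance: explicitly denied everything
joeadmin@EXAMPLE.COM     ADMCIL
# joeadmin/<anything>: inquire on */root principals only
joeadmin/*@EXAMPLE.COM   i    */root@EXAMPLE.COM
# <user>/root: change and inquire on <user>@EXAMPLE.COM only (*1 = first wildcard)
*/root@EXAMPLE.COM       ci   *1@EXAMPLE.COM
# list is all-or-nothing, so it gets its own unscoped line
*/root@EXAMPLE.COM       l
# service management system: everything, with restrictions on what it creates
sms@EXAMPLE.COM          x    *    -maxlife 9h -postdateable
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for actor, op, target in [("alice/root@EXAMPLE.COM", "c", "alice@EXAMPLE.COM"),
                              ("alice/root@EXAMPLE.COM", "c", "bob@EXAMPLE.COM"),
                              ("alice/root@EXAMPLE.COM", "l", None),
                              ("joeadmin/x@EXAMPLE.COM", "l", None)]:
        print(actor, op, target, check(acl, actor, op, target))
```

Note how the `*/root ... ci *1@EXAMPLE.COM` line lets alice/root change only alice, while the separate unscoped `l` line is what actually grants listing; putting `l` on the scoped line would grant nothing, which is the point of the #7939 example change.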
In the "KDC replication and account lockout" section of lockout.rst,
specifically call out kprop and incremental propagation as the
mechanisms which do not replicate account lockout state, and add a
note that KDCs using LDAP may not be affected by that section's
concerns.
ticket: 7773 (new)
target_version: 1.12
tags: pullup
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
In kdc_conf.rst, add examples showing how to configure a realm
parameter and a database parameter. Document that the default DB
configuration section is the realm name, and use that in the example.
Move the db_module_dir description to the end of the [dbmodules]
documentation since it is rarely used and could confuse a reader about
the usual structure of the section.
ticket: 7759 (new)
target_version: 1.12
tags: pullup
The kpropd -S option is no longer needed to run kpropd in standalone
mode, but its functionality is not deprecated; standalone mode is
automatically activated when appropriate. Clarify the kpropd
documentation on standalone mode to avoid giving the impression that
the mode is deprecated.
ticket: 7751 (new)
target_version: 1.12
tags: pullup
Add a new section to database.rst documenting the procedure for
rolling the master key.
ticket: 7732 (new)
target_version: 1.12
tags: pullup
kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.
ticket: 6507
target_version: 1.12
tags: pullup
In pkinit.rst, add "-days" options to the example commands for
creating certificates and briefly discuss the issue of expiration dates
so that the administrator thinks about it. In troubleshoot.rst, add
an entry for the "certificate has expired" error which results from
PKINIT (when linked with OpenSSL) when a certificate has expired.
ticket: 7719 (new)
target_version: 1.12
tags: pullup
Some literal blocks in the new AEAD and IOV documentation in
gssapi.rst started with ":" instead of "::", causing documentation
build errors.
Release 1.9.5 was the last planned release for the krb5-1.9 series.
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
The no_auth_data_required bit was introduced to suppress PACs in
service tickets when the back end supports them. Make it also
suppress AD-SIGNEDPATH, so that the ~70-byte expansion of the ticket
can be avoided for services which aren't going to do constrained
delegation.
ticket: 7697 (new)