1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
|
This document references, accompanies and extends the password changing
protocol document, "A Proposal for a Standardized Kerberos Password
Changing Protocol" by Theodore Ts'o.
Administrative Command Extensions to the Password Changing Protocol
===================================================================
The following commands and their accompanying definitions are an
extension to the password changing protocol which allow remote
administrative clients to perform functions analogous to those which
are performed using the local database editing utility. These
commands are encoded in the "command request" PDU described in the
password changing protocol, and the server's responses to these
commands are encoded in the "command reply" PDU.
These commands are (optional commands are marked with an asterisk):
ADD-PRINCIPAL
DELETE-PRINCIPAL
RENAME-PRINCIPAL
MODIFY-PRINCIPAL
OTHER-CHANGEPW
OTHER-RANDOM-CHANGEPW
INQUIRE-PRINCIPAL
EXTRACT-KEY (*)
In order to support these additional commands, the following additional
status codes are also defined:
Number Symbolic Name Meaning
64 P_ALREADY_EXISTS The specified principal already exists.
65 P_DOES_NOT_EXIST The specified principal does not exist.
66 NOT_AUTHORIZED The access control list on the server prevents
this operation.
67 BAD_OPTION Either: 1) A bad option was specified; 2) A
conflicting set of options would result from
this operation; or 3) Existing options prevent
this type of operation.
68 VALUE_REQUIRED The specified option requires a value.
69 SYSTEM_ERROR A system error occurred while processing a
request.
The add principal operation
---------------------------
o Command String "ADD-PRINCIPAL"
o Arguments
<new-principal-string> - name of new principal
<keyword-value-pair> - either "KEYWORD=value" or "KEYWORD".
.
.
.
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_ALREADY_EXISTS - new principal already exists
BAD_OPTION - bad option supplied
VALUE_REQUIRED - value required with keyword
o Supplemental Returns
NONE - if successful
error message text - if failure
o Description
If the specified principal does not exist, the arguments parse
correctly, and the arguments when combined with defaulted values
do not produce a conflicting set of options then add the specified
principal with the specified attributes. See below for the list of
settable attributes.
o Access Required
Client principal must have ADD_PRINCIPAL permission.
The delete principal operation
------------------------------
o Command String "DELETE-PRINCIPAL"
o Argument
<principal-string> - principal to delete
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - old principal does not exist
o Supplemental returns
NONE - if successful
error message text - if failure
o Description
If the specified principal exists, then delete it from the database.
o Access Required
Client principal must have DELETE_PRINCIPAL permission.
The rename principal operation
------------------------------
o Command String "RENAME-PRINCIPAL"
o Arguments
<orig-principal-string> - original name
<new-principal-string> - new name
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - old principal does not exist
P_ALREADY_EXISTS - new principal already exists
o Supplemental Returns
NONE - if successful
error message text - if failure
o Description
If the original principal exists and the new principal name does not
exist, rename the original principal to the specified name.
o Access Required
Client principal must have ADD_PRINCIPAL and DELETE_PRINCIPAL
permission.
The modify principal operation
------------------------------
o Command String "MODIFY-PRINCIPAL"
o Arguments
<principal-string> - name of principal
<keyword-value-pair> - either KEYWORD=value or KEYWORD.
.
.
.
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - principal doesn't exist
BAD_OPTION - bad option supplied
VALUE_REQUIRED - value required with keyword
o Supplemental returns
NONE - if successful
error message text - if failure
o Description
If the specified principal exists, the arguments parse correctly, and
the arguments when combined with existing values do not produce a
conflicting set of options, then modify the specified principal with
the specified attributes. See below for the list of settable
attributes.
o Access Required
Client principal must have MODIFY_PRINCIPAL permission.
The change password operation
-----------------------------
o Command String "OTHER-CHANGEPW"
o Arguments
<principal-string> - principal to change password for
<new-password> - new password
o Returns
SUCCESS - operation successful
PW_UNACCEPT - specified password is bad
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - old principal does not exist
BAD_OPTION - principal has a random key
o Supplemental returns
NONE - if successful
error message text - if failure
o Description
If the specified principal exists, and does not have a random key,
then change the password to the specified password. The original
password is NOT required.
o Access Required
Client principal must have CHANGEPW permission.
The change random password command
----------------------------------
o Command String "OTHER-RANDOM-CHANGEPW"
o Argument
<principal-string> - principal to change password for
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - old principal does not exist
BAD_OPTION - principal does not have a random key
o Supplemental Returns
NONE - if successful
error message text - if failure
o Description
If the specified principal exists, and has a random key, then
generate a new random password. The original password is NOT
required.
o Access Required
Client principal must have CHANGEPW permission.
The inquire principal command
-----------------------------
o Command String "INQUIRE-PRINCIPAL"
o Argument
<principal-string> - name of principal or null argument
o Returns
SUCCESS - operation successful
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - principal doesn't exist
o Supplemental Returns
If the return is SUCCESS
<next-principal-string> - name of next principal in database
<keyword-value-pair> - KEYWORD=value list
.
.
.
Otherwise
error message text - if failure
o Description
If a principal is specified, then the database is searched for that
particular principal and its attributes are returned as keyword-value
pairs. If no principal is specified, then the first database entry
is returned. The name of the next principal in the database is always
returned to allow for scanning. See below for the list of attributes
that can be returned.
o Access Required
Client principal must have INQUIRE_PRINCIPAL permission.
The OPTIONAL extract service key table entry command
----------------------------------------------------
o Command String "EXTRACT-KEY"
o Arguments
<instance-string> - instance to extract for
<name-string> - name to extract for
o Returns
SUCCESS - operation successful
CMD_UNKNOWN - operation not supported by server
SYSTEM_ERROR - system error
NOT_AUTHORIZED - not allowed to perform this
P_DOES_NOT_EXIST - principal does not exist
o Supplemental Returns
<keytab-entry> - if successful
error message text - if failure
o Description
If the specified name/instance exists in the database, then
extract the service key entry and return it in <keytab-entry>.
The description of <keytab-entry> follows below.
o Access Required
Client principal must have EXTRACT permission.
Keywords
--------
The following list of keywords are used for the ADD-PRINCIPAL and
MODIFY-PRINCIPAL commands and are returned from the
INQUIRE-PRINCIPAL command.
Valid Keyword Value Type Value
------- --------------- --------------- --------------------------------------
(S) PASSWORD <string> New password.
(SR) KVNO <integer> Key version number.
(SR) MAXLIFE <integer> The maximum lifetime of tickets for
this principal in seconds.
(SR) MAXRENEWLIFE <integer> The maximum renewable lifetime of
tickets for this principal in seconds.
(SR) EXPIRATION <general-time> When the new principal expires.
(SR) PWEXPIRATION <general-time> When the password expires for this
principal.
(SR) RANDOMKEY <integer> Specifies that this is to have a
random key generated for it.
(SR) FLAGS <integer> Specifies flag value for this
principal's attributes field in the
database.
(SR) SALTTYPE <string> Comma-separated list of salt types
supported for this principal. See
note below.
(R) MKVNO <integer> Master key version number.
(R) LASTPWCHANGE <general-time> Last time of password change.
(R) LASTSUCCESS <general-time> Last successful password entry.
(R) LASTFAILED <general-time> Last failed password attempt.
(R) FAILCOUNT <integer> Number of failed password attempts.
(R) MODNAME <string> Principal name who performed last
modification.
(R) MODDATE <general-time> Last modification date.
The valid field indicates whether an attribute is Settable (e.g. appropriate
for use with ADD-PRINCIPAL, et. al.; Returnable (e.g. returned by
INQUIRE-PRINCIPAL); or both Settable and Returnable.
Note: The value for SALTTYPE is a comma-separated list of strings. The
individual values for these may be either "KRB5" or "KRB4" or a site-specific
value.
Keytab Entry
------------
If the EXTRACT SERVICE KEY function is supported, then the successful
response to this command is the key entry. This is a series of 6
reply components as follows:
component type value
--------- --------------- -----------------------------------------
1 <string> Principal name
2 <integer> Key entry timestamp
3 <integer> Key's version number.
4 <integer> Key's keytype.
5 <integer> Key's encryption type.
6 <octet-string> Key's key value.
All of these components are mandatory.
|
