From: Tom Yu Date: Mon, 11 Aug 2014 20:58:08 +0000 (-0400) Subject: Updates for krb5-1.12.2 X-Git-Tag: krb5-1.12.2-final X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64fca7954952bc0d177bb14de4b363b1041db1d7;p=thirdparty%2Fkrb5.git Updates for krb5-1.12.2 --- diff --git a/README b/README index 6cf44eae7d..b9eff7172f 100644 --- a/README +++ b/README @@ -73,6 +73,103 @@ from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. +Major changes in 1.12.2 (2014-08-11) +------------------------------------ + +* Work around a gcc optimizer bug that could cause DB2 KDC database + operations to spin in an infinite loop + +* Fix a backward compatibility problem with the LDAP KDB schema that + could prevent krb5-1.11 and later from decoding entries created by + krb5-1.6. + +* Avoid an infinite loop under some circumstances when the GSS + mechglue loads a dynamic mechanism. + +* Fix krb5kdc argument parsing so "-w" and "-r" options work together + reliably. + +* Handle certain invalid RFC 1964 GSS tokens correctly to avoid + invalid memory reference vulnerabilities. [CVE-2014-4341 + CVE-2014-4342] + +* Fix memory management vulnerabilities in GSSAPI SPNEGO. + [CVE-2014-4343 CVE-2014-4344] + +* Fix buffer overflow vulnerability in LDAP KDB back end. + [CVE-2014-4345] + +krb5-1.12.2 changes by ticket ID +-------------------------------- + +3277 configure --sysconfdir=/etc can make redundant entries in + profile search paths +7793 preauth context leaks on failure +7818 Clean up rcache if GSS krb5 acquire_cred fails +7820 gss_init_sec_context() can ignore time sync with keyring + caches +7822 Avoid assertion failure in error_message +7836 Allow empty store in gss_acquire_cred_from +7839 Reinitialize ulog when wrapping serial number +7849 kdc.conf(5) - 1.11 / 1.12 - inaccurate + re. iprop_master_ulogsize +7853 Check for unstable ulog in ulog_get_entries +7854 Fix kpropd -x +7856 Support referrals from Windows Server 2003 +7858 SPNEGO server responds incorrectly to Microsoft krb5 mech type +7860 libdb2 tests hang +7862 ksu broken with 2FA principals +7864 Update doc build instructions +7865 kdb5_util doc update: -update with -ov dump not needed since + -r13 +7866 improper malloc() handling in process_chpw_request() +7870 Conditionalize use of LDAP_OPT_DEBUG_LEVEL +7872 GSS krb5 sequence number checking fails on initial gap token +7874 Initialize err variable in krb5_sendto_kdc +7875 Fix memory leak in krb5_verify_init_creds +7876 Mention k5login_authoritative in k5login docs +7878 Fix unlikely double free in PKINIT client code +7881 Fix returning KDB_NOENTRY in find_alternate_tgs() +7890 Update example kadmin getprinc enctype display +7894 Get getopt from unistd.h (not getopt.h) in tests +7897 Fix leak in kadm5_flush with LDAP KDB +7902 Check for asprintf failure in kdb5_util create +7911 OTP RADIUS tries one too few times and times out too quickly +7912 Fix invalid JSON handling in KDC OTP module +7914 Problem with krb5int_c_combine_keys() +7916 pkinit doesn't handle slotid parameter properly +7917 pkinit doesn't deal with token label properly +7919 LDAP key data encoder/decoder does not treat KrbKey salt as + optional +7920 Change example module name in host_config.rst +7924 tcl_kadm5.c is incompatible with Tcl 8.6 +7926 1.12 breaks gssapi mechanisms that recursively call into + libgssapi +7928 Do not document pkinit_mapping_file +7930 Add missing profile functions to libkrb5 exports +7931 Improve PKINIT certificate documentation +7932 Do not document pkinit_win2k +7941 Fix several memory leaks in LDAP KDB modules +7943 Fix error checking in PKINIT authdata creation +7945 krb5kdc -w and -r do not work together +7946 Consolidate DB option documentation +7948 Fix unlikely null dereference in mk_cred() +7949 Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342] +7952 Fix unlikely null dereference in TGS client code +7954 Remove indent workaround in man page RST sources +7955 Fix build on systems without RTM_OLD* +7966 Fix leak on GSS module symbol resolution error +7967 Error when building with "make -j8" +7969 Double-free in initiator during SPNEGO renegotiation + [CVE-2014-4343] +7970 NULL dereference in SPNEGO acceptor for continuation tokens + [CVE-2014-4344] +7971 Fix deleted node handling in libprofile +7972 Fix creation/rename of top-level profile sections +7973 Bad calloc test in krb5_authdata_context_init() +7980 LDAP key data segmentation buffer overflow [CVE-2014-4345] +7982 Use zapfree in krb5_decrypt_tkt_part + Major changes in 1.12.1 (2014-01-15) ------------------------------------ @@ -440,9 +537,12 @@ reports, suggestions, and valuable resources: Holger Isenberg Pavel Jindra Joel Johnson + Anders Kaseorg W. Trevor King Mikkel Kruse Reinhard Kugler + Tomas Kuthan + Pierre Labastie Volker Lendecke Jan iankko Lieskovsky Oliver Loch @@ -474,6 +574,7 @@ reports, suggestions, and valuable resources: Robert Relyea Martin Rex Jason Rogers + Nate Rosenblum Mike Roszkowski Guillaume Rousse Tom Shaw @@ -485,6 +586,7 @@ reports, suggestions, and valuable resources: Bjørn Tore Sund Joe Travaglini Rathor Vipin + Denis Vlasenko Jorgen Wahlsten Stef Walter Max (Weijun) Wang @@ -499,6 +601,7 @@ reports, suggestions, and valuable resources: Nicolas Williams Ross Wilper Augustin Wolf + David Woodhouse Xu Qiang Nickolai Zeldovich Hanz van Zijst diff --git a/src/man/k5identity.man b/src/man/k5identity.man index fee8d8e8d3..4d27e72836 100644 --- a/src/man/k5identity.man +++ b/src/man/k5identity.man @@ -1,4 +1,6 @@ -.TH "K5IDENTITY" "5" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "K5IDENTITY" "5" " " "1.12.2" "MIT Kerberos" .SH NAME k5identity \- Kerberos V5 client principal selection rules . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH DESCRIPTION .sp The .k5identity file, which resides in a user\(aqs home directory, @@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/k5login.man b/src/man/k5login.man index cb433d92c1..c3a91b372a 100644 --- a/src/man/k5login.man +++ b/src/man/k5login.man @@ -1,4 +1,6 @@ -.TH "K5LOGIN" "5" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "K5LOGIN" "5" " " "1.12.2" "MIT Kerberos" .SH NAME k5login \- Kerberos V5 acl file for host access . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH DESCRIPTION .sp The .k5login file, which resides in a user\(aqs home directory, contains @@ -41,7 +41,7 @@ administrators remote root access to the host via Kerberos. .SH EXAMPLES .sp Suppose the user \fBalice\fP had a .k5login file in her home directory -containing the following line: +containing just the following line: .INDENT 0.0 .INDENT 3.5 .sp @@ -55,7 +55,12 @@ bob@FOOBAR.ORG .sp This would allow \fBbob\fP to use Kerberos network applications, such as ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos -tickets. +tickets. In a default configuration (with \fBk5login_authoritative\fP set +to true in \fIkrb5.conf(5)\fP), this .k5login file would not let +\fBalice\fP use those network applications to access her account, since +she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP +set to false, a default rule would permit the principal \fBalice\fP in the +machine\(aqs default realm to access the \fBalice\fP account. .sp Let us further suppose that \fBalice\fP is a system administrator. Alice and the other system administrators would have their principals @@ -86,6 +91,6 @@ kerberos(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man index 99ffb84603..abc2fe7c56 100644 --- a/src/man/k5srvutil.man +++ b/src/man/k5srvutil.man @@ -1,4 +1,6 @@ -.TH "K5SRVUTIL" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "K5SRVUTIL" "1" " " "1.12.2" "MIT Kerberos" .SH NAME k5srvutil \- host key table (keytab) manipulation utility . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBk5srvutil\fP \fIoperation\fP @@ -84,6 +84,6 @@ place. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index f926ee5585..29b92dfb16 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -1,4 +1,6 @@ -.TH "KADM5.ACL" "5" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KADM5.ACL" "5" " " "1.12.2" "MIT Kerberos" .SH NAME kadm5.acl \- Kerberos ACL file . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH DESCRIPTION .sp The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List @@ -39,7 +39,7 @@ which principals can operate on which other principals. .sp The default location of the Kerberos ACL file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP -variable in \fIkdc.conf(5)\fP. +variable in \fIkdc.conf(5)\fP\&. .SH SYNTAX .sp Empty lines and lines starting with the sharp sign (\fB#\fP) are @@ -54,10 +54,14 @@ principal permissions [target_principal [restrictions] ] .fi .UNINDENT .UNINDENT -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. -.RE +.UNINDENT +.UNINDENT .INDENT 0.0 .TP .B \fIprincipal\fP @@ -148,7 +152,7 @@ character. .sp \fItarget_principal\fP can also include back\-references to \fIprincipal\fP, in which \fB*number\fP matches the corresponding wildcard in -\fIprincipal\fP. +\fIprincipal\fP\&. .TP .B \fIrestrictions\fP (Optional) A string of flags. Allowed restrictions are: @@ -165,7 +169,7 @@ are the same as the + and \- flags for the kadmin policy is forced to be empty. .TP .B \fI\-policy pol\fP -policy is forced to be \fIpol\fP. +policy is forced to be \fIpol\fP\&. .TP .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP (\fIgetdate\fP string) associated value will be forced to @@ -177,13 +181,17 @@ MIN(\fItime\fP, requested value). The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. .UNINDENT -.IP Warning +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. -.RE +.UNINDENT +.UNINDENT .SH EXAMPLE .sp -Here is an example of a kadm5.acl file. +Here is an example of a kadm5.acl file: .INDENT 0.0 .INDENT 3.5 .sp @@ -230,6 +238,6 @@ longer than 9 hours. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmin.man b/src/man/kadmin.man index 7381300fe6..e6f731366b 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -1,4 +1,6 @@ -.TH "KADMIN" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KADMIN" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kadmin \- Kerberos V5 database administration program . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkadmin\fP @@ -54,7 +54,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] kadmin and kadmin.local are command\-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using \fIkadmind(8)\fP. +database, while kadmin performs operations using \fIkadmind(8)\fP\&. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables @@ -62,7 +62,7 @@ Kerberos principals, password policies, and service key tables .sp The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is -the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP. +the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP\&. If the credentials cache contains a ticket for one of these principals, and the \fB\-c\fP credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and @@ -90,7 +90,7 @@ obtained with getpwuid, in order of preference. .B \fB\-k\fP Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be -\fBhost/hostname\fP. If there is no keytab specified with the +\fBhost/hostname\fP\&. If there is no keytab specified with the \fB\-t\fP option, then the default keytab will be used. .TP .B \fB\-t\fP \fIkeytab\fP @@ -101,7 +101,7 @@ with the \fB\-k\fP option. Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure \fBpkinit_anchors\fP in the client\(aqs -\fIkrb5.conf(5)\fP. Then use the \fB\-n\fP option with a principal +\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is @@ -153,26 +153,40 @@ Force use of old AUTH_GSSAPI authentication flavor. Prevent fallback to AUTH_GSSAPI authentication flavor. .TP .B \fB\-x\fP \fIdb_args\fP -Specifies the database specific arguments. Options supported for -the LDAP database module are: -.INDENT 7.0 +Specifies the database specific arguments. See the next section +for supported options. +.UNINDENT +.SH DATABASE OPTIONS +.sp +Database options can be used to override database\-specific defaults. +Supported options for the DB2 module are: +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-x dbname=\fP*filename* +Specifies the base filename of the DB2 database. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +Supported options for the LDAP module are: +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 .TP -.B \fB\-x host=\fP\fIhostname\fP +.B \fB\-x host=\fP\fIldapuri\fP Specifies the LDAP server to connect to by a LDAP URI. .TP .B \fB\-x binddn=\fP\fIbind_dn\fP -Specifies the DN of the object used by the administration -server to bind to the LDAP server. This object should have -the read and write privileges on the realm container, the -principal container, and the subtree that is referenced by the -realm. +Specifies the DN used to bind to the LDAP server. .TP .B \fB\-x bindpwd=\fP\fIbind_password\fP Specifies the password for the above mentioned binddn. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the \fBstashsrvpw\fP command of -\fIkdb5_ldap_util(8)\fP. +\fIkdb5_ldap_util(8)\fP\&. .TP .B \fB\-x debug=\fP\fIlevel\fP sets the OpenLDAP client library debug level. \fIlevel\fP is an @@ -180,6 +194,7 @@ integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. .UNINDENT .UNINDENT +.UNINDENT .SH COMMANDS .sp When using the remote client, available commands may be restricted @@ -344,8 +359,11 @@ principal is to be created. .B \fB\-x tktpolicy=\fP\fIpolicy\fP Associates a ticket policy to the Kerberos principal. .UNINDENT -.IP Note +.sp +\fBNOTE:\fP .INDENT 7.0 +.INDENT 3.5 +.INDENT 0.0 .IP \(bu 2 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be specified with the \fBdn\fP option. @@ -358,7 +376,8 @@ container. \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm. .UNINDENT -.RE +.UNINDENT +.UNINDENT .UNINDENT .sp Example: @@ -409,7 +428,7 @@ to its password policy) so that it can successfully authenticate. .UNINDENT .UNINDENT .sp -Renames the specified \fIold_principal\fP to \fInew_principal\fP. This +Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This command prompts for confirmation, unless the \fB\-force\fP option is given. .sp @@ -436,7 +455,7 @@ Alias: \fBdelprinc\fP .UNINDENT .UNINDENT .sp -Changes the password of \fIprincipal\fP. Prompts for a new password if +Changes the password of \fIprincipal\fP\&. Prompts for a new password if neither \fB\-randkey\fP or \fB\-pw\fP is specified. .sp This command requires the \fBchangepw\fP privilege, or that the @@ -489,8 +508,8 @@ kadmin: .UNINDENT .sp Purges previously retained old keys (e.g., from \fBchange_password -\-keepold\fP) from \fIprincipal\fP. If \fB\-keepkvno\fP is specified, then -only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. If +\-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then +only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If \fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option is new in release 1.12. .sp @@ -528,8 +547,8 @@ Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 2 -Key: vno 1, DES cbc mode with CRC\-32, no salt -Key: vno 1, DES cbc mode with CRC\-32, Version 4 +Key: vno 1, des\-cbc\-crc, no salt +Key: vno 1, des\-cbc\-crc, Version 4 Attributes: Policy: [none] @@ -551,7 +570,7 @@ kadmin: .sp Retrieves all or some principal names. \fIexpression\fP is a shell\-style glob expression that can contain the wild\-card characters \fB?\fP, -\fB*\fP, and \fB[]\fP. All principal names matching the expression are +\fB*\fP, and \fB[]\fP\&. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an \fB@\fP character, an \fB@\fP character followed by the local realm is appended to the @@ -584,7 +603,7 @@ kadmin: .UNINDENT .UNINDENT .sp -Displays string attributes on \fIprincipal\fP. +Displays string attributes on \fIprincipal\fP\&. .sp This command requires the \fBinquire\fP privilege. .sp @@ -596,7 +615,7 @@ Alias: \fBgetstr\fP .UNINDENT .UNINDENT .sp -Sets a string attribute on \fIprincipal\fP. String attributes are used to +Sets a string attribute on \fIprincipal\fP\&. String attributes are used to supply per\-principal configuration to the KDC and some KDC plugin modules. The following string attributes are recognized by the KDC: .INDENT 0.0 @@ -618,7 +637,7 @@ Alias: \fBsetstr\fP .UNINDENT .UNINDENT .sp -Deletes a string attribute from \fIprincipal\fP. +Deletes a string attribute from \fIprincipal\fP\&. .sp This command requires the \fBdelete\fP privilege. .sp @@ -683,7 +702,7 @@ is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with \fBmodprinc -\-unlock\fP. +\-unlock\fP\&. .TP .B \fB\-allowedkeysalts\fP Specifies the key/salt tuples supported for long\-term keys when @@ -713,8 +732,8 @@ kadmin: .UNINDENT .UNINDENT .sp -Modifies the password policy named \fIpolicy\fP. Options are as described -for \fBadd_policy\fP. +Modifies the password policy named \fIpolicy\fP\&. Options are as described +for \fBadd_policy\fP\&. .sp This command requires the \fBmodify\fP privilege. .sp @@ -726,7 +745,7 @@ Alias: \fBmodpol\fP .UNINDENT .UNINDENT .sp -Deletes the password policy named \fIpolicy\fP. Prompts for confirmation +Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. .sp @@ -755,7 +774,7 @@ kadmin: .UNINDENT .UNINDENT .sp -Displays the values of the password policy named \fIpolicy\fP. With the +Displays the values of the password policy named \fIpolicy\fP\&. With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs. .sp @@ -798,13 +817,13 @@ meaningful. .sp Retrieves all or some policy names. \fIexpression\fP is a shell\-style glob expression that can contain the wild\-card characters \fB?\fP, -\fB*\fP, and \fB[]\fP. All policy names matching the expression are +\fB*\fP, and \fB[]\fP\&. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. .sp This command requires the \fBlist\fP privilege. .sp -Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP. +Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&. .sp Examples: .INDENT 0.0 @@ -953,6 +972,6 @@ interface to the OpenVision Kerberos administration program. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmind.man b/src/man/kadmind.man index 6e92bfd3cc..34d54a9f8c 100644 --- a/src/man/kadmind.man +++ b/src/man/kadmind.man @@ -1,4 +1,6 @@ -.TH "KADMIND" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KADMIND" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kadmind \- KADM5 administration server . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkadmind\fP @@ -66,7 +66,7 @@ settings. kadmind\(aqs ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP -variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP. +variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. .UNINDENT .sp After the server begins running, it puts itself in the background and @@ -101,7 +101,7 @@ the server to place itself in the background. .B \fB\-port\fP \fIport\-number\fP specifies the port on which the administration server listens for connections. The default port is determined by the -\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP. +\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&. .TP .B \fB\-P\fP \fIpid_file\fP specifies the file to which the PID of kadmind process should be @@ -122,43 +122,7 @@ specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. .TP .B \fB\-x\fP \fIdb_args\fP -specifies database\-specific arguments. -.sp -Options supported for LDAP database are: -.INDENT 7.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-x nconns=\fP\fInumber_of_connections\fP -specifies the number of connections to be maintained per -LDAP server. -.TP -.B \fB\-x host=\fP\fIldapuri\fP -specifies the LDAP server to connect to by URI. -.TP -.B \fB\-x binddn=\fP\fIbinddn\fP -specifies the DN of the object used by the administration -server to bind to the LDAP server. This object should -have read and write privileges on the realm container, the -principal container, and the subtree that is referenced by -the realm. -.TP -.B \fB\-x bindpwd=\fP\fIbind_password\fP -specifies the password for the above mentioned binddn. -Using this option may expose the password to other users -on the system via the process list; to avoid this, instead -stash the password using the \fBstashsrvpw\fP command of -\fIkdb5_ldap_util(8)\fP. -.TP -.B \fB\-x debug=\fP\fIlevel\fP -sets the OpenLDAP client library debug level. \fIlevel\fP is -an integer to be interpreted by the library. Debugging -messages are printed to standard error, so this option -must be used with the \fB\-nofork\fP option to be useful. -New in release 1.12. -.UNINDENT -.UNINDENT -.UNINDENT +specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments. .UNINDENT .SH SEE ALSO .sp @@ -167,6 +131,6 @@ New in release 1.12. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man index c0f6913431..7abd94c6e4 100644 --- a/src/man/kdb5_ldap_util.man +++ b/src/man/kdb5_ldap_util.man @@ -1,4 +1,6 @@ -.TH "KDB5_LDAP_UTIL" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KDB5_LDAP_UTIL" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kdb5_ldap_util \- Kerberos configuration utility . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkdb5_ldap_util\fP @@ -49,7 +49,7 @@ Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. .TP .B \fB\-w\fP \fIpasswd\fP -Specifies the password of \fIuser_dn\fP. This option is not +Specifies the password of \fIuser_dn\fP\&. This option is not recommended. .TP .B \fB\-H\fP \fIldapuri\fP @@ -97,7 +97,7 @@ realm container. .B \fB\-k\fP \fImkeytype\fP Specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP. +\fIkdc.conf(5)\fP\&. .TP .B \fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; @@ -131,7 +131,7 @@ tickets for principals in this realm. .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP. +\fIkadmin(1)\fP\&. .UNINDENT .sp Example: @@ -197,7 +197,7 @@ tickets for principals in this realm. .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP. +\fIkadmin(1)\fP\&. .UNINDENT .sp Example: @@ -376,7 +376,7 @@ tickets for principals. Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \fBadd_principal\fP -command in \fIkadmin(1)\fP. +command in \fIkadmin(1)\fP\&. .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. @@ -410,7 +410,7 @@ Password for "cn=admin,o=org": .UNINDENT .sp Modifies the attributes of a ticket policy. Options are same as for -\fBcreate_policy\fP. +\fBcreate_policy\fP\&. .sp Example: .INDENT 0.0 @@ -538,6 +538,6 @@ userpolicy .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index c0f61f820e..65bf6f274d 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man @@ -1,4 +1,6 @@ -.TH "KDB5_UTIL" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KDB5_UTIL" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kdb5_util \- Kerberos database maintenance utility . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkdb5_util\fP @@ -63,14 +63,14 @@ specifies the Kerberos realm of the database. .TP .B \fB\-d\fP \fIdbname\fP specifies the name under which the principal database is stored; -by default the database is that listed in \fIkdc.conf(5)\fP. The +by default the database is that listed in \fIkdc.conf(5)\fP\&. The password policy database and lock files are also derived from this value. .TP .B \fB\-k\fP \fImkeytype\fP specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP. +\fIkdc.conf(5)\fP\&. .TP .B \fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; @@ -79,7 +79,7 @@ the default is 1. Note that 0 is not allowed. .B \fB\-M\fP \fImkeyname\fP principal name for the master key in the database. If not specified, the name is determined by the \fBmaster_key_name\fP -variable in \fIkdc.conf(5)\fP. +variable in \fIkdc.conf(5)\fP\&. .TP .B \fB\-m\fP specifies that the master database password should be read from @@ -88,7 +88,7 @@ the keyboard rather than fetched from a file on disk. .B \fB\-sf\fP \fIstash_file\fP specifies the stash filename of the master database password. If not specified, the filename is determined by the -\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP. +\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&. .TP .B \fB\-P\fP \fIpassword\fP specifies the master database password. Using this option may @@ -126,13 +126,13 @@ the \fB\-f\fP argument, does not prompt the user. .sp Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP argument can be used to override the \fIkeyfile\fP specified in -\fIkdc.conf(5)\fP. +\fIkdc.conf(5)\fP\&. .SS dump .INDENT 0.0 .INDENT 3.5 \fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] -[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]] +[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]] .UNINDENT .UNINDENT .sp @@ -206,7 +206,8 @@ Options: .TP .B \fB\-b7\fP requires the database to be in the Kerberos 5 Beta 7 format -("kdb5_util load_dump version 4"). +("kdb5_util load_dump version 4"). This was the dump format +produced on releases prior to 1.2.2. .TP .B \fB\-ov\fP requires the database to be in "ovsec_adm_import" format. Must be @@ -234,10 +235,7 @@ is dumped. .TP .B \fB\-update\fP records from the dump file are added to or updated in the existing -database. (This is useful in conjunction with an ovsec_adm_export -format dump if you want to preserve per\-principal policy -information, since the current default format does not contain -this data.) Otherwise, a new database is created containing only +database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. .UNINDENT @@ -270,7 +268,7 @@ values. The \fB\-s\fP option stashes the new master key in the stash file, which will be created if it doesn\(aqt already exist. .sp After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of \fIkprop(8)\fP. Then, +servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then, the stash files on the slave servers should be updated with the kdb5_util \fBstash\fP command. Once those steps are complete, the key is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. @@ -281,7 +279,7 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. .UNINDENT .UNINDENT .sp -Sets the activation time of the master key specified by \fImkeyVNO\fP. +Sets the activation time of the master key specified by \fImkeyVNO\fP\&. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no \fItime\fP argument is given, the current time is used, causing the specified master key version to become @@ -299,7 +297,7 @@ principal keys to be encrypted in the new master key. .sp List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP. A +each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A \fB*\fP following an mkey denotes the currently active master key. .SS purge_mkeys .INDENT 0.0 @@ -346,6 +344,6 @@ showing the actions which would have been taken. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index 2c6d387cc3..eb59629fc3 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -1,4 +1,6 @@ -.TH "KDC.CONF" "5" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KDC.CONF" "5" " " "1.12.2" "MIT Kerberos" .SH NAME kdc.conf \- Kerberos V5 KDC configuration file . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .sp The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and @@ -39,8 +39,8 @@ KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. .sp Normally, the kdc.conf file is found in the KDC state directory, -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP. You can override the default location by setting the -environment variable \fBKRB5_KDC_PROFILE\fP. +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\&. You can override the default location by setting the +environment variable \fBKRB5_KDC_PROFILE\fP\&. .sp Please note that you need to restart the KDC daemon for any configuration changes to take effect. @@ -116,6 +116,8 @@ Each tag in the [realms] section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm: +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C @@ -125,6 +127,8 @@ to define one parameter for the ATHENA.MIT.EDU realm: } .ft P .fi +.UNINDENT +.UNINDENT .sp The following tags may be specified in a [realms] subsection: .INDENT 0.0 @@ -133,8 +137,8 @@ The following tags may be specified in a [realms] subsection: (String.) Location of the access control list file that \fIkadmind(8)\fP uses to determine which principals are allowed which permissions on the Kerberos database. The default value is -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP. For more information on Kerberos ACL -file see \fIkadm5.acl(5)\fP. +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL +file see \fIkadm5.acl(5)\fP\&. .TP .B \fBdatabase_module\fP (String.) This relation indicates the name of the configuration @@ -147,7 +151,7 @@ values will be used for all database parameters. (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the \fI\%[dbmodules]\fP configuration section does not specify a -database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP. +database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP .B \fBdefault_principal_expiration\fP (\fIabstime\fP string.) Specifies the default expiration date of @@ -257,8 +261,8 @@ propagation is enabled. The default value is false. .TP .B \fBiprop_master_ulogsize\fP (Integer.) Specifies the maximum number of log entries to be -retained for incremental propagation. The maximum value is 2500; -the default value is 1000. +retained for incremental propagation. The default value is 1000. +Prior to release 1.11, the maximum value was 2500. .TP .B \fBiprop_slave_poll\fP (Delta time string.) Specifies how often the slave KDC polls for @@ -280,7 +284,7 @@ minutes (\fB5m\fP). New in release 1.11. (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the \fBdatabase_name\fP entry from the realms section of the krb5 config -file, with \fB.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt +file, with \fB\&.ulog\fP appended. (NOTE: If \fBdatabase_name\fP isn\(aqt specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard\-coded default for @@ -316,12 +320,12 @@ standard port number assigned for Kerberos TCP traffic is port 88. .TP .B \fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the -master key. The default is \fBK/M\fP. +master key. The default is \fBK/M\fP\&. .TP .B \fBmaster_key_type\fP (Key type string.) Specifies the master key\(aqs key type. The -default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP. For a list of all possible -values, see \fI\%Encryption types\fP. +default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible +values, see \fI\%Encryption types\fP\&. .TP .B \fBmax_life\fP (\fIduration\fP string.) Specifies the maximum time period for @@ -337,7 +341,7 @@ The default value is 0. (Whitespace\- or comma\-separated list.) Lists services to block from getting host\-based referral processing, even if the client marks the server principal as host\-based or the service is also -listed in \fBhost_based_services\fP. \fBno_host_referral = *\fP will +listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will disable referral processing altogether. .TP .B \fBdes_crc_session_supported\fP @@ -380,8 +384,8 @@ default value is false. New in release 1.9. (List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through \fIkadmin(1)\fP will have keys of these types. The -default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP. For lists of -possible values, see \fI\%Keysalt lists\fP. +default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of +possible values, see \fI\%Keysalt lists\fP\&. .UNINDENT .SS [dbdefaults] .sp @@ -410,6 +414,8 @@ library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm\(aqs \fBdatabase_module\fP parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm: +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C @@ -419,13 +425,15 @@ define one database parameter for the ATHENA.MIT.EDU realm: } .ft P .fi +.UNINDENT +.UNINDENT .sp The following tags may be specified in a [dbmodules] subsection: .INDENT 0.0 .TP .B \fBdatabase_name\fP This DB2\-specific tag indicates the location of the database in -the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP. +the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP .B \fBdb_library\fP This tag indicates the name of the loadable database module. The @@ -513,7 +521,7 @@ Values are of the following forms: .TP .B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP This value causes the daemon\(aqs logging messages to go to the -\fIfilename\fP. If the \fB=\fP form is used, the file is overwritten. +\fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten. If the \fB:\fP form is used, the file is appended to. .TP .B \fBSTDERR\fP @@ -535,23 +543,23 @@ The severity argument specifies the default severity of system log messages. This may be any of the following severities supported by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP, \fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP, -and \fBDEBUG\fP. +and \fBDEBUG\fP\&. .sp The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP, \fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP, -\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP. +\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. .sp -If no severity is specified, the default is \fBERR\fP. If no -facility is specified, the default is \fBAUTH\fP. +If no severity is specified, the default is \fBERR\fP\&. If no +facility is specified, the default is \fBAUTH\fP\&. .UNINDENT .sp In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging messages from the administrative server will be appended to the file -\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP. +\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP\&. .INDENT 0.0 .INDENT 3.5 .sp @@ -579,7 +587,7 @@ For each token type, the following tags may be specified: This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.socket\fP. +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.socket\fP\&. .TP .B \fBsecret\fP This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP) @@ -603,10 +611,10 @@ server. The default is 3 retries (4 tries). .B \fBstrip_realm\fP If this tag is \fBtrue\fP, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be -included. The default value is \fBtrue\fP. +included. The default value is \fBtrue\fP\&. .UNINDENT .sp -In the following example, requests are sent to a remote server via UDP. +In the following example, requests are sent to a remote server via UDP: .INDENT 0.0 .INDENT 3.5 .sp @@ -628,7 +636,7 @@ In the following example, requests are sent to a remote server via UDP. An implicit default token type named \fBDEFAULT\fP is defined for when the per\-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to -something applicable for your situation. +something applicable for your situation: .INDENT 0.0 .INDENT 3.5 .sp @@ -643,16 +651,20 @@ something applicable for your situation. .UNINDENT .UNINDENT .SH PKINIT OPTIONS -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 The following are pkinit\-specific options. These values may be specified in [kdcdefaults] as global defaults, or within a realm\-specific subsection of [realms]. Also note that a realm\-specific value over\-rides, does not add to, a generic [kdcdefaults] specification. The search order is: -.RE +.UNINDENT +.UNINDENT .INDENT 0.0 .IP 1. 3 -realm\-specific subsection of [realms], +realm\-specific subsection of [realms]: .INDENT 3.0 .INDENT 3.5 .sp @@ -667,7 +679,7 @@ realm\-specific subsection of [realms], .UNINDENT .UNINDENT .IP 2. 3 -generic value in the [kdcdefaults] section. +generic value in the [kdcdefaults] section: .INDENT 3.0 .INDENT 3.5 .sp @@ -683,7 +695,7 @@ generic value in the [kdcdefaults] section. .sp For information about the syntax of some of these options, see \fISpecifying PKINIT identity information\fP in -\fIkrb5.conf(5)\fP. +\fIkrb5.conf(5)\fP\&. .INDENT 0.0 .TP .B \fBpkinit_anchors\fP @@ -704,7 +716,7 @@ the certificate to the Kerberos principal name. The default value is false. .sp Without this option, the KDC will only accept certificates with -the id\-pkinit\-san as defined in \fI\%RFC 4556\fP. There is currently +the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently no option to disable SAN checking in the KDC. .TP .B \fBpkinit_eku_checking\fP @@ -716,7 +728,7 @@ recognized in the kdc.conf file are: .B \fBkpClientAuth\fP This is the default value and specifies that client certificates must have the id\-pkinit\-KPClientAuth EKU as -defined in \fI\%RFC 4556\fP. +defined in \fI\%RFC 4556\fP\&. .TP .B \fBscLogin\fP If scLogin is specified, client certificates with the @@ -736,10 +748,6 @@ This option is required if pkinit is to be supported by the KDC. .B \fBpkinit_kdc_ocsp\fP Specifies the location of the KDC\(aqs OCSP. .TP -.B \fBpkinit_mapping_file\fP -Specifies the name of the ACL pkinit mapping file. This file maps -principals to the certificates that they can use. -.TP .B \fBpkinit_pool\fP Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client\(aqs @@ -907,8 +915,8 @@ database. Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype\-salttype ("keysalt") pairs, known as \fIkeysalt -lists\fP. Each keysalt pair is an enctype name followed by a salttype -name, in the format \fIenc\fP:\fIsalt\fP. Individual keysalt list members are +lists\fP\&. Each keysalt pair is an enctype name followed by a salttype +name, in the format \fIenc\fP:\fIsalt\fP\&. Individual keysalt list members are separated by comma (",") characters or space characters. For example: .INDENT 0.0 .INDENT 3.5 @@ -1025,6 +1033,6 @@ Here\(aqs an example of a kdc.conf file: .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man index c280fbdf9a..af214ca09e 100644 --- a/src/man/kdestroy.man +++ b/src/man/kdestroy.man @@ -1,4 +1,6 @@ -.TH "KDESTROY" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KDESTROY" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kdestroy \- destroy Kerberos tickets . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkdestroy\fP @@ -74,7 +74,7 @@ kdestroy uses the following environment variable: .TP .B \fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may determine the availability of a cache collection; for instance, a default cache of type \fBDIR\fP causes caches within the directory @@ -92,6 +92,6 @@ Default location of Kerberos 5 credentials cache .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kinit.man b/src/man/kinit.man index 505839e3ce..f4f0357f60 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -1,4 +1,6 @@ -.TH "KINIT" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KINIT" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kinit \- obtain and cache Kerberos ticket-granting ticket . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkinit\fP @@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .SH DESCRIPTION .sp kinit obtains and caches an initial ticket\-granting ticket for -\fIprincipal\fP. +\fIprincipal\fP\&. .SH OPTIONS .INDENT 0.0 .TP @@ -65,9 +65,9 @@ display verbose output. .TP .B \fB\-l\fP \fIlifetime\fP (\fIduration\fP string.) Requests a ticket with the lifetime -\fIlifetime\fP. +\fIlifetime\fP\&. .sp -For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP. +For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&. .sp If the \fB\-l\fP option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime @@ -84,7 +84,7 @@ can become valid. .TP .B \fB\-r\fP \fIrenewable_life\fP (\fIduration\fP string.) Requests renewable tickets, with a total -lifetime of \fIrenewable_life\fP. +lifetime of \fIrenewable_life\fP\&. .TP .B \fB\-f\fP requests forwardable tickets. @@ -141,7 +141,7 @@ Requests anonymous processing. Two types of anonymous principals are supported. .sp For fully anonymous Kerberos, configure pkinit on the KDC and -configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP. +configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be @@ -224,7 +224,7 @@ kinit uses the following environment variables: .TP .B \fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials cache, in the form -\fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the \fBFILE\fP +\fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may determine the availability of a cache collection; for instance, a default cache of type \fBDIR\fP causes caches within the directory to be present @@ -245,6 +245,6 @@ default location for the local host\(aqs keytab. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/klist.man b/src/man/klist.man index 8d2ccb4fe4..1f6c32d2f8 100644 --- a/src/man/klist.man +++ b/src/man/klist.man @@ -1,4 +1,6 @@ -.TH "KLIST" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KLIST" "1" " " "1.12.2" "MIT Kerberos" .SH NAME klist \- list cached Kerberos tickets . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBklist\fP @@ -137,7 +137,7 @@ klist uses the following environment variable: .TP .B \fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may determine the availability of a cache collection; for instance, a default cache of type \fBDIR\fP causes caches within the directory @@ -158,6 +158,6 @@ Default location for the local host\(aqs keytab file. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man index 761be30144..ac70d30c96 100644 --- a/src/man/kpasswd.man +++ b/src/man/kpasswd.man @@ -1,4 +1,6 @@ -.TH "KPASSWD" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KPASSWD" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kpasswd \- change a user's Kerberos password . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkpasswd\fP [\fIprincipal\fP] @@ -59,6 +59,6 @@ identity of the user invoking the kpasswd command. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kprop.man b/src/man/kprop.man index 9c12bc0d6a..4d5b3810a7 100644 --- a/src/man/kprop.man +++ b/src/man/kprop.man @@ -1,4 +1,6 @@ -.TH "KPROP" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KPROP" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kprop \- propagate a Kerberos V5 principal database to a slave server . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkprop\fP @@ -43,8 +43,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .sp kprop is used to securely propagate a Kerberos V5 database dump file from the master Kerberos server to a slave Kerberos server, which is -specified by \fIslave_host\fP. The dump file must be created by -\fIkdb5_util(8)\fP. +specified by \fIslave_host\fP\&. The dump file must be created by +\fIkdb5_util(8)\fP\&. .SH OPTIONS .INDENT 0.0 .TP @@ -54,7 +54,7 @@ Specifies the realm of the master server. .B \fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP. +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&. .TP .B \fB\-P\fP \fIport\fP Specifies the port to use to contact the \fIkpropd(8)\fP server @@ -79,6 +79,6 @@ Specifies the location of the keytab file. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpropd.man b/src/man/kpropd.man index 96dcfb5c73..f054f9d08d 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -1,4 +1,6 @@ -.TH "KPROPD" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KPROPD" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kpropd \- Kerberos V5 slave KDC update server . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkpropd\fP @@ -50,7 +50,7 @@ from the master KDC. When the slave receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs \fIkdb5_util(8)\fP to load the dumped database into the active -database which is used by \fIkrb5kdc(8)\fP. This allows the master +database which is used by \fIkrb5kdc(8)\fP\&. This allows the master Kerberos server to use \fIkprop(8)\fP to propagate its database to the slave servers. Upon a successful download of the KDC database file, the slave Kerberos server will have an up\-to\-date KDC database. @@ -79,7 +79,7 @@ kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. .sp Incremental propagation may be enabled with the \fBiprop_enable\fP -variable in \fIkdc.conf(5)\fP. If incremental propagation is +variable in \fIkdc.conf(5)\fP\&. If incremental propagation is enabled, the slave periodically polls the master KDC for updates, at an interval determined by the \fBiprop_slave_poll\fP variable. If the slave receives updates, kpropd updates its log file with any updates @@ -100,11 +100,11 @@ Specifies the realm of the master server. .TP .B \fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is -to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP. +to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&. .TP .B \fB\-p\fP Allows the user to specify the pathname to the \fIkdb5_util(8)\fP -program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP. +program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&. .TP .B \fB\-d\fP Turn on debug mode. In this mode, kpropd will not detach @@ -118,7 +118,7 @@ is only useful in combination with the \fB\-S\fP option. .TP .B \fB\-a\fP \fIacl_file\fP Allows the user to specify the path to the kpropd.acl file; by -default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP. +default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&. .UNINDENT .SH ENVIRONMENT .sp @@ -134,9 +134,9 @@ kpropd uses the following environment variables: .TP .B kpropd.acl Access file for kpropd; the default location is -\fB/usr/local/var/krb5kdc/kpropd.acl\fP. Each entry is a line +\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line containing the principal of a host from which the local machine -will allow Kerberos database propagation via \fIkprop(8)\fP. +will allow Kerberos database propagation via \fIkprop(8)\fP\&. .UNINDENT .SH SEE ALSO .sp @@ -144,6 +144,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kproplog.man b/src/man/kproplog.man index 0418c64334..d2479e5989 100644 --- a/src/man/kproplog.man +++ b/src/man/kproplog.man @@ -1,4 +1,6 @@ -.TH "KPROPLOG" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KPROPLOG" "8" " " "1.12.2" "MIT Kerberos" .SH NAME kproplog \- display the contents of the Kerberos principal update log . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v] @@ -112,6 +112,6 @@ kproplog uses the following environment variables: .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man index 0c8cc3df9a..4fc22c9b8b 100644 --- a/src/man/krb5-config.man +++ b/src/man/krb5-config.man @@ -1,4 +1,6 @@ -.TH "KRB5-CONFIG" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KRB5-CONFIG" "1" " " "1.12.2" "MIT Kerberos" .SH NAME krb5-config \- tool for linking against MIT Kerberos libraries . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkrb5\-config\fP @@ -74,7 +74,7 @@ prints the built\-in default client (initiator) keytab location. prints the compilation flags used to build the Kerberos installation. .TP .B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP] -prints the compiler options needed to link against \fIlibrary\fP. +prints the compiler options needed to link against \fIlibrary\fP\&. Allowed values for \fIlibrary\fP are: .TS center; @@ -136,6 +136,6 @@ kerberos(1), cc(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 9784445850..9a5b0e9d44 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -1,4 +1,6 @@ -.TH "KRB5.CONF" "5" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KRB5.CONF" "5" " " "1.12.2" "MIT Kerberos" .SH NAME krb5.conf \- Kerberos configuration file . @@ -28,16 +30,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .sp The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory -\fB/etc\fP. You can override the default location by setting the -environment variable \fBKRB5_CONFIG\fP. +\fB/etc\fP\&. You can override the default location by setting the +environment variable \fBKRB5_CONFIG\fP\&. .SH STRUCTURE .sp The krb5.conf file is set up in the style of a Windows INI file. @@ -53,9 +53,10 @@ foo = bar .fi .UNINDENT .UNINDENT +.sp +or: .INDENT 0.0 -.TP -.B or +.INDENT 3.5 .sp .nf .ft C @@ -66,14 +67,16 @@ fubar = { .ft P .fi .UNINDENT +.UNINDENT .sp Placing a \(aq*\(aq at the end of a line indicates that this is the \fIfinal\fP value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. +.sp +For example, if you have the following lines: .INDENT 0.0 -.TP -.B For example, if you have the following lines: +.INDENT 3.5 .sp .nf .ft C @@ -82,6 +85,7 @@ foo = baz .ft P .fi .UNINDENT +.UNINDENT .sp then the second value of \fBfoo\fP (\fBbaz\fP) would never be read. .sp @@ -181,7 +185,7 @@ The libdefaults section may contain any of the following relations: If this flag is set to false, then weak encryption types (as noted in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered out of the lists \fBdefault_tgs_enctypes\fP, -\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP. The default +\fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag @@ -215,25 +219,25 @@ invalid. The default value is 300 seconds, or five minutes. .TP .B \fBdefault_ccache_name\fP This relation specifies the name of the default credential cache. -The default is \fB@CCNAME@\fP. This relation is subject to parameter +The default is \fB@CCNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP .B \fBdefault_client_keytab_name\fP This relation specifies the name of the default keytab for -obtaining client credentials. The default is \fB@CKTNAME@\fP. This +obtaining client credentials. The default is \fB@CKTNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP .B \fBdefault_keytab_name\fP This relation specifies the default keytab name to be used by -application servers such as sshd. The default is \fB@KTNAME@\fP. This +application servers such as sshd. The default is \fB@KTNAME@\fP\&. This relation is subject to parameter expansion (see below). .TP .B \fBdefault_realm\fP Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when -invoking programs such as \fIkinit(1)\fP. +invoking programs such as \fIkinit(1)\fP\&. .TP .B \fBdefault_tgs_enctypes\fP Identifies the supported list of session key encryption types that @@ -310,7 +314,7 @@ default value is false. New in release 1.10. .TP .B \fBk5login_authoritative\fP If this flag is true, principals must be listed in a local user\(aqs -k5login file to be granted login access, if a \fI.k5login(5)\fP +k5login file to be granted login access, if a \fI\&.k5login(5)\fP file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is @@ -468,7 +472,7 @@ ticket requests. The default value is 1 day. .B \fBudp_preference_limit\fP When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above -\fBudp_preference_limit\fP. If the message is smaller than +\fBudp_preference_limit\fP\&. If the message is smaller than \fBudp_preference_limit\fP, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. @@ -500,9 +504,9 @@ translated. The possible values are: .INDENT 7.0 .TP .B \fBRULE:\fP\fIexp\fP -The local name will be formulated from \fIexp\fP. +The local name will be formulated from \fIexp\fP\&. .sp -The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP. +The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. The integer \fIn\fP indicates how many components the target principal should have. If this matches, then a string will be formed from \fIstring\fP, substituting the realm of the principal @@ -513,15 +517,18 @@ for \fB$0\fP and the \fIn\fP\(aqth component of the principal for the \fBs//[g]\fP substitution command will be run over the string. The optional \fBg\fP will cause the substitution to be global over the \fIstring\fP, instead of replacing only the first -match in the \fIstring\fP. +match in the \fIstring\fP\&. .TP .B \fBDEFAULT\fP The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. -.TP -.B For example: +.UNINDENT +.sp +For example: +.INDENT 7.0 +.INDENT 3.5 .sp .nf .ft C @@ -535,14 +542,15 @@ will fail. .ft P .fi .UNINDENT +.UNINDENT .sp would result in any principal without \fBroot\fP or \fBadmin\fP as the second component to be translated with the default rule. A principal with a second component of \fBadmin\fP will become its first component. \fBroot\fP will be used as the local name for any -principal with a second component of \fBroot\fP. The exception to +principal with a second component of \fBroot\fP\&. The exception to these two rules are any principals \fBjohndoe/*\fP, which will -always get the local name \fBguest\fP. +always get the local name \fBguest\fP\&. .TP .B \fBauth_to_local_names\fP This subsection allows you to set explicit mappings from principal @@ -597,7 +605,7 @@ is the Kerberos V4 realm name. The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name or domain name, where domain names are indicated by a prefix of a -period (\fB.\fP). The value of the relation is the Kerberos realm name +period (\fB\&.\fP). The value of the relation is the Kerberos realm name for that particular host or domain. A host name relation implicitly provides the corresponding domain name relation, unless an explicit domain name relation is provided. The Kerberos realm may be @@ -620,10 +628,10 @@ Host names and domain names should be in lower case. For example: maps the host with the name \fBcrash.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm. The second entry maps all hosts under the domain \fBdev.mit.edu\fP into the \fBTEST.ATHENA.MIT.EDU\fP realm, but not -the host with the name \fBdev.mit.edu\fP. That host is matched +the host with the name \fBdev.mit.edu\fP\&. That host is matched by the third entry, which maps the host \fBmit.edu\fP and all hosts under the domain \fBmit.edu\fP that do not match a preceding rule -into the realm \fBATHENA.MIT.EDU\fP. +into the realm \fBATHENA.MIT.EDU\fP\&. .sp If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a @@ -660,7 +668,7 @@ a subtag of the server realm. For example, \fBANL.GOV\fP, \fBPNL.GOV\fP, and \fBNERSC.GOV\fP all wish to use the \fBES.NET\fP realm as an intermediate realm. ANL has a sub realm of \fBTEST.ANL.GOV\fP which will authenticate with \fBNERSC.GOV\fP -but not \fBPNL.GOV\fP. The [capaths] section for \fBANL.GOV\fP systems +but not \fBPNL.GOV\fP\&. The [capaths] section for \fBANL.GOV\fP systems would look like this: .INDENT 0.0 .INDENT 3.5 @@ -732,9 +740,10 @@ important to servers. Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. +.sp +For example: .INDENT 0.0 -.TP -.B For example: +.INDENT 3.5 .sp .nf .ft C @@ -755,6 +764,7 @@ value of the tag defines the default behaviors for that application. .ft P .fi .UNINDENT +.UNINDENT .sp The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running @@ -809,7 +819,7 @@ form \fBmodulename:pathname\fP, which causes the shared object located at \fIpathname\fP to be registered as a dynamic module named \fImodulename\fP for the pluggable interface. If \fIpathname\fP is not an absolute path, it will be treated as relative to the -\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP. +\fBplugin_base_dir\fP value from \fI\%[libdefaults]\fP\&. .UNINDENT .sp For pluggable interfaces where module order matters, modules @@ -930,21 +940,25 @@ realm\(aqs section, and applies the default method if no .TP .B \fBk5login\fP This module authorizes a principal to a local account according to -the account\(aqs \fI.k5login(5)\fP file. +the account\(aqs \fI\&.k5login(5)\fP file. .TP .B \fBan2ln\fP This module authorizes a principal to a local account if the principal name maps to the local account name. .UNINDENT .SH PKINIT OPTIONS -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 The following are PKINIT\-specific options. These values may be specified in [libdefaults] as global defaults, or within a realm\-specific subsection of [libdefaults], or may be specified as realm\-specific values in the [realms] section. A realm\-specific value overrides, not adds to, a generic [libdefaults] specification. The search order is: -.RE +.UNINDENT +.UNINDENT .INDENT 0.0 .IP 1. 3 realm\-specific subsection of [libdefaults]: @@ -962,7 +976,7 @@ realm\-specific subsection of [libdefaults]: .UNINDENT .UNINDENT .IP 2. 3 -realm\-specific value in the [realms] section, +realm\-specific value in the [realms] section: .INDENT 3.0 .INDENT 3.5 .sp @@ -977,7 +991,7 @@ realm\-specific value in the [realms] section, .UNINDENT .UNINDENT .IP 3. 3 -generic value in the [libdefaults] section. +generic value in the [libdefaults] section: .INDENT 3.0 .INDENT 3.5 .sp @@ -1015,19 +1029,19 @@ In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP specifies a directory with files named \fB*.crt\fP and \fB*.key\fP where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a -name ending with \fB.crt\fP is found, a matching file ending with -\fB.key\fP is assumed to contain the private key. If no such file -is found, then the certificate in the \fB.crt\fP is not used. +name ending with \fB\&.crt\fP is found, a matching file ending with +\fB\&.key\fP is assumed to contain the private key. If no such file +is found, then the certificate in the \fB\&.crt\fP is not used. .sp In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIdirname\fP is assumed to be an OpenSSL\-style hashed CA directory where each CA cert is -stored in a file named \fBhash\-of\-ca\-cert.#\fP. This infrastructure +stored in a file named \fBhash\-of\-ca\-cert.#\fP\&. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. .sp In \fBpkinit_revoke\fP, \fIdirname\fP is assumed to be an OpenSSL\-style hashed CA directory where each revocation list is stored in a file -named \fBhash\-of\-ca\-cert.r#\fP. This infrastructure is encouraged, +named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. .TP @@ -1038,8 +1052,8 @@ user\(aqs certificate and private key. .B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] All keyword/values are optional. \fImodname\fP specifies the location of a library implementing PKCS #11. If a value is encountered -with no keyword, it is assumed to be the \fImodname\fP. If no -module\-name is specified, the default is \fBopensc\-pkcs11.so\fP. +with no keyword, it is assumed to be the \fImodname\fP\&. If no +module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&. \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of a particular smard card reader or token if there is more than one available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to @@ -1051,7 +1065,7 @@ to select a particular certificate to use for PKINIT. \fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY\fP, where environment variable -\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP. +\fBX509_PROXY\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&. .UNINDENT .SS PKINIT krb5.conf options .INDENT 0.0 @@ -1089,7 +1103,7 @@ where: .B \fIrelation\-operator\fP can be either \fB&&\fP, meaning all component rules must match, or \fB||\fP, meaning only one component rule must match. The -default is \fB&&\fP. +default is \fB&&\fP\&. .TP .B \fIcomponent\-rule\fP can be one of the following. Note that there is no @@ -1158,11 +1172,12 @@ recognized in the krb5.conf file are: .TP .B \fBkpKDC\fP This is the default value and specifies that the KDC must have -the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP. +the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&. .TP .B \fBkpServerAuth\fP If \fBkpServerAuth\fP is specified, a KDC certificate with the -id\-kp\-serverAuth EKU as used by Microsoft will be accepted. +id\-kp\-serverAuth EKU will be accepted. This key usage value +is used in most commercially issued server certificates. .TP .B \fBnone\fP If \fBnone\fP is specified, then the KDC certificate will not be @@ -1187,7 +1202,7 @@ these values are not used if the user specifies The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as -defined in \fI\%RFC 4556\fP. This option may be specified multiple +defined in \fI\%RFC 4556\fP\&. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). .TP @@ -1222,11 +1237,6 @@ information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. .TP -.B \fBpkinit_win2k\fP -This flag specifies whether the target realm is assumed to support -only the old, pre\-RFC version of the protocol. The default is -false. -.TP .B \fBpkinit_win2k_require_binding\fP If this flag is set to true, it expects that the target KDC is patched to return a reply with a checksum rather than a nonce. @@ -1396,6 +1406,6 @@ syslog(3) .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index c456b1bee7..7e4070036e 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man @@ -1,4 +1,6 @@ -.TH "KRB5KDC" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KRB5KDC" "8" " " "1.12.2" "MIT Kerberos" .SH NAME krb5kdc \- Kerberos V5 KDC . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkrb5kdc\fP @@ -59,7 +59,7 @@ LDAP database. .sp The \fB\-k\fP \fIkeytype\fP option specifies the key type of the master key to be entered manually as a password when \fB\-m\fP is given; the default -is \fBdes\-cbc\-crc\fP. +is \fBdes\-cbc\-crc\fP\&. .sp The \fB\-M\fP \fImkeyname\fP option specifies the principal name for the master key in the database (usually \fBK/M\fP in the KDC\(aqs realm). @@ -91,48 +91,21 @@ the \fB\-P\fP option is also given) acts as a supervisor. The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 On operating systems which do not have \fIpktinfo\fP support, using worker processes will prevent the KDC from listening for UDP packets on network interfaces created after the KDC starts. -.RE -.sp -The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. -Options supported for the LDAP database module are: -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-x\fP nconns= -Specifies the number of connections to be maintained per -LDAP server. -.TP -.B \fB\-x\fP host= -Specifies the LDAP server to connect to by URI. -.TP -.B \fB\-x\fP binddn= -Specifies the DN of the object used by the KDC server to bind -to the LDAP server. This object should have read and write -privileges to the realm container, the principal container, -and the subtree that is referenced by the realm. -.TP -.B \fB\-x\fP bindpwd= -Specifies the password for the above mentioned binddn. Using -this option may expose the password to other users on the -system via the process list; to avoid this, instead stash the -password using the \fBstashsrvpw\fP command of -\fIkdb5_ldap_util(8)\fP. -.TP -.B \fB\-x debug=\fP\fIlevel\fP -sets the OpenLDAP client library debug level. \fIlevel\fP is an -integer to be interpreted by the library. Debugging messages -are printed to standard error, so this option must be used -with the \fB\-n\fP option to be useful. New in release 1.12. -.UNINDENT .UNINDENT .UNINDENT .sp +The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. +See \fIDatabase Options\fP in \fIkadmin(1)\fP for +supported arguments. +.sp The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes. .SH EXAMPLE @@ -177,6 +150,6 @@ krb5kdc uses the following environment variables: .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/ksu.man b/src/man/ksu.man index 0b45bde7c7..5872ecd0c9 100644 --- a/src/man/ksu.man +++ b/src/man/ksu.man @@ -1,4 +1,6 @@ -.TH "KSU" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KSU" "1" " " "1.12.2" "MIT Kerberos" .SH NAME ksu \- Kerberized super-user . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBksu\fP @@ -53,14 +53,18 @@ Kerberos version 5 server running to use ksu. ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context. -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 For the sake of clarity, all references to and attributes of the user invoking the program will start with "source" (e.g., "source user", "source cache", etc.). .sp Likewise, all references to and attributes of the target account will start with "target". -.RE +.UNINDENT +.UNINDENT .SH AUTHENTICATION .sp To fulfill the first mission, ksu operates in two phases: @@ -70,7 +74,7 @@ principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic@USC.EDU\fP) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see \fB\-n\fP option). The target user name must be the first argument to ksu; if not specified root is the -default. If \fB.\fP is specified then the target user will be the +default. If \fB\&.\fP is specified then the target user will be the source user (e.g., \fBksu .\fP). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket @@ -96,12 +100,13 @@ option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user\(aqs home directory, ksu attempts to access two authorization files: -\fI.k5login(5)\fP and .k5users. In the .k5login file each line +\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. +.sp +For example: .INDENT 0.0 -.TP -.B For example: +.INDENT 3.5 .sp .nf .ft C @@ -111,6 +116,7 @@ jqpublic/admin@USC.EDU .ft P .fi .UNINDENT +.UNINDENT .sp The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to @@ -165,11 +171,15 @@ server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails. -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 During authentication, only the tickets that could be obtained without providing a password are cached in in the source cache. -.RE +.UNINDENT +.UNINDENT .SH OPTIONS .INDENT 0.0 .TP @@ -186,10 +196,10 @@ Case 1: source user is non\-root. If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to -\fBtarget_user@local_realm\fP. If the source and target users are +\fBtarget_user@local_realm\fP\&. If the source and target users are different and neither \fB~target_user/.k5users\fP nor \fB~target_user/.k5login\fP exist then the default principal name -is \fBtarget_user_login_name@local_realm\fP. Otherwise, starting +is \fBtarget_user_login_name@local_realm\fP\&. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source @@ -218,15 +228,15 @@ principal name equal to the prefix of the candidate. For example if candidate a) is \fBjqpublic@ISI.EDU\fP and \fBjqpublic/secure@ISI.EDU\fP is authorized to access the target account then the default principal is set to -\fBjqpublic/secure@ISI.EDU\fP. +\fBjqpublic/secure@ISI.EDU\fP\&. .IP \(bu 2 Case 2: source user is root. .sp If the target user is non\-root then the default principal name -is \fBtarget_user@local_realm\fP. Else, if the source cache +is \fBtarget_user@local_realm\fP\&. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not -exist, default principal name is set to \fBroot\e@local_realm\fP. +exist, default principal name is set to \fBroot\e@local_realm\fP\&. .UNINDENT .UNINDENT .sp @@ -236,7 +246,7 @@ exist, default principal name is set to \fBroot\e@local_realm\fP. Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP). If \fB\-c\fP option is not used then the name is obtained from \fBKRB5CCNAME\fP environment variable. If \fBKRB5CCNAME\fP is not -defined the source cache name is set to \fBkrb5cc_\fP. +defined the source cache name is set to \fBkrb5cc_\fP\&. The target cache name is automatically set to \fBkrb5cc_.(gen_sym())\fP, where gen_sym generates a new number such that the resulting cache does not already exist. For example: @@ -376,7 +386,7 @@ full path or just the program name. .B \fB\-a\fP \fIargs\fP Specify arguments to be passed to the target shell. Note that all flags and parameters following \-a will be passed to the shell, -thus all options intended for ksu must precede \fB\-a\fP. +thus all options intended for ksu must precede \fB\-a\fP\&. .sp The \fB\-a\fP option can be used to simulate the \fB\-e\fP option if used as follows: @@ -421,8 +431,11 @@ If the source user is non\-root, ksu insists that the target user\(aqs shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is called to obtain the names of "legal shells". Note that the target user\(aqs shell is obtained from the passwd file. -.TP -.B Sample configuration: +.UNINDENT +.sp +Sample configuration: +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C @@ -430,6 +443,7 @@ KSU_OPTS = \-DGET_TGT_VIA_PASSWD \-DPRINC_LOOK_AHEAD \-DCMD_PATH=\(aq"/bin /usr/ .ft P .fi .UNINDENT +.UNINDENT .sp ksu should be owned by root and have the set user id bit turned on. .sp @@ -446,6 +460,6 @@ GENNADY (ARI) MEDVINSKY .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kswitch.man b/src/man/kswitch.man index 08dbc589f7..d93a1dddfb 100644 --- a/src/man/kswitch.man +++ b/src/man/kswitch.man @@ -1,4 +1,6 @@ -.TH "KSWITCH" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KSWITCH" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kswitch \- switch primary ticket cache . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkswitch\fP @@ -46,7 +46,7 @@ Directly specifies the credential cache to be made primary. .TP .B \fB\-p\fP \fIprincipal\fP Causes the cache collection to be searched for a cache containing -credentials for \fIprincipal\fP. If one is found, that collection is +credentials for \fIprincipal\fP\&. If one is found, that collection is made primary. .UNINDENT .SH ENVIRONMENT @@ -56,7 +56,7 @@ kswitch uses the following environment variables: .TP .B \fBKRB5CCNAME\fP Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP. If no \fItype\fP prefix is present, the +the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP type is assumed. The type of the default cache may determine the availability of a cache collection; for instance, a default cache of type \fBDIR\fP causes caches within the directory @@ -74,6 +74,6 @@ Default location of Kerberos 5 credentials cache .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/ktutil.man b/src/man/ktutil.man index 9f73c242cd..293295f38b 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -1,4 +1,6 @@ -.TH "KTUTIL" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KTUTIL" "1" " " "1.12.2" "MIT Kerberos" .SH NAME ktutil \- Kerberos keytab file maintenance utility . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBktutil\fP @@ -76,7 +76,7 @@ Alias: \fBrst\fP .UNINDENT .UNINDENT .sp -Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP. +Write the current keylist into the Kerberos V5 keytab file \fIkeytab\fP\&. .sp Alias: \fBwkt\fP .SS write_st @@ -86,7 +86,7 @@ Alias: \fBwkt\fP .UNINDENT .UNINDENT .sp -Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP. +Write the current keylist into the Kerberos V4 srvtab file \fIsrvtab\fP\&. .sp Alias: \fBwst\fP .SS clear_list @@ -143,6 +143,8 @@ Aliases: \fBexit\fP, \fBq\fP .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.INDENT 0.0 +.INDENT 3.5 .sp .nf .ft C @@ -158,12 +160,14 @@ ktutil: .fi .UNINDENT .UNINDENT +.UNINDENT +.UNINDENT .SH SEE ALSO .sp \fIkadmin(1)\fP, \fIkdb5_util(8)\fP .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kvno.man b/src/man/kvno.man index 90ee497634..304d5f20d4 100644 --- a/src/man/kvno.man +++ b/src/man/kvno.man @@ -1,4 +1,6 @@ -.TH "KVNO" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "KVNO" "1" " " "1.12.2" "MIT Kerberos" .SH NAME kvno \- print key version numbers of Kerberos principals . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBkvno\fP @@ -74,13 +74,13 @@ conjunction with protocol transition. .B \fB\-S\fP \fIsname\fP Specifies that the \fIservice1 service2\fP ... arguments are interpreted as hostnames, and the service principals are to be -constructed from those hostnames and the service name \fIsname\fP. +constructed from those hostnames and the service name \fIsname\fP\&. The service hostnames will be canonicalized according to the usual rules for constructing service principals. .TP .B \fB\-U\fP \fIfor_user\fP Specifies that protocol transition (S4U2Self) is to be used to -acquire a ticket on behalf of \fIfor_user\fP. If constrained +acquire a ticket on behalf of \fIfor_user\fP\&. If constrained delegation is not requested, the service name must match the credentials cache client principal. .UNINDENT @@ -104,6 +104,6 @@ Default location of the credentials cache .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sclient.man b/src/man/sclient.man index 3133742b10..d9b93b88e6 100644 --- a/src/man/sclient.man +++ b/src/man/sclient.man @@ -1,4 +1,6 @@ -.TH "SCLIENT" "1" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "SCLIENT" "1" " " "1.12.2" "MIT Kerberos" .SH NAME sclient \- sample Kerberos version 5 client . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBsclient\fP \fIremotehost\fP @@ -45,6 +45,6 @@ the server\(aqs response. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sserver.man b/src/man/sserver.man index 515c827272..c7a971f688 100644 --- a/src/man/sserver.man +++ b/src/man/sserver.man @@ -1,4 +1,6 @@ -.TH "SSERVER" "8" " " "1.12.1" "MIT Kerberos" +.\" Man page generated from reStructuredText. +. +.TH "SSERVER" "8" " " "1.12.2" "MIT Kerberos" .SH NAME sserver \- sample Kerberos version 5 server . @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH SYNOPSIS .sp \fBsserver\fP @@ -46,9 +46,9 @@ good test that Kerberos has been successfully installed on a machine. .sp The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service -\fBsample/hostname.domain.name@REALM.NAME\fP. This keytab is generated +\fBsample/hostname.domain.name@REALM.NAME\fP\&. This keytab is generated using the \fIkadmin(1)\fP program. The keytab file is usually -installed as \fB@KTNAME@\fP. +installed as \fB@KTNAME@\fP\&. .sp The \fB\-S\fP option allows for a different keytab than the default. .sp @@ -81,7 +81,7 @@ sample 13135/tcp .sp When using sclient, you will first have to have an entry in the Kerberos database, by using \fIkadmin(1)\fP, and then you have to get -Kerberos tickets, by using \fIkinit(1)\fP. Also, if you are running +Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both @@ -110,7 +110,7 @@ kinit returns the error: .nf .ft C kinit: Client not found in Kerberos database while getting - initial credentials + initial credentials .ft P .fi .UNINDENT @@ -156,7 +156,7 @@ sclient returns the error: .nf .ft C sclient: Server not found in Kerberos database while using - sendauth + sendauth .ft P .fi .UNINDENT @@ -189,6 +189,6 @@ probably not installed in the proper directory. .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . diff --git a/src/patchlevel.h b/src/patchlevel.h index c8ea0bb703..332fc53245 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -51,7 +51,7 @@ */ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 12 -#define KRB5_PATCHLEVEL 1 -#define KRB5_RELTAIL "postrelease" +#define KRB5_PATCHLEVEL 2 +/* #undef KRB5_RELTAIL */ /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "krb5-1.12" +#define KRB5_RELTAG "krb5-1.12.2-final" diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot index 1ca3551f4d..c2019e0c01 100644 --- a/src/po/mit-krb5.pot +++ b/src/po/mit-krb5.pot @@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: mit-krb5 1.12.1\n" +"Project-Id-Version: mit-krb5 1.12.2\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2014-01-15 19:18-0500\n" +"POT-Creation-Date: 2014-08-11 17:02-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -54,7 +54,7 @@ msgstr "" #: ../../src/clients/kdestroy/kdestroy.c:126 #: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:134 #: ../../src/clients/kswitch/kswitch.c:97 ../../src/kadmin/ktutil/ktutil.c:52 -#: ../../src/kdc/main.c:926 ../../src/slave/kprop.c:104 +#: ../../src/kdc/main.c:928 ../../src/slave/kprop.c:104 #: ../../src/slave/kpropd.c:1090 msgid "while initializing krb5" msgstr "" @@ -605,7 +605,7 @@ msgid "while retrieving a ticket" msgstr "" #: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:466 -#: ../../src/slave/kpropd.c:1298 ../../src/slave/kpropd.c:1361 +#: ../../src/slave/kpropd.c:1299 ../../src/slave/kpropd.c:1362 msgid "while unparsing client name" msgstr "" @@ -2326,21 +2326,25 @@ msgstr "" msgid "while initializing the Kerberos admin interface" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:197 +#: ../../src/kadmin/dbutil/kadm5_create.c:172 #, c-format msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:218 +#: ../../src/kadmin/dbutil/kadm5_create.c:193 #, c-format msgid "Out of memory\n" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:290 +#: ../../src/kadmin/dbutil/kadm5_create.c:263 +msgid "while appending realm to principal" +msgstr "" + +#: ../../src/kadmin/dbutil/kadm5_create.c:268 msgid "while parsing admin principal name" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:300 +#: ../../src/kadmin/dbutil/kadm5_create.c:278 #, c-format msgid "while creating principal %s" msgstr "" @@ -3357,7 +3361,7 @@ msgstr "" msgid "starting" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:659 ../../src/kdc/main.c:1061 +#: ../../src/kadmin/server/ovsec_kadmd.c:659 ../../src/kdc/main.c:1063 #, c-format msgid "%s: starting...\n" msgstr "" @@ -3409,7 +3413,7 @@ msgstr "" msgid "chpw request from %s for %.*s%s: %s" msgstr "" -#: ../../src/kadmin/server/schpw.c:463 +#: ../../src/kadmin/server/schpw.c:464 #, c-format msgid "chpw: Couldn't open admin keytab %s" msgstr "" @@ -3678,90 +3682,90 @@ msgid "" "arguments\n" msgstr "" -#: ../../src/kdc/main.c:655 ../../src/kdc/main.c:662 ../../src/kdc/main.c:774 +#: ../../src/kdc/main.c:655 ../../src/kdc/main.c:662 ../../src/kdc/main.c:776 #, c-format msgid " KDC cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733 +#: ../../src/kdc/main.c:681 ../../src/kdc/main.c:724 ../../src/kdc/main.c:735 #, c-format msgid "%s: KDC cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816 +#: ../../src/kdc/main.c:701 ../../src/kdc/main.c:818 #, c-format msgid "%s: cannot initialize realm %s - see log file for details\n" msgstr "" -#: ../../src/kdc/main.c:710 +#: ../../src/kdc/main.c:712 #, c-format msgid "%s: cannot initialize realm %s. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:761 +#: ../../src/kdc/main.c:763 #, c-format msgid "invalid enctype %s" msgstr "" -#: ../../src/kdc/main.c:804 +#: ../../src/kdc/main.c:806 msgid "while attempting to retrieve default realm" msgstr "" -#: ../../src/kdc/main.c:806 +#: ../../src/kdc/main.c:808 #, c-format msgid "%s: %s, attempting to retrieve default realm\n" msgstr "" -#: ../../src/kdc/main.c:912 +#: ../../src/kdc/main.c:914 #, c-format msgid "%s: cannot get memory for realm list\n" msgstr "" -#: ../../src/kdc/main.c:947 +#: ../../src/kdc/main.c:949 msgid "while initializing lookaside cache" msgstr "" -#: ../../src/kdc/main.c:955 +#: ../../src/kdc/main.c:957 msgid "while creating main loop" msgstr "" -#: ../../src/kdc/main.c:965 +#: ../../src/kdc/main.c:967 msgid "while initializing SAM" msgstr "" -#: ../../src/kdc/main.c:1011 +#: ../../src/kdc/main.c:1013 msgid "while initializing routing socket" msgstr "" -#: ../../src/kdc/main.c:1017 +#: ../../src/kdc/main.c:1019 msgid "while initializing signal handlers" msgstr "" -#: ../../src/kdc/main.c:1024 +#: ../../src/kdc/main.c:1026 msgid "while initializing network" msgstr "" -#: ../../src/kdc/main.c:1029 +#: ../../src/kdc/main.c:1031 msgid "while detaching from tty" msgstr "" -#: ../../src/kdc/main.c:1036 +#: ../../src/kdc/main.c:1038 msgid "while creating PID file" msgstr "" -#: ../../src/kdc/main.c:1045 +#: ../../src/kdc/main.c:1047 msgid "creating worker processes" msgstr "" -#: ../../src/kdc/main.c:1055 +#: ../../src/kdc/main.c:1057 msgid "while loading audit plugin module(s)" msgstr "" -#: ../../src/kdc/main.c:1059 +#: ../../src/kdc/main.c:1061 msgid "commencing operation" msgstr "" -#: ../../src/kdc/main.c:1067 +#: ../../src/kdc/main.c:1069 msgid "shutting down" msgstr "" @@ -3894,107 +3898,107 @@ msgstr "" msgid "Failed to reconfigure network, exiting" msgstr "" -#: ../../src/lib/apputils/net-server.c:1077 +#: ../../src/lib/apputils/net-server.c:1081 #, c-format msgid "" "unhandled routing message type %d, will reconfigure just for the fun of it" msgstr "" -#: ../../src/lib/apputils/net-server.c:1111 +#: ../../src/lib/apputils/net-server.c:1115 #, c-format msgid "short read (%d/%d) from routing socket" msgstr "" -#: ../../src/lib/apputils/net-server.c:1118 +#: ../../src/lib/apputils/net-server.c:1122 #, c-format msgid "got routing msg type %d(%s) v%d" msgstr "" -#: ../../src/lib/apputils/net-server.c:1127 +#: ../../src/lib/apputils/net-server.c:1131 #, c-format msgid "read %d from routing socket but msglen is %d" msgstr "" -#: ../../src/lib/apputils/net-server.c:1159 +#: ../../src/lib/apputils/net-server.c:1163 #, c-format msgid "couldn't set up routing socket: %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1162 +#: ../../src/lib/apputils/net-server.c:1166 #, c-format msgid "routing socket is fd %d" msgstr "" -#: ../../src/lib/apputils/net-server.c:1188 +#: ../../src/lib/apputils/net-server.c:1192 msgid "setting up network..." msgstr "" -#: ../../src/lib/apputils/net-server.c:1205 +#: ../../src/lib/apputils/net-server.c:1209 #, c-format msgid "set up %d sockets" msgstr "" -#: ../../src/lib/apputils/net-server.c:1207 +#: ../../src/lib/apputils/net-server.c:1211 msgid "no sockets set up?" msgstr "" -#: ../../src/lib/apputils/net-server.c:1455 -#: ../../src/lib/apputils/net-server.c:1509 +#: ../../src/lib/apputils/net-server.c:1459 +#: ../../src/lib/apputils/net-server.c:1513 msgid "while dispatching (udp)" msgstr "" -#: ../../src/lib/apputils/net-server.c:1484 +#: ../../src/lib/apputils/net-server.c:1488 #, c-format msgid "while sending reply to %s/%s from %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1489 +#: ../../src/lib/apputils/net-server.c:1493 #, c-format msgid "short reply write %d vs %d\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1534 +#: ../../src/lib/apputils/net-server.c:1538 msgid "while receiving from network" msgstr "" -#: ../../src/lib/apputils/net-server.c:1550 +#: ../../src/lib/apputils/net-server.c:1554 #, c-format msgid "pktinfo says local addr is %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1583 +#: ../../src/lib/apputils/net-server.c:1587 msgid "too many connections" msgstr "" -#: ../../src/lib/apputils/net-server.c:1606 +#: ../../src/lib/apputils/net-server.c:1610 #, c-format msgid "dropping %s fd %d from %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1684 +#: ../../src/lib/apputils/net-server.c:1688 #, c-format msgid "allocating buffer for new TCP session from %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1714 +#: ../../src/lib/apputils/net-server.c:1718 msgid "while dispatching (tcp)" msgstr "" -#: ../../src/lib/apputils/net-server.c:1746 +#: ../../src/lib/apputils/net-server.c:1750 msgid "error allocating tcp dispatch private!" msgstr "" -#: ../../src/lib/apputils/net-server.c:1793 +#: ../../src/lib/apputils/net-server.c:1797 #, c-format msgid "TCP client %s wants %lu bytes, cap is %lu" msgstr "" -#: ../../src/lib/apputils/net-server.c:1801 +#: ../../src/lib/apputils/net-server.c:1805 #, c-format msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1980 +#: ../../src/lib/apputils/net-server.c:1984 #, c-format msgid "accepted RPC connection on socket %d from %s" msgstr "" @@ -4199,23 +4203,23 @@ msgstr "" msgid "An expected per-message token was not received" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1826 +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1825 msgid "SPNEGO cannot find mechanisms to negotiate" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1831 +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1830 msgid "SPNEGO failed to acquire creds" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1836 +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1835 msgid "SPNEGO acceptor did not select a mechanism" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1841 +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1840 msgid "SPNEGO failed to negotiate a mechanism" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1846 +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1845 msgid "SPNEGO acceptor did not return a valid token" msgstr "" @@ -4459,7 +4463,7 @@ msgstr "" msgid "Unable to decrypt latest master key with the provided master key\n" msgstr "" -#: ../../src/lib/kdb/kdb_log.c:101 +#: ../../src/lib/kdb/kdb_log.c:102 msgid "ulog_sync_header: could not sync to disk" msgstr "" @@ -4504,13 +4508,13 @@ msgstr "" msgid "Credentials cache I/O operation failed (%s)" msgstr "" -#: ../../src/lib/krb5/ccache/cc_keyring.c:1421 +#: ../../src/lib/krb5/ccache/cc_keyring.c:1423 msgid "" "Can't create new subsidiary cache because default cache is already a " "subsdiary" msgstr "" -#: ../../src/lib/krb5/ccache/cc_keyring.c:1731 +#: ../../src/lib/krb5/ccache/cc_keyring.c:1733 #, c-format msgid "Credentials cache keyring '%s' not found" msgstr "" @@ -4651,12 +4655,12 @@ msgstr "" msgid "Reply has wrong form of session key for anonymous request" msgstr "" -#: ../../src/lib/krb5/krb/get_in_tkt.c:1631 +#: ../../src/lib/krb5/krb/get_in_tkt.c:1661 #, c-format msgid "%s while storing credentials" msgstr "" -#: ../../src/lib/krb5/krb/get_in_tkt.c:1719 +#: ../../src/lib/krb5/krb/get_in_tkt.c:1749 #, c-format msgid "Client '%s' not found in Kerberos database" msgstr "" @@ -4795,7 +4799,7 @@ msgstr "" msgid "Challenge from authentication server" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:165 +#: ../../src/lib/krb5/krb/preauth_sam2.c:166 msgid "SAM Authentication" msgstr "" @@ -4823,7 +4827,7 @@ msgstr "" msgid "Cannot find KDC for realm \"%.*s\"" msgstr "" -#: ../../src/lib/krb5/os/sendto_kdc.c:225 +#: ../../src/lib/krb5/os/sendto_kdc.c:226 #, c-format msgid "Cannot contact any KDC for realm '%.*s'" msgstr "" @@ -5314,7 +5318,7 @@ msgstr "" msgid "Default realm not set" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:259 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262 msgid "DN information missing" msgstr "" @@ -5340,72 +5344,72 @@ msgstr "" msgid "%s option value missing" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:525 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:549 msgid "Principal does not belong to the default realm" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:596 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:618 #, c-format msgid "" "operation can not continue, more than one entry with principal name \"%s\" " "found" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:661 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:682 #, c-format msgid "'%s' not found: " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:743 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:761 msgid "DN is out of the realm subtree" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:798 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:817 #, c-format msgid "ldap object is already kerberized" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:818 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:837 #, c-format msgid "" "link information can not be set/updated as the kerberos principal belongs to " "an ldap object" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:833 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:852 #, c-format msgid "Failed getting object references" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:840 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:859 #, c-format msgid "kerberos principal is already linked to a ldap object" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1148 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167 msgid "ticket policy object value: " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1196 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215 #, c-format msgid "Principal delete failed (trying to replace entry): %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1206 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225 #, c-format msgid "Principal add failed: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1244 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263 #, c-format msgid "User modification failed: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1311 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336 msgid "Error reading ticket policy. " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1376 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1401 #, c-format msgid "unable to decode stored principal key data (%s)" msgstr "" @@ -5414,43 +5418,43 @@ msgstr "" msgid "Realm information not available" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:296 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:295 msgid "Error reading ticket policy: " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:309 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:308 #, c-format msgid "Realm Delete FAILED: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:383 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:388 msgid "subtree value: " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:400 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:405 msgid "container reference value: " msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:484 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:489 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:555 msgid "Kerberos Container information is missing" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:497 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:502 msgid "Invalid Kerberos container DN" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:514 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:519 #, c-format msgid "Kerberos Container create FAILED: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:559 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:564 #, c-format msgid "Kerberos Container delete FAILED: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:635 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:640 msgid "realm object value: " msgstr "" @@ -5505,7 +5509,7 @@ msgstr "" #: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667 #: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:691 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4332 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4339 msgid "Pass phrase for" msgstr "" @@ -5522,7 +5526,7 @@ msgstr "" msgid "wrong oid\n" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6186 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6190 #, c-format msgid "unknown code 0x%x" msgstr "" @@ -5620,7 +5624,7 @@ msgstr "" msgid "while connecting to server" msgstr "" -#: ../../src/slave/kprop.c:373 ../../src/slave/kpropd.c:1286 +#: ../../src/slave/kprop.c:373 ../../src/slave/kpropd.c:1287 msgid "while getting local socket address" msgstr "" @@ -5637,7 +5641,7 @@ msgid "while authenticating to server" msgstr "" #: ../../src/slave/kprop.c:418 ../../src/slave/kprop.c:638 -#: ../../src/slave/kpropd.c:1622 +#: ../../src/slave/kpropd.c:1623 #, c-format msgid "Generic remote error: %s\n" msgstr "" @@ -6097,121 +6101,121 @@ msgstr "" msgid "copying db args" msgstr "" -#: ../../src/slave/kpropd.c:1221 +#: ../../src/slave/kpropd.c:1222 msgid "while trying to construct my service name" msgstr "" -#: ../../src/slave/kpropd.c:1228 +#: ../../src/slave/kpropd.c:1229 msgid "while constructing my service realm" msgstr "" -#: ../../src/slave/kpropd.c:1237 +#: ../../src/slave/kpropd.c:1238 msgid "while allocating filename for temp file" msgstr "" -#: ../../src/slave/kpropd.c:1243 +#: ../../src/slave/kpropd.c:1244 msgid "while initializing" msgstr "" -#: ../../src/slave/kpropd.c:1252 +#: ../../src/slave/kpropd.c:1253 msgid "Unable to map log!\n" msgstr "" -#: ../../src/slave/kpropd.c:1308 +#: ../../src/slave/kpropd.c:1309 #, c-format msgid "Error in krb5_auth_con_ini: %s" msgstr "" -#: ../../src/slave/kpropd.c:1316 +#: ../../src/slave/kpropd.c:1317 #, c-format msgid "Error in krb5_auth_con_setflags: %s" msgstr "" -#: ../../src/slave/kpropd.c:1324 +#: ../../src/slave/kpropd.c:1325 #, c-format msgid "Error in krb5_auth_con_setaddrs: %s" msgstr "" -#: ../../src/slave/kpropd.c:1332 +#: ../../src/slave/kpropd.c:1333 #, c-format msgid "Error in krb5_kt_resolve: %s" msgstr "" -#: ../../src/slave/kpropd.c:1341 +#: ../../src/slave/kpropd.c:1342 #, c-format msgid "Error in krb5_recvauth: %s" msgstr "" -#: ../../src/slave/kpropd.c:1348 +#: ../../src/slave/kpropd.c:1349 #, c-format msgid "Error in krb5_copy_prinicpal: %s" msgstr "" -#: ../../src/slave/kpropd.c:1367 +#: ../../src/slave/kpropd.c:1368 msgid "while unparsing ticket etype" msgstr "" -#: ../../src/slave/kpropd.c:1371 +#: ../../src/slave/kpropd.c:1372 #, c-format msgid "authenticated client: %s (etype == %s)\n" msgstr "" -#: ../../src/slave/kpropd.c:1457 +#: ../../src/slave/kpropd.c:1458 msgid "while reading size of database from client" msgstr "" -#: ../../src/slave/kpropd.c:1468 +#: ../../src/slave/kpropd.c:1469 msgid "while decoding database size from client" msgstr "" -#: ../../src/slave/kpropd.c:1483 +#: ../../src/slave/kpropd.c:1484 msgid "while initializing i_vector" msgstr "" -#: ../../src/slave/kpropd.c:1488 +#: ../../src/slave/kpropd.c:1489 #, c-format msgid "Full propagation transfer started.\n" msgstr "" -#: ../../src/slave/kpropd.c:1544 +#: ../../src/slave/kpropd.c:1545 #, c-format msgid "Full propagation transfer finished.\n" msgstr "" -#: ../../src/slave/kpropd.c:1617 +#: ../../src/slave/kpropd.c:1618 msgid "while decoding error packet from client" msgstr "" -#: ../../src/slave/kpropd.c:1626 +#: ../../src/slave/kpropd.c:1627 msgid "signaled from server" msgstr "" -#: ../../src/slave/kpropd.c:1628 +#: ../../src/slave/kpropd.c:1629 #, c-format msgid "Error text from client: %s\n" msgstr "" -#: ../../src/slave/kpropd.c:1683 +#: ../../src/slave/kpropd.c:1684 #, c-format msgid "while trying to fork %s" msgstr "" -#: ../../src/slave/kpropd.c:1687 +#: ../../src/slave/kpropd.c:1688 #, c-format msgid "while trying to exec %s" msgstr "" -#: ../../src/slave/kpropd.c:1694 +#: ../../src/slave/kpropd.c:1695 #, c-format msgid "while waiting for %s" msgstr "" -#: ../../src/slave/kpropd.c:1700 +#: ../../src/slave/kpropd.c:1701 #, c-format msgid "%s load terminated" msgstr "" -#: ../../src/slave/kpropd.c:1706 +#: ../../src/slave/kpropd.c:1707 #, c-format msgid "%s returned a bad exit status (%d)" msgstr ""