svn rev #25729: trunk/ doc/ doc/rst_source/krb_admins/ doc/rst_source/krb_admins/admin_commands/ ...
ghudson@MIT.EDU
Sat Mar 3 19:38:48 EST 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25729
Commit By: ghudson
Log Message:
Remove admin_keytab references in code and docs
The admin keytab hasn't been needed or used by kadmind since 1.4
(except possibly by legacy admin daemons which we no longer ship).
Eliminate remaining references to it in code, test cases, and
documentation.
Changed Files:
U trunk/doc/admin.texinfo
U trunk/doc/rst_source/krb_admins/admin_commands/kadmind.rst
U trunk/doc/rst_source/krb_admins/conf_files/kdc_conf.rst
U trunk/doc/rst_source/krb_admins/install_kdc.rst
U trunk/src/config-files/kdc.conf
U trunk/src/config-files/kdc.conf.M
U trunk/src/include/k5-int.h
U trunk/src/kadmin/server/kadmind.M
U trunk/src/kadmin/testing/proto/kdc.conf.proto
U trunk/src/kadmin/testing/tcl/util.t
U trunk/src/kadmin/testing/util/tcl_kadm5.c
U trunk/src/lib/kadm5/admin.h
U trunk/src/lib/kadm5/alt_prof.c
U trunk/src/lib/kadm5/clnt/client_init.c
U trunk/src/man/kadmind.8
U trunk/src/man/kdc.conf.5
U trunk/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
U trunk/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
U trunk/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
Modified: trunk/doc/admin.texinfo
===================================================================
--- trunk/doc/admin.texinfo 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/doc/admin.texinfo 2012-03-04 00:38:48 UTC (rev 25729)
@@ -1635,11 +1635,6 @@
uses to determine which principals are allowed which permissions on the
database. The default is @code{@value{DefaultAclFile}}.
- at itemx admin_keytab
-(String.) Location of the keytab file that the legacy administration
-daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
-the database. The default is @code{@value{DefaultAdminKeytab}}.
-
@itemx default_principal_expiration
(Absolute time string.) Specifies the default expiration date of
principals created in this realm. The default value for this tag is
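Review bot: the removed @itemx entry was a user of @value{DefaultAdminKeytab}, and this is the only admin.texinfo hunk in the commit, so the variable's definition is left behind. If nothing else in the manual references it, remove the definition as well so the docs carry no trace of a default keytab path that kadmind does not read.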
Modified: trunk/doc/rst_source/krb_admins/admin_commands/kadmind.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/admin_commands/kadmind.rst 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/doc/rst_source/krb_admins/admin_commands/kadmind.rst 2012-03-04 00:38:48 UTC (rev 25729)
@@ -36,14 +36,6 @@
some of which are optional. See the CONFIGURATION VALUES section
below.
-keytab
- kadmind requires a keytab containing correct entries for the
- ``kadmin/admin`` and ``kadmin/changepw`` principals for every
- realm that kadmind will answer requests for. The keytab can be
- created with the :ref:`kadmin(1)` client. The location of the
- keytab is determined by the **admin_keytab** configuration
- variable (see CONFIGURATION VALUES).
-
ACL file
kadmind's ACL (access control list) tells it which principals are
allowed to perform KADM5 administration actions. The path of the
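Review bot: missing documentation where the "keytab" entry is dropped: the page now goes straight from the configuration file to the ACL file without saying that kadmind no longer uses a keytab. Sites that followed the old text will still have a file holding kadmin/admin and kadmin/changepw keys on disk. Suggest a one-sentence note here stating that the admin keytab has not been used since 1.4 (per the log message), so operators know the file is no longer needed.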
@@ -137,12 +129,6 @@
**acl_file**
The path of kadmind's ACL file. **Mandatory**. No default.
-**admin_keytab**
- The name of the keytab containing entries for the principals
- ``kadmin/admin`` and ``kadmin/changepw`` in each realm that
- kadmind will serve. The default is the value of the KRB5_KTNAME
- environment variable, if defined. **Mandatory**.
-
**dict_file**
The path of kadmind's password dictionary. A principal with any
password policy will not be allowed to select any password in the
Modified: trunk/doc/rst_source/krb_admins/conf_files/kdc_conf.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/conf_files/kdc_conf.rst 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/doc/rst_source/krb_admins/conf_files/kdc_conf.rst 2012-03-04 00:38:48 UTC (rev 25729)
@@ -97,12 +97,6 @@
which permissions on the database. The default is
``/usr/local/var/krb5kdc/kadm5.acl``.
-**admin_keytab**
- (String.) Location of the keytab file that the legacy
- administration daemons kadmind4 and v5passwdd use to authenticate
- to the database. The default is
- ``/usr/local/var/krb5kdc/kadm5.keytab``.
-
**database_name**
This string specifies the location of the Kerberos database for
this realm.
Modified: trunk/doc/rst_source/krb_admins/install_kdc.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc.rst 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/doc/rst_source/krb_admins/install_kdc.rst 2012-03-04 00:38:48 UTC (rev 25729)
@@ -126,7 +126,6 @@
# explicitly configure the following four values:
# database_name = /var/krb5kdc/principal
# key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
- # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
# acl_file = /var/krb5kdc/kadm5.acl
}
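Review bot: with the admin_keytab line removed, the sample comment still reads "explicitly configure the following four values:" but only three remain (database_name, key_stash_file, acl_file). Change "four" to "three" in that comment line.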
@@ -142,7 +141,7 @@
.. note:: You have to have write permission on the target directories
(these directories must exist) used by **database_name**,
- **key_stash_file**, **admin_keytab**, and **acl_file**.
+ **key_stash_file**, and **acl_file**.
.. _create_db:
Modified: trunk/src/config-files/kdc.conf
===================================================================
--- trunk/src/config-files/kdc.conf 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/config-files/kdc.conf 2012-03-04 00:38:48 UTC (rev 25729)
@@ -4,7 +4,6 @@
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
- admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kdc_ports = 750,88
Modified: trunk/src/config-files/kdc.conf.M
===================================================================
--- trunk/src/config-files/kdc.conf.M 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/config-files/kdc.conf.M 2012-03-04 00:38:48 UTC (rev 25729)
@@ -94,13 +94,6 @@
kadmin uses to determine which principals are allowed which permissions
on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
-.IP admin_keytab
-This
-.B string
-Specifies the location of the keytab file that kadmin uses to
-authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
-
.IP database_name
This
.B string
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/include/k5-int.h 2012-03-04 00:38:48 UTC (rev 25729)
@@ -185,7 +185,6 @@
/* cofiguration variables */
#define KRB5_CONF_ACL_FILE "acl_file"
-#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
Modified: trunk/src/kadmin/server/kadmind.M
===================================================================
--- trunk/src/kadmin/server/kadmind.M 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/kadmin/server/kadmind.M 2012-03-04 00:38:48 UTC (rev 25729)
@@ -32,19 +32,6 @@
mandatory and some of which are optional. See the CONFIGURATION VALUES
section below.
.TP
-keytab
-.B Kadmind
-requires a keytab containing correct entries for the
-.I kadmin/admin
-and
-.I kadmin/changepw
-principals for every realm that kadmind will answer requests for. The
-keytab can be created with the
-.IR kadmin (8)
-client. The location of the keytab is determined by the
-.I admin_keytab
-configuration variable (see CONFIGURATION VALUES).
-.TP
ACL file
.BR Kadmind 's
ACL (access control list) tells it which principals are allowed to
@@ -145,17 +132,6 @@
password policy will not be allowed to select any password in the
dictionary. Optional. No default.
.TP
-admin_keytab
-The name of the keytab containing entries for the principals
-.I kadmin/admin
-and
-.I kadmin/changepw
-in each realm that
-.B kadmind
-will serve. The default is the value of the
-.SM KRB5_KTNAME
-environment variable, if defined. Mandatory.
-.TP
kadmind_port
The
.SM TCP
Modified: trunk/src/kadmin/testing/proto/kdc.conf.proto
===================================================================
--- trunk/src/kadmin/testing/proto/kdc.conf.proto 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/kadmin/testing/proto/kdc.conf.proto 2012-03-04 00:38:48 UTC (rev 25729)
@@ -5,7 +5,6 @@
__REALM__ = {
profile = __K5ROOT__/krb5.conf
database_name = __K5ROOT__/kdb5
- admin_keytab = __K5ROOT__/ovsec_adm.srvtab
key_stash_file = __K5ROOT__/.k5.__REALM__
acl_file = __K5ROOT__/ovsec_adm.acl
dict_file = __K5ROOT__/ovsec_adm.dict
Modified: trunk/src/kadmin/testing/tcl/util.t
===================================================================
--- trunk/src/kadmin/testing/tcl/util.t 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/kadmin/testing/tcl/util.t 2012-03-04 00:38:48 UTC (rev 25729)
@@ -29,8 +29,6 @@
"KADM5_CONFIG_ADBNAME" {set params [lreplace $params 5 5 $value]}
"KADM5_CONFIG_ADB_LOCKFILE" {
set params [lreplace $params 6 6 $value]}
- "KADM5_CONFIG_ADMIN_KEYTAB" {
- set params [lreplace $params 7 7 $value]}
"KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 8 8 $value]}
"KADM5_CONFIG_DICT_FILE" {
set params [lreplace $params 9 9 $value]}
Modified: trunk/src/kadmin/testing/util/tcl_kadm5.c
===================================================================
--- trunk/src/kadmin/testing/util/tcl_kadm5.c 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/kadmin/testing/util/tcl_kadm5.c 2012-03-04 00:38:48 UTC (rev 25729)
@@ -86,7 +86,6 @@
{"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE},
{"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION},
{"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS},
- {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB},
{"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE},
{"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE},
{"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME},
@@ -1033,11 +1032,7 @@
}
/* Ignore argv[5], which used to set the admin_dbname field. */
/* Ignore argv[6], which used to set the admin_lockfile field. */
- if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing admin_keytab name");
- retcode = TCL_ERROR;
- goto finished;
- }
+ /* Ignore argv[7], which used to set the admin_keytab field. */
if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) {
Tcl_AppendElement(interp, "while parsing acl_file name");
retcode = TCL_ERROR;
Modified: trunk/src/lib/kadm5/admin.h
===================================================================
--- trunk/src/lib/kadm5/admin.h 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/lib/kadm5/admin.h 2012-03-04 00:38:48 UTC (rev 25729)
@@ -134,7 +134,7 @@
#define KADM5_CONFIG_MAX_RLIFE 0x00000010
#define KADM5_CONFIG_EXPIRATION 0x00000020
#define KADM5_CONFIG_FLAGS 0x00000040
-#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080
+/*#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080*/
#define KADM5_CONFIG_STASH_FILE 0x00000100
#define KADM5_CONFIG_ENCTYPE 0x00000200
#define KADM5_CONFIG_ADBNAME 0x00000400
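Review bot: the commented-out "/*#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080*/" leaves dead code with no stated reason for keeping it. If the intent is to stop bit 0x00000080 from being reassigned to a new flag, say that in a real comment, for example "/* 0x00000080 was KADM5_CONFIG_ADMIN_KEYTAB; do not reuse */".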
@@ -240,7 +240,6 @@
file. */
char * dbname;
- char * admin_keytab;
char * acl_file;
char * dict_file;
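Review bot: deleting the admin_keytab member between dbname and acl_file changes the layout of this structure, so acl_file, dict_file and every later member move up by one pointer. Anything compiled against the old admin.h that fills in or reads the structure will disagree with the rebuilt library about those offsets. Either keep a placeholder member in that slot, in the same way the mask bit is kept reserved in the previous hunk, or state the ABI break and the rebuild requirement in the log message.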
Modified: trunk/src/lib/kadm5/alt_prof.c
===================================================================
--- trunk/src/lib/kadm5/alt_prof.c 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/lib/kadm5/alt_prof.c 2012-03-04 00:38:48 UTC (rev 25729)
@@ -616,17 +616,6 @@
GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME,
DEFAULT_KDB_FILE);
- /* Get the value for the admin (policy) database lock file*/
- if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB,
- KRB5_CONF_ADMIN_KEYTAB, NULL)) {
- const char *s = getenv("KRB5_KTNAME");
- if (s == NULL)
- s = DEFAULT_KADM5_KEYTAB;
- params.admin_keytab = strdup(s);
- if (params.admin_keytab)
- params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
- }
-
/* Get the name of the acl file */
GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE,
DEFAULT_KADM5_ACL_FILE);
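Review bot: the removed block was a user of DEFAULT_KADM5_KEYTAB, and nothing in this commit removes that macro's definition (the k5-int.h hunk only drops KRB5_CONF_ADMIN_KEYTAB). Check for remaining users and delete the definition if there are none, so no default keytab path lingers in the headers.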
@@ -862,7 +851,6 @@
free(params->stash_file);
free(params->keysalts);
free(params->admin_server);
- free(params->admin_keytab);
free(params->dict_file);
free(params->acl_file);
free(params->realm);
Modified: trunk/src/lib/kadm5/clnt/client_init.c
===================================================================
--- trunk/src/lib/kadm5/clnt/client_init.c 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/lib/kadm5/clnt/client_init.c 2012-03-04 00:38:48 UTC (rev 25729)
@@ -236,8 +236,7 @@
#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \
KADM5_CONFIG_ADB_LOCKFILE | \
KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \
- | KADM5_CONFIG_ADMIN_KEYTAB | \
- KADM5_CONFIG_STASH_FILE | \
+ | KADM5_CONFIG_STASH_FILE | \
KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \
| KADM5_CONFIG_MAX_LIFE | \
KADM5_CONFIG_MAX_RLIFE | \
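Review bot: dropping KADM5_CONFIG_ADMIN_KEYTAB from ILLEGAL_PARAMS means a mask with bit 0x00000080 set is no longer caught by this macro, while the admin.h hunk only comments the define out, so a caller built against the old header can still pass that bit. If the client is still meant to reject it, keep the literal 0x00000080 in the mask with a comment; if it is now meant to be ignored, say so next to the macro.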
Modified: trunk/src/man/kadmind.8
===================================================================
--- trunk/src/man/kadmind.8 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/man/kadmind.8 2012-03-04 00:38:48 UTC (rev 25729)
@@ -49,12 +49,6 @@
of variable settings in this file, some of which are mandatory and some of which are optional.
See the CONFIGURATION VALUES section below.
.TP
-.B \fIkeytab\fP
-.sp
-Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that
-\fIkadmind\fP will answer requests for. The keytab can be created with the kadmin(8) client.
-The location of the keytab is determined by the \fIadmin_keytab\fP configuration variable (see CONFIGURATION VALUES).
-.TP
.B \fIACL\fP file
.sp
\fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions.
@@ -146,11 +140,6 @@
.sp
The path of \fIkadmind\fP\(aqs \fIACL\fP file. \fBMandatory\fP. No default.
.TP
-.B \fBadmin_keytab\fP
-.sp
-The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that \fIkadmind\fP will
-serve. The default is the value of the KRB5_KTNAME environment variable, if defined. \fBMandatory\fP.
-.TP
.B \fBdict_file\fP
.sp
The path of \fIkadmind\fP\(aqs password dictionary. A principal with any password policy will not be allowed to select any password in
Modified: trunk/src/man/kdc.conf.5
===================================================================
--- trunk/src/man/kdc.conf.5 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/man/kdc.conf.5 2012-03-04 00:38:48 UTC (rev 25729)
@@ -101,10 +101,6 @@
.sp
(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP.
.TP
-.B \fBadmin_keytab\fP
-.sp
-(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is \fI/usr/local/var/krb5kdc/kadm5.keytab\fP.
-.TP
.B \fBdatabase_name\fP
.sp
This string specifies the location of the Kerberos database for this realm.
Modified: trunk/src/tests/kdc_realm/input_conf/kdc_pri_template.conf
===================================================================
--- trunk/src/tests/kdc_realm/input_conf/kdc_pri_template.conf 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/tests/kdc_realm/input_conf/kdc_pri_template.conf 2012-03-04 00:38:48 UTC (rev 25729)
@@ -4,7 +4,6 @@
[realms]
Y.COM = {
database_name = %(tier2)s/principal
- admin_keytab = FILE:%(tier2)s/kadm5.keytab
acl_file = %(tier2)s/kadm5.acl
key_stash_file = %(tier2)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7777
Modified: trunk/src/tests/kdc_realm/input_conf/kdc_ref_template.conf
===================================================================
--- trunk/src/tests/kdc_realm/input_conf/kdc_ref_template.conf 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/tests/kdc_realm/input_conf/kdc_ref_template.conf 2012-03-04 00:38:48 UTC (rev 25729)
@@ -4,7 +4,6 @@
[realms]
Z.COM = {
database_name = %(tier1)s/principal
- admin_keytab = FILE:%(tier1)s/kadm5.keytab
acl_file = %(tier1)s/kadm5.acl
key_stash_file = %(tier1)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7778
Modified: trunk/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf
===================================================================
--- trunk/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf 2012-03-03 06:17:51 UTC (rev 25728)
+++ trunk/src/tests/mk_migr/ldap_backend/input_conf/kdc_template_ldap.conf 2012-03-04 00:38:48 UTC (rev 25729)
@@ -6,7 +6,6 @@
database_name = %(sandir)s/krb5kdc/principal
acl_file = %(sandir)s/kadm5.acl
key_stash_file = %(sandir)s/krb5kdc/.k5.EXAMPLE.ORG
- admin_keytab = FILE:%(sandir)s/krb5kdc/kadm5.keytab
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886