krb5 commit: Regenerate man pages

Benjamin Kaduk kaduk at MIT.EDU
Tue Oct 16 18:15:29 EDT 2012


https://github.com/krb5/krb5/commit/dd8c4b424d9b48a1eed3be491e5b10f81deb4dec
commit dd8c4b424d9b48a1eed3be491e5b10f81deb4dec
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Tue Oct 16 16:40:20 2012 -0400

    Regenerate man pages
    
    Catch up to the RST content updates.
    
    Lots of .sp vertical space macros are removed, and the output engine
    spells "restructuredText" correctly, now.

 src/man/k5identity.man     |   11 +--
 src/man/k5login.man        |    7 +-
 src/man/k5srvutil.man      |    8 +-
 src/man/kadmin.man         |  275 ++++++++---------------------------
 src/man/kadmind.man        |  179 +++--------------------
 src/man/kdb5_ldap_util.man |   77 ++--------
 src/man/kdb5_util.man      |   64 +++------
 src/man/kdc.conf.man       |  344 +++++++++++++++++++-------------------------
 src/man/kdestroy.man       |   14 +--
 src/man/kinit.man          |   85 +++--------
 src/man/klist.man          |   37 ++---
 src/man/kpasswd.man        |    5 +-
 src/man/kprop.man          |   10 +-
 src/man/kpropd.man         |   38 ++---
 src/man/kproplog.man       |   14 +-
 src/man/krb5.conf.man      |  285 +++++++++++++++++++------------------
 src/man/krb5kdc.man        |   15 +--
 src/man/ksu.man            |   51 ++-----
 src/man/kswitch.man        |   13 +--
 src/man/ktutil.man         |   14 +--
 src/man/kvno.man           |   18 +--
 src/man/sclient.man        |    4 +-
 src/man/sserver.man        |   11 +-
 23 files changed, 525 insertions(+), 1054 deletions(-)

diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index c4f588a..c242940 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
-.SH SYNOPSIS
-.sp
-\fB~/.k5identity\fP
 .SH DESCRIPTION
 .sp
 The .k5identity file, which resides in a user\(aqs home directory,
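Review bot: The removal of the SYNOPSIS section at the top of this hunk (`.SH SYNOPSIS` with `\fB~/.k5identity\fP`) is not covered by the commit message, which mentions only the `.sp` removals and the spelling fix. After this change the page no longer shows the file's path in a section of its own. If the RST update intends that, say so in the message, since the same removal recurs in k5login.man.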
@@ -44,7 +41,6 @@ Blank lines and lines beginning with \fB#\fP are ignored.  Each line has
 the form:
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fIprincipal\fP \fIfield\fP=\fIvalue\fP ...
 .UNINDENT
 .UNINDENT
@@ -55,7 +51,6 @@ recognized:
 .INDENT 0.0
 .TP
 .B \fBrealm\fP
-.sp
 If the realm of the server principal is known, it is matched
 against \fIvalue\fP, which may be a pattern using shell wildcards.
 For host\-based server principals, the realm will generally only be
@@ -63,13 +58,11 @@ known if there is a \fIdomain_realm\fP section in
 \fIkrb5.conf(5)\fP with a mapping for the hostname.
 .TP
 .B \fBservice\fP
-.sp
 If the server principal is a host\-based principal, its service
 component is matched against \fIvalue\fP, which may be a pattern using
 shell wildcards.
 .TP
 .B \fBhost\fP
-.sp
 If the server principal is a host\-based principal, its hostname
 component is converted to lower case and matched against \fIvalue\fP,
 which may be a pattern using shell wildcards.
@@ -105,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 9f82dc8..d2bcf3e 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -28,11 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
-.SH SYNOPSIS
-.sp
-\fB~/.k5login\fP
 .SH DESCRIPTION
 .sp
 The .k5login file, which resides in a user\(aqs home directory, contains
@@ -89,6 +86,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index e20d775..083f485 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -44,12 +44,10 @@ a keytab or to add new keys to the keytab.
 .INDENT 0.0
 .TP
 .B \fBlist\fP
-.sp
 Lists the keys in a keytab showing version number and principal
 name.
 .TP
 .B \fBchange\fP
-.sp
 Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
@@ -61,7 +59,6 @@ If the \fB\-k\fP option is given, the old and new keys will be
 displayed.
 .TP
 .B \fBdelold\fP
-.sp
 Deletes keys that are not the most recent version from the keytab.
 This operation should be used some time after a change operation
 to remove old keys, after existing tickets issued for the service
@@ -69,7 +66,6 @@ have expired.  If the \fB\-i\fP flag is given, then k5srvutil will
 prompt for confirmation for each principal.
 .TP
 .B \fBdelete\fP
-.sp
 Deletes particular keys in the keytab, interactively prompting for
 each key.
 .UNINDENT
@@ -85,6 +81,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 6ab1a18..cc2e97d 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -79,30 +79,25 @@ kadmin.local can be run on any host which can access the LDAP server.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Use \fIrealm\fP as the default database realm.
 .TP
 .B \fB\-p\fP \fIprincipal\fP
-.sp
 Use \fIprincipal\fP to authenticate.  Otherwise, kadmin will append
 \fB/admin\fP to the primary principal name of the default ccache,
 the value of the \fBUSER\fP environment variable, or the username as
 obtained with getpwuid, in order of preference.
 .TP
 .B \fB\-k\fP
-.sp
 Use a keytab to decrypt the KDC response instead of prompting for
 a password.  In this case, the default principal will be
 \fBhost/hostname\fP.  If there is no keytab specified with the
 \fB\-t\fP option, then the default keytab will be used.
 .TP
 .B \fB\-t\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP to decrypt the KDC response.  This can only be used
 with the \fB\-k\fP option.
 .TP
 .B \fB\-n\fP
-.sp
 Requests anonymous processing.  Two types of anonymous principals
 are supported.  For fully anonymous Kerberos, configure PKINIT on
 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
@@ -118,7 +113,6 @@ principal.  As of release 1.8, the MIT Kerberos KDC only supports
 fully anonymous operation.
 .TP
 .B \fB\-c\fP \fIcredentials_cache\fP
-.sp
 Use \fIcredentials_cache\fP as the credentials cache.  The
 cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
@@ -128,163 +122,67 @@ requests a new service ticket from the KDC, and stores it in its
 own temporary ccache.
 .TP
 .B \fB\-w\fP \fIpassword\fP
-.sp
 Use \fIpassword\fP instead of prompting for one.  Use this option with
 care, as it may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-q\fP \fIquery\fP
-.sp
 Perform the specified query and then exit.  This can be useful for
 writing scripts.
 .TP
 .B \fB\-d\fP \fIdbname\fP
-.sp
 Specifies the name of the KDC database.  This option does not
 apply to the LDAP database module.
 .TP
 .B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
-.sp
 Specifies the admin server which kadmin should contact.
 .TP
 .B \fB\-m\fP
-.sp
 If using kadmin.local, prompt for the database master password
 instead of reading it from a stash file.
 .TP
 .B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
-.sp
 Sets the list of encryption types and salt types to be used for
 any new keys created.  See \fIEncryption_and_salt_types\fP in
 \fIkdc.conf(5)\fP for a list of possible values.
 .TP
 .B \fB\-O\fP
-.sp
 Force use of old AUTH_GSSAPI authentication flavor.
 .TP
 .B \fB\-N\fP
-.sp
 Prevent fallback to AUTH_GSSAPI authentication flavor.
 .TP
 .B \fB\-x\fP \fIdb_args\fP
-.sp
 Specifies the database specific arguments.  Options supported for
 the LDAP database module are:
 .INDENT 7.0
 .TP
 .B \fB\-x host=\fP\fIhostname\fP
-.sp
-specifies the LDAP server to connect to by a LDAP URI.
+Specifies the LDAP server to connect to by a LDAP URI.
 .TP
 .B \fB\-x binddn=\fP\fIbind_dn\fP
-.sp
-specifies the DN of the object used by the administration
+Specifies the DN of the object used by the administration
 server to bind to the LDAP server.  This object should have
 the read and write privileges on the realm container, the
 principal container, and the subtree that is referenced by the
 realm.
 .TP
 .B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
-specifies the password for the above mentioned binddn.  Using
+Specifies the password for the above mentioned binddn.  Using
 this option may expose the password to other users on the
 system via the process list; to avoid this, instead stash the
 password using the \fBstashsrvpw\fP command of
 \fIkdb5_ldap_util(8)\fP.
 .UNINDENT
 .UNINDENT
-.SH DATE FORMAT
-.sp
-Many of the kadmin commands take a duration or time as an
-argument. The date can appear in a wide variety of formats, such as:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-1 month ago
-2 hours ago
-400000 seconds ago
-last year
-this Monday
-next Monday
-yesterday
-tomorrow
-now
-second Monday
-fortnight ago
-3/31/92 10:00:07 PST
-January 23, 1987 10:05pm
-22:00 GMT
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Dates which do not have the "ago" specifier default to being absolute
-dates, unless they appear in a field where a duration is expected.  In
-that case the time specifier will be interpreted as relative.
-Specifying "ago" in a duration may result in unexpected behavior.
-.sp
-The following is a list of all of the allowable keywords.
-.TS
-center;
-|l|l|.
-_
-T{
-Months
-T}	T{
-january, jan, february, feb, march, mar, april, apr, may,
-june, jun, july, jul, august, aug, september, sep, sept,
-october, oct, november, nov, december, dec
-T}
-_
-T{
-Days
-T}	T{
-sunday, sun, monday, mon, tuesday, tues, tue, wednesday,
-wednes, wed, thursday, thurs, thur, thu, friday, fri,
-saturday, sat
-T}
-_
-T{
-Units
-T}	T{
-year, month, fortnight, week, day, hour, minute, min,
-second, sec
-T}
-_
-T{
-Relative
-T}	T{
-tomorrow, yesterday, today, now, last, this, next, first,
-second, third, fourth, fifth, sixth, seventh, eighth,
-ninth, tenth, eleventh, twelfth, ago
-T}
-_
-T{
-Time Zones
-T}	T{
-kadmin recognizes abbreviations for most of the world\(aqs
-time zones.
-T}
-_
-T{
-Meridians
-T}	T{
-am, pm
-T}
-_
-.TE
 .SH COMMANDS
 .sp
 When using the remote client, available commands may be restricted
-according to the privileges specified in the kadm5.acl file on the
-admin server.
+according to the privileges specified in the \fIkadm5.acl(5)\fP file
+on the admin server.
 .SS add_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
 .UNINDENT
 .UNINDENT
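Review bot: The DATE FORMAT section deleted in this hunk held the explanation of how an absolute date differs from a duration ("Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected"), and nothing visible in this file replaces it. The later `\fIgetdate\fP` tags assume the reader can find that text, so add an explicit cross-reference (for example in SEE ALSO) to wherever it now lives.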
@@ -304,76 +202,62 @@ Options:
 .INDENT 0.0
 .TP
 .B \fB\-expire\fP \fIexpdate\fP
-.sp
-expiration date of the principal
+(\fIgetdate\fP string) The expiration date of the principal.
 .TP
 .B \fB\-pwexpire\fP \fIpwexpdate\fP
-.sp
-password expiration date
+(\fIgetdate\fP string) The password expiration date.
 .TP
 .B \fB\-maxlife\fP \fImaxlife\fP
-.sp
-maximum ticket life for the principal
+(\fIgetdate\fP string) The maximum ticket life for the principal.
 .TP
 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-.sp
-maximum renewable life of tickets for the principal
+(\fIgetdate\fP string) The maximum renewable life of tickets for
+the principal.
 .TP
 .B \fB\-kvno\fP \fIkvno\fP
-.sp
-initial key version number
+The initial key version number.
 .TP
 .B \fB\-policy\fP \fIpolicy\fP
-.sp
-password policy used by this principal.  If not specified, the
+The password policy used by this principal.  If not specified, the
 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
 is specified).
 .TP
 .B \fB\-clearpolicy\fP
-.sp
-prevents any policy from being assigned when \fB\-policy\fP is not
+Prevents any policy from being assigned when \fB\-policy\fP is not
 specified.
 .TP
 .B {\-|+}\fBallow_postdated\fP
-.sp
 \fB\-allow_postdated\fP prohibits this principal from obtaining
 postdated tickets.  \fB+allow_postdated\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_forwardable\fP
-.sp
 \fB\-allow_forwardable\fP prohibits this principal from obtaining
 forwardable tickets.  \fB+allow_forwardable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_renewable\fP
-.sp
 \fB\-allow_renewable\fP prohibits this principal from obtaining
 renewable tickets.  \fB+allow_renewable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_proxiable\fP
-.sp
 \fB\-allow_proxiable\fP prohibits this principal from obtaining
 proxiable tickets.  \fB+allow_proxiable\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_dup_skey\fP
-.sp
 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
 principal by prohibiting this principal from obtaining a session
 key for another user.  \fB+allow_dup_skey\fP clears this flag.
 .TP
 .B {\-|+}\fBrequires_preauth\fP
-.sp
 \fB+requires_preauth\fP requires this principal to preauthenticate
 before being allowed to kinit.  \fB\-requires_preauth\fP clears this
 flag.
 .TP
 .B {\-|+}\fBrequires_hwauth\fP
-.sp
 \fB+requires_hwauth\fP requires this principal to preauthenticate
 using a hardware device before being allowed to kinit.
 \fB\-requires_hwauth\fP clears this flag.
 .TP
 .B {\-|+}\fBok_as_delegate\fP
-.sp
 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
 issued with this principal as the service.  Clients may use this
 flag as a hint that credentials should be delegated when
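Review bot: `\-maxlife` and `\-maxrenewlife` are lifetimes, yet they receive the same "(\fIgetdate\fP string)" tag as the absolute dates `\-expire` and `\-pwexpire`. The DATE FORMAT text removed earlier in this file said a time specifier is read as relative where a duration is expected; with that gone, the new wording gives no way to tell which fields are dates and which are durations. Suggest tagging the two lifetime options as durations, or adding one sentence on how a getdate string is interpreted for them.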
@@ -381,87 +265,71 @@ authenticating to the service.  \fB\-ok_as_delegate\fP clears this
 flag.
 .TP
 .B {\-|+}\fBallow_svr\fP
-.sp
 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
 principal.  \fB+allow_svr\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_tgs_req\fP
-.sp
 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
 request for a service ticket for this principal is not permitted.
 \fB+allow_tgs_req\fP clears this flag.
 .TP
 .B {\-|+}\fBallow_tix\fP
-.sp
 \fB\-allow_tix\fP forbids the issuance of any tickets for this
 principal.  \fB+allow_tix\fP clears this flag.
 .TP
 .B {\-|+}\fBneedchange\fP
-.sp
 \fB+needchange\fP forces a password change on the next initial
 authentication to this principal.  \fB\-needchange\fP clears this
 flag.
 .TP
 .B {\-|+}\fBpassword_changing_service\fP
-.sp
 \fB+password_changing_service\fP marks this principal as a password
 change service principal.
 .TP
 .B \fB\-randkey\fP
-.sp
-sets the key of the principal to a random value
+Sets the key of the principal to a random value.
 .TP
 .B \fB\-pw\fP \fIpassword\fP
-.sp
-sets the password of the principal to the specified string and
+Sets the password of the principal to the specified string and
 does not prompt for a password.  Note: using this option in a
 shell script may expose the password to other users on the system
 via the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
-uses the specified list of enctype\-salttype pairs for setting the
+Uses the specified list of enctype\-salttype pairs for setting the
 key of the principal.
 .TP
 .B \fB\-x\fP \fIdb_princ_args\fP
-.sp
-indicates database\-specific options.  The options for the LDAP
+Indicates database\-specific options.  The options for the LDAP
 database module are:
 .INDENT 7.0
 .TP
 .B \fB\-x dn=\fP\fIdn\fP
-.sp
-specifies the LDAP object that will contain the Kerberos
+Specifies the LDAP object that will contain the Kerberos
 principal being created.
 .TP
 .B \fB\-x linkdn=\fP\fIdn\fP
-.sp
-specifies the LDAP object to which the newly created Kerberos
+Specifies the LDAP object to which the newly created Kerberos
 principal object will point.
 .TP
 .B \fB\-x containerdn=\fP\fIcontainer_dn\fP
-.sp
-specifies the container object under which the Kerberos
+Specifies the container object under which the Kerberos
 principal is to be created.
 .TP
 .B \fB\-x tktpolicy=\fP\fIpolicy\fP
-.sp
-associates a ticket policy to the Kerberos principal.
+Associates a ticket policy to the Kerberos principal.
 .UNINDENT
 .IP Note
 .INDENT 7.0
 .IP \(bu 2
-.
 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
 specified with the \fBdn\fP option.
 .IP \(bu 2
-.
 If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
 adding the principal, the principals are created under the
 principal container configured in the realm or the realm
 container.
 .IP \(bu 2
-.
 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
 principal container configured in the realm.
 .UNINDENT
@@ -488,7 +356,6 @@ kadmin:
 .SS modify_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -506,7 +373,6 @@ Options (in addition to the \fBaddprinc\fP options):
 .INDENT 0.0
 .TP
 .B \fB\-unlock\fP
-.sp
 Unlocks a locked principal (one which has received too many failed
 authentication attempts without enough time between them according
 to its password policy) so that it can successfully authenticate.
@@ -514,7 +380,6 @@ to its password policy) so that it can successfully authenticate.
 .SS rename_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
 .UNINDENT
 .UNINDENT
@@ -529,7 +394,6 @@ Alias: \fBrenprinc\fP
 .SS delete_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -543,7 +407,6 @@ Alias: \fBdelprinc\fP
 .SS change_password
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -561,22 +424,18 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-randkey\fP
-.sp
-Sets the key of the principal to a random value
+Sets the key of the principal to a random value.
 .TP
 .B \fB\-pw\fP \fIpassword\fP
-.sp
 Set the password to the specified string.  Using this option in a
 script may expose the password to other users on the system via
 the process list.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
 Uses the specified list of enctype\-salttype pairs for setting the
 key of the principal.
 .TP
 .B \fB\-keepold\fP
-.sp
 Keeps the existing keys in the database.  This flag is usually not
 necessary except perhaps for \fBkrbtgt\fP principals.
 .UNINDENT
@@ -599,7 +458,6 @@ kadmin:
 .SS purgekeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -612,7 +470,6 @@ This command requires the \fBmodify\fP privilege.
 .SS get_principal
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -660,7 +517,6 @@ kadmin:
 .SS list_principals
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_principals\fP [\fIexpression\fP]
 .UNINDENT
 .UNINDENT
@@ -696,13 +552,11 @@ kadmin:
 .SS get_strings
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_strings\fP \fIprincipal\fP
 .UNINDENT
 .UNINDENT
 .sp
-Displays string attributes on \fIprincipal\fP.  String attributes are used
-to supply per\-principal configuration to some KDC plugin modules.
+Displays string attributes on \fIprincipal\fP.
 .sp
 This command requires the \fBinquire\fP privilege.
 .sp
@@ -710,12 +564,21 @@ Alias: \fBgetstr\fP
 .SS set_string
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
 .UNINDENT
 .UNINDENT
 .sp
-Sets a string attribute on \fIprincipal\fP.
+Sets a string attribute on \fIprincipal\fP.  String attributes are used to
+supply per\-principal configuration to the KDC and some KDC plugin
+modules.  The following string attributes are recognized by the KDC:
+.INDENT 0.0
+.TP
+.B \fBsession_enctypes\fP
+Specifies the encryption types supported for session keys when the
+principal is authenticated to as a server.  See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values.
+.UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
 .sp
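Review bot: The new `session_enctypes` entry points to the accepted values but does not say how multiple enctypes are separated or what the KDC does when the attribute is unset. This attribute restricts the session key types issued for a service principal, so state the list syntax and the default here, as the `\-allowedkeysalts` text later in this file does for its separator.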
@@ -723,7 +586,6 @@ Alias: \fBsetstr\fP
 .SS del_string
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdel_string\fP \fIprincipal\fP \fIkey\fP
 .UNINDENT
 .UNINDENT
@@ -736,7 +598,6 @@ Alias: \fBdelstr\fP
 .SS add_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -751,47 +612,47 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-maxlife\fP \fItime\fP
-.sp
-sets the maximum lifetime of a password
+(\fIgetdate\fP string) Sets the maximum lifetime of a password.
 .TP
 .B \fB\-minlife\fP \fItime\fP
-.sp
-sets the minimum lifetime of a password
+(\fIgetdate\fP string) Sets the minimum lifetime of a password.
 .TP
 .B \fB\-minlength\fP \fIlength\fP
-.sp
-sets the minimum length of a password
+Sets the minimum length of a password.
 .TP
 .B \fB\-minclasses\fP \fInumber\fP
-.sp
-sets the minimum number of character classes required in a
+Sets the minimum number of character classes required in a
 password.  The five character classes are lower case, upper case,
 numbers, punctuation, and whitespace/unprintable characters.
 .TP
 .B \fB\-history\fP \fInumber\fP
-.sp
-sets the number of past keys kept for a principal.  This option is
+Sets the number of past keys kept for a principal.  This option is
 not supported with the LDAP KDC database module.
 .TP
 .B \fB\-maxfailure\fP \fImaxnumber\fP
-.sp
-sets the maximum number of authentication failures before the
+Sets the maximum number of authentication failures before the
 principal is locked.  Authentication failures are only tracked for
 principals which require preauthentication.
 .TP
 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
-.sp
-sets the allowable time between authentication failures.  If an
-authentication failure happens after \fIfailuretime\fP has elapsed
-since the previous failure, the number of authentication failures
-is reset to 1.
+(\fIgetdate\fP string) Sets the allowable time between
+authentication failures.  If an authentication failure happens
+after \fIfailuretime\fP has elapsed since the previous failure,
+the number of authentication failures is reset to 1.
 .TP
 .B \fB\-lockoutduration\fP \fIlockouttime\fP
-.sp
-sets the duration for which the principal is locked from
-authenticating if too many authentication failures occur without
-the specified failure count interval elapsing.  A duration of 0
-means forever.
+(\fIgetdate\fP string) Sets the duration for which the principal
+is locked from authenticating if too many authentication failures
+occur without the specified failure count interval elapsing.
+A duration of 0 means forever.
+.TP
+.B \fB\-allowedkeysalts\fP
+Specifies the key/salt tuples supported for long\-term keys when
+setting or changing a principal\(aqs password/keys.  See
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list
+of the accepted values, but note that key/salt tuples must be
+separated with commas (\(aq,\(aq) only.  To clear the allowed key/salt
+policy use a value of \(aq\-\(aq.
 .UNINDENT
 .sp
 Example:
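Review bot: The added `.B \fB\-allowedkeysalts\fP` line has no argument placeholder, while every other option in this list names one (`\fB\-maxlife\fP \fItime\fP`, `\fB\-history\fP \fInumber\fP`), even though its description says it takes comma-separated key/salt tuples or '-'. Add an italic placeholder for the value in the RST source so the synopsis line matches the description.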
@@ -809,7 +670,6 @@ kadmin:
 .SS modify_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -823,7 +683,6 @@ Alias: \fBmodpol\fP
 .SS delete_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -853,7 +712,6 @@ kadmin:
 .SS get_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
 .UNINDENT
 .UNINDENT
@@ -895,7 +753,6 @@ meaningful.
 .SS list_policies
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_policies\fP [\fIexpression\fP]
 .UNINDENT
 .UNINDENT
@@ -933,8 +790,11 @@ kadmin:
 .SS ktadd
 .INDENT 0.0
 .INDENT 3.5
+.nf
+\fBktadd\fP [options] \fIprincipal\fP
+\fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
+.fi
 .sp
-\fBktadd\fP [[\fIprincipal\fP|\fB\-glob\fP \fIprinc\-exp\fP]
 .UNINDENT
 .UNINDENT
 .sp
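Review bot: In the new two-line ktadd synopsis, `[options]` is plain text, whereas the other command synopses in this file write `[\fIoptions\fP]`. The hunk also leaves a `.sp` after `.fi` with nothing between it and `.UNINDENT`, in a commit that otherwise removes such spacers. Both look like source-level issues to fix in the RST before regenerating.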
@@ -944,27 +804,23 @@ The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
 command.
 .sp
 This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
-With the \fB\-glob\fP option, it also requires the \fBlist\fP privilege.
+With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
 .sp
 The options are:
 .INDENT 0.0
 .TP
 .B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
-.sp
 Use the specified list of enctype\-salttype pairs for setting the
 new keys of the principal.
 .TP
 .B \fB\-q\fP
-.sp
 Display less verbose information.
 .TP
 .B \fB\-norandkey\fP
-.sp
 Do not randomize the keys. The keys and their version numbers stay
 unchanged.  This option is only available in kadmin.local, and
 cannot be specified in combination with the \fB\-e\fP option.
@@ -992,8 +848,7 @@ kadmin:
 .SS ktremove
 .INDENT 0.0
 .INDENT 3.5
-.sp
-\fBktremove\fP \fIprincipal\fP [\fIkvno\fP|\fIall\fP| \fIold\fP]
+\fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
 .UNINDENT
 .UNINDENT
 .sp
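Review bot: `[options]` is added to the ktremove synopsis as plain text rather than `[\fIoptions\fP]`, and the literal keywords `all` and `old` are italic like the `kvno` placeholder, so the line does not distinguish typed keywords from values. Suggest bold for `all` and `old` and italic for `options` in the source.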
@@ -1010,12 +865,10 @@ The options are:
 .INDENT 0.0
 .TP
 .B \fB\-k[eytab]\fP \fIkeytab\fP
-.sp
 Use \fIkeytab\fP as the keytab file.  Otherwise, the default keytab is
 used.
 .TP
 .B \fB\-q\fP
-.sp
 Display less verbose information.
 .UNINDENT
 .sp
@@ -1060,6 +913,6 @@ interface to the OpenVision Kerberos administration program.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 8316799..51bcaeb 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -39,6 +39,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-nofork\fP]
 [\fB\-port\fP \fIport\-number\fP]
 [\fB\-P\fP \fIpid_file\fP]
+[\fB\-p\fP \fIkdb5_util_path\fP]
+[\fB\-K\fP \fIkprop_path\fP]
+[\fB\-F\fP \fIdump_file\fP]
 .SH DESCRIPTION
 .sp
 kadmind starts the Kerberos administration server.  kadmind typically
@@ -53,23 +56,17 @@ for it to work:
 .INDENT 0.0
 .TP
 .B \fIkdc.conf(5)\fP
-.sp
 The KDC configuration file contains configuration information for
 the KDC and admin servers.  kadmind uses settings in this file to
 locate the Kerberos database, and is also affected by the
 \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related
 settings.
 .TP
-.B ACL file
-.
+.B \fIkadm5.acl(5)\fP
 kadmind\(aqs ACL (access control list) tells it which principals are
 allowed to perform administration actions.  The pathname to the
-ACL file can be specified with the \fBacl_file\fP kdc.conf variable;
-by default, it is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.  The syntax of the ACL
-file is specified in the ACL FILE SYNTAX section below.
-.sp
-If the kadmind ACL file is modified, the kadmind daemon needs to
-be restarted for changes to take effect.
+ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP
+variable; by default, it is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
 .UNINDENT
 .sp
 After the server begins running, it puts itself in the background and
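Review bot: The sentence removed in this hunk, "If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect", is operational guidance an administrator needs when tightening or revoking privileges, and the replacement text only cross-references `\fIkadm5.acl(5)\fP`. Confirm that page carries the restart requirement, or keep the sentence here.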
@@ -87,38 +84,44 @@ registered in the database.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 specifies the realm that kadmind will serve; if it is not
 specified, the default realm of the host is used.
 .TP
 .B \fB\-m\fP
-.sp
 causes the master database password to be fetched from the
 keyboard (before the server puts itself in the background, if not
 invoked with the \fB\-nofork\fP option) rather than from a file on
 disk.
 .TP
 .B \fB\-nofork\fP
-.sp
 causes the server to remain in the foreground and remain
 associated to the terminal.  In normal operation, you should allow
 the server to place itself in the background.
 .TP
 .B \fB\-port\fP \fIport\-number\fP
-.sp
 specifies the port on which the administration server listens for
 connections.  The default port is determined by the
 \fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-P\fP \fIpid_file\fP
-.sp
 specifies the file to which the PID of kadmind process should be
 written after it starts up.  This file can be used to identify
 whether kadmind is still running and to allow init scripts to stop
 the correct process.
 .TP
+.B \fB\-p\fP \fIkdb5_util_path\fP
+specifies the path to the kdb5_util command to use when dumping the
+KDB in response to full resync requests when iprop is enabled.
+.TP
+.B \fB\-K\fP \fIkprop_path\fP
+specifies the path to the kprop command to use to send full dumps
+to slaves in response to full resync requests.
+.TP
+.B \fB\-F\fP \fIdump_file\fP
+specifies the file path to be used for dumping the KDB in response
+to full resync requests when iprop is enabled.
+.TP
 .B \fB\-x\fP \fIdb_args\fP
-.sp
 specifies database\-specific arguments.
 .sp
 Options supported for LDAP database are:
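Review bot: The three new options `\-p`, `\-K` and `\-F` name the programs and dump file kadmind uses for full resync, but none states its default, and the `\-K` text omits the "when iprop is enabled" qualifier that `\-p` and `\-F` carry. Because these select which executables the admin server runs, document the default paths and make the three descriptions consistent.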
@@ -127,16 +130,13 @@ Options supported for LDAP database are:
 .INDENT 0.0
 .TP
 .B \fB\-x nconns=\fP\fInumber_of_connections\fP
-.sp
 specifies the number of connections to be maintained per
 LDAP server.
 .TP
 .B \fB\-x host=\fP\fIldapuri\fP
-.sp
 specifies the LDAP server to connect to by URI.
 .TP
 .B \fB\-x binddn=\fP\fIbinddn\fP
-.sp
 specifies the DN of the object used by the administration
 server to bind to the LDAP server.  This object should
 have read and write privileges on the realm container, the
@@ -144,7 +144,6 @@ principal container, and the subtree that is referenced by
 the realm.
 .TP
 .B \fB\-x bindpwd=\fP\fIbind_password\fP
-.sp
 specifies the password for the above mentioned binddn.
 Using this option may expose the password to other users
 on the system via the process list; to avoid this, instead
@@ -154,149 +153,13 @@ stash the password using the \fBstashsrvpw\fP command of
 .UNINDENT
 .UNINDENT
 .UNINDENT
-.SH ACL FILE SYNTAX
-.sp
-The ACL file controls which principals can or cannot perform which
-administrative functions.  For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals.  Empty lines and lines starting with the sharp sign
-(\fB#\fP) are ignored.  Lines containing ACL entries have the format:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-principal operation\-mask [operation\-target]
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Ordering is important.  The first matching entry will control access
-for an actor principal on a target principal.
-.INDENT 0.0
-.TP
-.B \fIprincipal\fP
-.sp
-may specify a partially or fully qualified Kerberos version 5
-principal name.  Each component of the name may be wildcarded
-using the \fB*\fP character.
-.TP
-.B \fIoperation\-target\fP
-.sp
-[Optional] may specify a partially or fully qualified Kerberos
-version 5 principal name.  Each component of the name may be
-wildcarded using the \fB*\fP character.
-.TP
-.B \fIoperation\-mask\fP
-.sp
-Specifies what operations may or may not be performed by a
-principal matching a particular entry.  This is a string of one or
-more of the following list of characters or their upper\-case
-counterparts.  If the character is upper\-case, then the operation
-is disallowed.  If the character is lower\-case, then the operation
-is permitted.
-.TS
-center;
-|l|l|.
-_
-T{
-a
-T}	T{
-[Dis]allows the addition of principals or policies
-T}
-_
-T{
-d
-T}	T{
-[Dis]allows the deletion of principals or policies
-T}
-_
-T{
-m
-T}	T{
-[Dis]allows the modification of principals or policies
-T}
-_
-T{
-c
-T}	T{
-[Dis]allows the changing of passwords for principals
-T}
-_
-T{
-i
-T}	T{
-[Dis]allows inquiries about principals or policies
-T}
-_
-T{
-l
-T}	T{
-[Dis]allows the listing of principals or policies
-T}
-_
-T{
-p
-T}	T{
-[Dis]allows the propagation of the principal database
-T}
-_
-T{
-x
-T}	T{
-Short for admcil.
-T}
-_
-T{
-*
-T}	T{
-Same as x.
-T}
-_
-.TE
-.sp
-Some examples of valid entries here are:
-.INDENT 7.0
-.TP
-.B \fBuser/instance at realm adm\fP
-.sp
-A standard fully qualified name.  The \fIoperation\-mask\fP only
-applies to this principal and specifies that [s]he may add,
-delete, or modify principals and policies, but not change
-anybody else\(aqs password.
-.TP
-.B \fBuser/instance at realm cim service/instance at realm\fP
-.sp
-A standard fully qualified name and a standard fully qualified
-target.  The \fIoperation\-mask\fP only applies to this principal
-operating on this target and specifies that [s]he may change
-the target\(aqs password, request information about the target,
-and modify it.
-.TP
-.B \fBuser/*@realm ac\fP
-.sp
-A wildcarded name.  The \fIoperation\-mask\fP applies to all
-principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may add principals and
-change anybody\(aqs password.
-.TP
-.B \fBuser/*@realm i */instance at realm\fP
-.sp
-A wildcarded name and target.  The \fIoperation\-mask\fP applies to
-all principals in realm \fBrealm\fP whose first component is
-\fBuser\fP and specifies that [s]he may perform inquiries on
-principals whose second component is \fBinstance\fP and realm is
-\fBrealm\fP.
-.UNINDENT
-.UNINDENT
 .SH SEE ALSO
 .sp
 \fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP,
-\fIkdb5_ldap_util(8)\fP
+\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
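Review bot: The whole ACL FILE SYNTAX section is dropped here and replaced by a single SEE ALSO reference to kadm5.acl(5), but the diffstat for this commit lists no kadm5.acl man page among the 23 regenerated files. Please confirm that a generated kadm5.acl man page is already in the tree and installed. Otherwise the operation-mask table and the first-match ordering rule are no longer available from any man page, and administrators writing ACL entries lose the reference for what each letter grants.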
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 043d768..4f1e6ba 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -45,17 +45,14 @@ services and ticket policies.
 .INDENT 0.0
 .TP
 .B \fB\-D\fP \fIuser_dn\fP
-.sp
 Specifies the Distinguished Name (DN) of the user who has
 sufficient rights to perform the operation on the LDAP server.
 .TP
 .B \fB\-w\fP \fIpasswd\fP
-.sp
 Specifies the password of \fIuser_dn\fP.  This option is not
 recommended.
 .TP
 .B \fB\-H\fP \fIldapuri\fP
-.sp
 Specifies the URI of the LDAP server.  It is recommended to use
 \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
 .UNINDENT
@@ -63,7 +60,6 @@ Specifies the URI of the LDAP server.  It is recommended to use
 .SS create
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate\fP
 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
 [\fB\-sscope\fP \fIsearch_scope\fP]
@@ -73,8 +69,6 @@ Specifies the URI of the LDAP server.  It is recommended to use
 [\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
 [\fB\-s\fP]
 [\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP]
-[\fB\-admindn\fP \fIadmin_service_list\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
 [\fIticket_flags\fP]
@@ -85,68 +79,56 @@ Creates realm in directory. Options:
 .INDENT 0.0
 .TP
 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).
 .TP
 .B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
 Specifies the scope for searching the principals under the
 subtree.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP
-.sp
 Specifies the DN of the container object in which the principals
 of a realm will be created.  If the container reference is not
 configured for a realm, the principals will be created in the
 realm container.
 .TP
 .B \fB\-k\fP \fImkeytype\fP
-.sp
 Specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
 \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
-.sp
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
 .B \fB\-m\fP
-.sp
 Specifies that the master database password should be read from
 the TTY rather than fetched from a file on the disk.
 .TP
 .B \fB\-P\fP \fIpassword\fP
-.sp
 Specifies the master database password. This option is not
 recommended.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-sf\fP \fIstashfilename\fP
-.sp
 Specifies the stash file of the master database password.
 .TP
 .B \fB\-s\fP
-.sp
 Specifies that the stash file is to be created.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
 \fIkadmin(1)\fP.
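Review bot: The added "(\fIgetdate\fP string)" label on -maxtktlife and -maxrenewlife describes a lifetime with a date format, while the kdc.conf.man part of this same patch relabels max_life and max_renewable_life as "(\fIduration\fP string.)". Please check the RST source for which type is intended for these two options. The italic term also carries no pointer in the man output to where the getdate format is defined, so consider naming the page that documents it.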
@@ -173,14 +155,11 @@ Re\-enter KDC database master key to verify:
 .SS modify
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify\fP
 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
 [\fB\-sscope\fP \fIsearch_scope\fP]
 [\fB\-containerref\fP \fIcontainer_reference_dn\fP]
 [\fB\-r\fP \fIrealm\fP]
-[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]]
-[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
 [\fIticket_flags\fP]
@@ -191,37 +170,31 @@ Modifies the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
-.sp
 Specifies the list of subtrees containing the principals of a
 realm.  The list contains the DNs of the subtree objects separated
 by colon (\fB:\fP).  This list replaces the existing list.
 .TP
 .B \fB\-sscope\fP \fIsearch_scope\fP
-.sp
 Specifies the scope for searching the principals under the
 subtrees.  The possible values are 1 or one (one level), 2 or sub
 (subtrees).
 .TP
 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
-.sp
 container object in which the principals of a realm will be
 created.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals in this realm.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals in this
-realm.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies global ticket flags for the realm.  Allowable flags are
 documented in the description of the \fBadd_principal\fP command in
 \fIkadmin(1)\fP.
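Review bot: In the -containerref entry of modify, the tag line reads ".B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the", so the first words of the description are part of the option tag rather than the body. The create entry for the same option keeps tag and description separate. This looks like the description starting on the term line in the RST source; moving it to its own indented line there and regenerating would fix the output.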
@@ -245,7 +218,6 @@ shell%
 .SS view
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBview\fP [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
 .UNINDENT
@@ -254,7 +226,6 @@ Displays the attributes of a realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -281,7 +252,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 .SS destroy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
 .UNINDENT
@@ -290,11 +260,9 @@ Destroys an existing realm. Options:
 .INDENT 0.0
 .TP
 .B \fB\-f\fP
-.sp
 If specified, will not prompt the user for confirmation.
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -318,7 +286,6 @@ shell%
 .SS list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist\fP
 .UNINDENT
 .UNINDENT
@@ -345,7 +312,6 @@ shell%
 .SS stashsrvpw
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBstashsrvpw\fP
 [\fB\-f\fP \fIfilename\fP]
 \fIservicedn\fP
@@ -358,12 +324,10 @@ to the LDAP server.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-f\fP \fIfilename\fP
-.sp
 Specifies the complete path of the service password file. By
 default, \fB/usr/local/var/service_passwd\fP is used.
 .TP
 .B \fIservicedn\fP
-.sp
 Specifies Distinguished Name (DN) of the service object whose
 password is to be stored in file.
 .UNINDENT
@@ -385,7 +349,6 @@ Re\-enter password for "cn=service\-kdc,o=org":
 .SS create_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -399,26 +362,23 @@ Creates a ticket policy in the directory.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
-.sp
-Specifies maximum ticket life for principals.
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals.
 .TP
 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
-.sp
-Specifies maximum renewable life of tickets for principals.
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals.
 .TP
 .B \fIticket_flags\fP
-.sp
 Specifies the ticket flags.  If this option is not specified, by
 default, no restriction will be set by the policy.  Allowable
 flags are documented in the description of the \fBadd_principal\fP
 command in \fIkadmin(1)\fP.
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -440,7 +400,6 @@ Password for "cn=admin,o=org":
 .SS modify_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBmodify_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
@@ -471,7 +430,6 @@ Password for "cn=admin,o=org":
 .SS view_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBview_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 \fIpolicy_name\fP
@@ -482,7 +440,6 @@ Displays the attributes of a ticket policy.  Options:
 .INDENT 0.0
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -506,7 +463,6 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
 .SS destroy_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 [\fB\-force\fP]
@@ -518,16 +474,13 @@ Destroys an existing ticket policy.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .TP
 .B \fB\-force\fP
-.sp
 Forces the deletion of the policy object.  If not specified, the
 user will be prompted for confirmation before deleting the policy.
 .TP
 .B \fIpolicy_name\fP
-.sp
 Specifies the name of the ticket policy.
 .UNINDENT
 .sp
@@ -550,7 +503,6 @@ This will delete the policy object \(aqtktpolicy\(aq, are you sure?
 .SS list_policy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_policy\fP
 [\fB\-r\fP \fIrealm\fP]
 .UNINDENT
@@ -561,7 +513,6 @@ realm.  Options:
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the Kerberos realm of the database.
 .UNINDENT
 .sp
@@ -587,6 +538,6 @@ userpolicy
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index b355138..b89ed00 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -59,46 +59,38 @@ commands.
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 specifies the Kerberos realm of the database.
 .TP
 .B \fB\-d\fP \fIdbname\fP
-.sp
 specifies the name under which the principal database is stored;
 by default the database is that listed in \fIkdc.conf(5)\fP.  The
 password policy database and lock files are also derived from this
 value.
 .TP
 .B \fB\-k\fP \fImkeytype\fP
-.sp
 specifies the key type of the master key in the database.  The
 default is given by the \fBmaster_key_type\fP variable in
 \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-kv\fP \fImkeyVNO\fP
-.sp
 Specifies the version number of the master key in the database;
 the default is 1.  Note that 0 is not allowed.
 .TP
 .B \fB\-M\fP \fImkeyname\fP
-.sp
 principal name for the master key in the database.  If not
 specified, the name is determined by the \fBmaster_key_name\fP
 variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-m\fP
-.sp
 specifies that the master database password should be read from
 the keyboard rather than fetched from a file on disk.
 .TP
 .B \fB\-sf\fP \fIstash_file\fP
-.sp
 specifies the stash filename of the master database password.  If
 not specified, the filename is determined by the
 \fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP.
 .TP
 .B \fB\-P\fP \fIpassword\fP
-.sp
 specifies the master database password.  Using this option may
 expose the password to other users on the system via the process
 list.
@@ -107,7 +99,6 @@ list.
 .SS create
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBcreate\fP [\fB\-s\fP]
 .UNINDENT
 .UNINDENT
@@ -119,7 +110,6 @@ if it had already existed when the program was first run.
 .SS destroy
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdestroy\fP [\fB\-f\fP]
 .UNINDENT
 .UNINDENT
@@ -130,17 +120,16 @@ the \fB\-f\fP argument, does not prompt the user.
 .SS stash
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
 .UNINDENT
 .UNINDENT
 .sp
 Stores the master principal\(aqs keys in a stash file.  The \fB\-f\fP
-argument can be used to override the \fIkeyfile\fP specified at startup.
+argument can be used to override the \fIkeyfile\fP specified in
+\fIkdc.conf(5)\fP.
 .SS dump
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdump\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
 [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP]
 [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
@@ -154,55 +143,50 @@ load_dump version 6".  If filename is not specified, or is the string
 .INDENT 0.0
 .TP
 .B \fB\-old\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
 format ("kdb5_edit load_dump version 2.0").
 .TP
 .B \fB\-b6\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
 load_dump version 3.0").
 .TP
 .B \fB\-b7\fP
-.sp
 causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
 load_dump version 4").  This was the dump format produced on
 releases prior to 1.2.2.
 .TP
 .B \fB\-ov\fP
-.sp
 causes the dump to be in "ovsec_adm_export" format.
 .TP
 .B \fB\-r13\fP
-.sp
 causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
 load_dump version 5").  This was the dump format produced on
 releases prior to 1.8.
 .TP
+.B \fB\-r18\fP
+causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6").  This was the dump format produced on
+releases prior to 1.11.
+.TP
 .B \fB\-verbose\fP
-.sp
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
 .B \fB\-mkey_convert\fP
-.sp
 prompts for a new master key.  This new master key will be used to
 re\-encrypt principal key data in the dumpfile.  The principal keys
 themselves will not be changed.
 .TP
 .B \fB\-new_mkey_file\fP \fImkey_file\fP
-.sp
 the filename of a stash file.  The master key in this stash file
 will be used to re\-encrypt the key data in the dumpfile.  The key
 data in the database will not be changed.
 .TP
 .B \fB\-rev\fP
-.sp
 dumps in reverse order.  This may recover principals that do not
 dump normally, in cases where database corruption has occurred.
 .TP
 .B \fB\-recurse\fP
-.sp
 causes the dump to walk the database recursively (btree only).
 This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
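Review bot: The new -r18 entry assigns "kdb5_util load_dump version 6" to releases prior to 1.11, but the unchanged description of the default format, visible in this hunk's header context, still ends with 'load_dump version 6".' If the default dump format has moved on, that sentence needs updating in the RST source. The dump and load synopsis lines also still stop at \fB\-r13\fP and do not list -r18.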
@@ -212,7 +196,6 @@ than the \fB\-rev\fP option will.
 .SS load
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBload\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
 [\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
 .UNINDENT
@@ -230,39 +213,42 @@ Options:
 .INDENT 0.0
 .TP
 .B \fB\-old\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 5 and earlier
 format ("kdb5_edit load_dump version 2.0").
 .TP
 .B \fB\-b6\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 6 format
 ("kdb5_edit load_dump version 3.0").
 .TP
 .B \fB\-b7\fP
-.sp
 requires the database to be in the Kerberos 5 Beta 7 format
 ("kdb5_util load_dump version 4").
 .TP
 .B \fB\-ov\fP
-.sp
 requires the database to be in "ovsec_adm_import" format.  Must be
 used with the \fB\-update\fP option.
 .TP
+.B \fB\-r13\fP
+requires the database to be in Kerberos 5 1.3 format ("kdb5_util
+load_dump version 5").  This was the dump format produced on
+releases prior to 1.8.
+.TP
+.B \fB\-r18\fP
+requires the database to be in Kerberos 5 1.8 format ("kdb5_util
+load_dump version 6").  This was the dump format produced on
+releases prior to 1.11.
+.TP
 .B \fB\-hash\fP
-.sp
 requires the database to be stored as a hash.  If this option is
 not specified, the database will be stored as a btree.  This
 option is not recommended, as databases stored in hash format are
 known to corrupt data and lose principals.
 .TP
 .B \fB\-verbose\fP
-.sp
 causes the name of each principal and policy to be printed as it
 is dumped.
 .TP
 .B \fB\-update\fP
-.sp
 records from the dump file are added to or updated in the existing
 database.  (This is useful in conjunction with an ovsec_adm_export
 format dump if you want to preserve per\-principal policy
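Review bot: In this load option list the -verbose entry still says each principal and policy is printed "as it is dumped", which is the wording of the dump command; for load it should say loaded. Since the hunk adds the missing -r13 and -r18 entries to bring load in line with dump, this is a good moment to fix that sentence in the RST source as well.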
@@ -277,7 +263,6 @@ line or the default.
 .SS ark
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP
 .UNINDENT
 .UNINDENT
@@ -289,7 +274,6 @@ salt types to be used for the new keys.
 .SS add_mkey
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP]
 .UNINDENT
 .UNINDENT
@@ -309,7 +293,6 @@ is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
 .SS use_mkey
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP]
 .UNINDENT
 .UNINDENT
@@ -318,8 +301,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP.
 Once a master key becomes active, it will be used to encrypt newly
 created principal keys.  If no \fItime\fP argument is given, the current
 time is used, causing the specified master key version to become
-active immediately.  The format of \fItime\fP is specified in the
-\fIdate_format\fP section of the \fIkadmin(1)\fP man page.
+active immediately.  The format for \fItime\fP is \fIgetdate\fP string.
 .sp
 After a new master key becomes active, the kdb5_util
 \fBupdate_princ_encryption\fP command can be used to update all
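Review bot: The replacement sentence "The format for \fItime\fP is \fIgetdate\fP string." drops the old pointer to the date_format section of kadmin(1) and puts nothing in its place, so a reader of this page cannot tell where the accepted time syntax is documented. Please keep a reference to the page that defines the getdate format, and add the missing article ("a getdate string").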
@@ -327,7 +309,6 @@ principal keys to be encrypted in the new master key.
 .SS list_mkeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_mkeys\fP
 .UNINDENT
 .UNINDENT
@@ -339,7 +320,6 @@ each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP.  A
 .SS purge_mkeys
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
 .UNINDENT
 .UNINDENT
@@ -350,22 +330,18 @@ keys all principal keys are protected by a newer master key.
 .INDENT 0.0
 .TP
 .B \fB\-f\fP
-.sp
 does not prompt for confirmation.
 .TP
 .B \fB\-n\fP
-.sp
 performs a dry run, showing master keys that would be purged, but
 not actually purging any keys.
 .TP
 .B \fB\-v\fP
-.sp
 gives more verbose output.
 .UNINDENT
 .SS update_princ_encryption
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
 [\fIprinc\-pattern\fP]
 .UNINDENT
@@ -386,6 +362,6 @@ showing the actions which would have been taken.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 9cbf09b..c821190 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .sp
 The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
@@ -39,6 +39,9 @@ Relations documented here may also be specified in krb5.conf.
 Normally, the kdc.conf file is found in the KDC state directory,
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP.  You can override the default location by setting the
 environment variable \fBKRB5_KDC_PROFILE\fP.
+.sp
+Please note that you need to restart the KDC daemon for any configuration
+changes to take effect.
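Review bot: The added restart notice names only the KDC daemon, but this page also documents relations read by kadmind(8), such as acl_file and kadmind_port. If kadmind likewise reads the file only at startup, the sentence should say so; an ACL change that is assumed to be live but is not is the kind of mistake this note is meant to prevent.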
 .SH STRUCTURE
 .sp
 The kdc.conf file is set up in the same format as the
@@ -63,12 +66,6 @@ Realm\-specific database configuration and settings
 T}
 _
 T{
-\fI\%[logging]\fP
-T}	T{
-Controls how Kerberos daemons perform logging
-T}
-_
-T{
 \fI\%[dbdefaults]\fP
 T}	T{
 Default database settings
@@ -80,6 +77,12 @@ T}	T{
 Per\-database settings
 T}
 _
+T{
+\fI\%[logging]\fP
+T}	T{
+Controls how Kerberos daemons perform logging
+T}
+_
 .TE
 .SS [kdcdefaults]
 .sp
@@ -89,53 +92,44 @@ subsection does not contain a relation for the tag.  See the
 \fI\%[realms]\fP section for the definitions of these relations.
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBhost_based_services\fP
 .IP \(bu 2
-.
 \fBkdc_ports\fP
 .IP \(bu 2
-.
 \fBkdc_tcp_ports\fP
 .IP \(bu 2
-.
 \fBno_host_referral\fP
 .IP \(bu 2
-.
 \fBrestrict_anonymous_to_tgt\fP
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fBkdc_max_dgram_reply_size\fP
-.sp
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
 .UNINDENT
 .SS [realms]
 .sp
-Each tag in the [realms] section of the file names a Kerberos realm.
-The value of the tag is a subsection where the relations in that
-subsection define KDC parameters for that particular realm.
+Each tag in the [realms] section is the name of a Kerberos realm.
+The value of the tag is a subsection where the relations define KDC
+parameters for that particular realm.
 .sp
-For each realm, the following tags may be specified in the [realms]
-subsection:
+For each realm, the following tags may be specified:
 .INDENT 0.0
 .TP
 .B \fBacl_file\fP
-.sp
 (String.)  Location of the access control list file that
 \fIkadmind(8)\fP uses to determine which principals are allowed
-which permissions on the database.  The default value is
-\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.
+which permissions on the Kerberos database.  The default value is
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP.  For more information on Kerberos ACL
+file see \fIkadm5.acl(5)\fP.
 .TP
 .B \fBdatabase_module\fP
-.sp
 This relation indicates the name of the configuration section
 under \fI\%[dbmodules]\fP for database specific parameters used by
 the loadable database library.
 .TP
 .B \fBdatabase_name\fP
-.sp
 (String.)  This string specifies the location of the Kerberos
 database for this realm, if the DB2 back\-end is being used.  If a
 \fBdatabase_module\fP is specified for the realm and the
@@ -144,13 +138,11 @@ value will take precedence over this one.  The default value is
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdefault_principal_expiration\fP
-.sp
-(Absolute time string.)  Specifies the default expiration date of
+(\fIabstime\fP string.)  Specifies the default expiration date of
 principals created in this realm.  The default value is 0, which
 means no expiration date.
 .TP
 .B \fBdefault_principal_flags\fP
-.sp
 (Flag string.)  Specifies the default attributes of principals
 created in this realm.  The format for this string is a
 comma\-separated list of flags, with \(aq+\(aq before each flag that
@@ -163,69 +155,57 @@ There are a number of possible flags:
 .INDENT 7.0
 .TP
 .B \fBallow\-tickets\fP
-.sp
 Enabling this flag means that the KDC will issue tickets for
 this principal.  Disabling this flag essentially deactivates
 the principal within this realm.
 .TP
 .B \fBdup\-skey\fP
-.sp
 Enabling this flag allows the principal to obtain a session
 key for another user, permitting user\-to\-user authentication
 for this principal.
 .TP
 .B \fBforwardable\fP
-.sp
 Enabling this flag allows the principal to obtain forwardable
 tickets.
 .TP
 .B \fBhwauth\fP
-.sp
 If this flag is enabled, then the principal is required to
 preauthenticate using a hardware device before receiving any
 tickets.
 .TP
 .B \fBno\-auth\-data\-required\fP
-.sp
-Enabling this flag prvents PAC data from being added to the
-service tickets.
+Enabling this flag prevents PAC data from being added to
+service tickets for the principal.
 .TP
 .B \fBok\-as\-delegate\fP
-.sp
 If this flag is enabled, it hints the client that credentials
 can and should be delegated when authenticating to the
 service.
 .TP
 .B \fBok\-to\-auth\-as\-delegate\fP
-.sp
-Enabling this flag allows the principal to use S4USelf ticket.
+Enabling this flag allows the principal to use S4USelf tickets.
 .TP
 .B \fBpostdateable\fP
-.sp
 Enabling this flag allows the principal to obtain postdateable
 tickets.
 .TP
 .B \fBpreauth\fP
-.sp
 If this flag is enabled on a client principal, then that
 principal is required to preauthenticate to the KDC before
 receiving any tickets.  On a service principal, enabling this
 flag means that service tickets for this principal will only
 be issued to clients with a TGT that has the preauthenticated
-ticket set.
+bit set.
 .TP
 .B \fBproxiable\fP
-.sp
 Enabling this flag allows the principal to obtain proxy
 tickets.
 .TP
 .B \fBpwchange\fP
-.sp
 Enabling this flag forces a password change for this
 principal.
 .TP
 .B \fBpwservice\fP
-.sp
 If this flag is enabled, it marks this principal as a password
 change service.  This should only be used in special cases,
 for example, if a user\(aqs password has expired, then the user
@@ -234,60 +214,56 @@ the normal password authentication in order to be able to
 change the password.
 .TP
 .B \fBrenewable\fP
-.sp
 Enabling this flag allows the principal to obtain renewable
 tickets.
 .TP
 .B \fBservice\fP
-.sp
 Enabling this flag allows the the KDC to issue service tickets
 for this principal.
 .TP
 .B \fBtgt\-based\fP
-.sp
 Enabling this flag allows a principal to obtain tickets based
 on a ticket\-granting\-ticket, rather than repeating the
 authentication process that was used to obtain the TGT.
 .UNINDENT
 .TP
 .B \fBdict_file\fP
-.sp
 (String.)  Location of the dictionary file containing strings that
 are not allowed as passwords.  If none is specified or if there is
 no policy assigned to the principal, no dictionary checks of
 passwords will be performed.
 .TP
 .B \fBhost_based_services\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
 not marked as host\-based by the client.
 .TP
 .B \fBiprop_enable\fP
-.sp
 (Boolean value.)  Specifies whether incremental database
 propagation is enabled.  The default value is false.
 .TP
 .B \fBiprop_master_ulogsize\fP
-.sp
 (Integer.)  Specifies the maximum number of log entries to be
 retained for incremental propagation.  The maximum value is 2500;
 the default value is 1000.
 .TP
 .B \fBiprop_slave_poll\fP
-.sp
 (Delta time string.)  Specifies how often the slave KDC polls for
 new updates from the master.  The default value is \fB2m\fP (that
 is, two minutes).
 .TP
 .B \fBiprop_port\fP
-.sp
 (Port number.)  Specifies the port number to be used for
 incremental propagation.  This is required in both master and
 slave configuration files.
 .TP
+.B \fBiprop_resync_timeout\fP
+(Delta time string.)  Specifies the amount of time to wait for a
+full propagation to complete.  This is optional in configuration
+files, and is used by slave KDCs only.  The default value is 5
+minutes (\fB5m\fP).
+.TP
 .B \fBiprop_logfile\fP
-.sp
 (File name.)  Specifies where the update log file for the realm
 database is to be stored.  The default is to use the
 \fBdatabase_name\fP entry from the realms section of the krb5 config
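Review bot: The newly added iprop_resync_timeout entry is typed "(Delta time string.)", and iprop_slave_poll keeps the same label, while a later hunk in this file changes max_life and max_renewable_life from "Delta time string" to "(\fIduration\fP string.)". Please use one term for time intervals throughout the page. The context line for the service flag also still reads "allows the the KDC".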
@@ -299,18 +275,15 @@ back end is being used, or the file name is specified in the
 default value will not use values from the [dbmodules] section.)
 .TP
 .B \fBkadmind_port\fP
-.sp
 (Port number.)  Specifies the port on which the \fIkadmind(8)\fP
 daemon is to listen for this realm.  The assigned port for kadmind
-is 749.
+is 749, which is used by default.
 .TP
 .B \fBkey_stash_file\fP
-.sp
 (String.)  Specifies the location where the master key has been
 stored (via kdb5_util stash).  The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
 .TP
 .B \fBkdc_ports\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for UDP requests, as a
 comma\-separated list of integers.  The default value is
@@ -318,7 +291,6 @@ comma\-separated list of integers.  The default value is
 historically used by Kerberos V4.
 .TP
 .B \fBkdc_tcp_ports\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for TCP connections, as a
 comma\-separated list of integers.  If this relation is not
@@ -330,38 +302,39 @@ has little protection against denial\-of\-service attacks), the
 standard port number assigned for Kerberos TCP traffic is port 88.
 .TP
 .B \fBmaster_key_name\fP
-.sp
 (String.)  Specifies the name of the principal associated with the
 master key.  The default is \fBK/M\fP.
 .TP
 .B \fBmaster_key_type\fP
-.sp
 (Key type string.)  Specifies the master key\(aqs key type.  The
 default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP.  For a list of all possible
 values, see \fI\%Encryption and salt types\fP.
 .TP
 .B \fBmax_life\fP
-.sp
-(Delta time string.)  Specifies the maximum time period for which
-a ticket may be valid in this realm.  The default value is 24
-hours.
+(\fIduration\fP string.)  Specifies the maximum time period for
+which a ticket may be valid in this realm.  The default value is
+24 hours.
 .TP
 .B \fBmax_renewable_life\fP
-.sp
-(Delta time string.)  Specifies the maximum time period during
-which a valid ticket may be renewed in this realm.  The default
-value is 0.
+(\fIduration\fP string.)  Specifies the maximum time period
+during which a valid ticket may be renewed in this realm.
+The default value is 0.
 .TP
 .B \fBno_host_referral\fP
-.sp
 (Whitespace\- or comma\-separated list.)  Lists services to block
 from getting host\-based referral processing, even if the client
 marks the server principal as host\-based or the service is also
 listed in \fBhost_based_services\fP.  \fBno_host_referral = *\fP will
 disable referral processing altogether.
 .TP
+.B \fBdes_crc_session_supported\fP
+(Boolean value).  If set to true, the KDC will assume that service
+principals support des\-cbc\-crc for session key enctype negotiation
+purposes.  If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
+false, or if des\-cbc\-crc is not a permitted enctype, then this
+variable has no effect.  Defaults to true.
+.TP
 .B \fBreject_bad_transit\fP
-.sp
 (Boolean value.)  If set to true, the KDC will check the list of
 transited realms for cross\-realm tickets against the transit path
 computed from the realm names and the capaths section of its
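
Review bot: The new des_crc_session_supported entry states "Defaults to true" without spelling out the consequence for a realm that has allow_weak_crypto enabled for other reasons: the KDC will then assume des-cbc-crc session key support for service principals unless the administrator sets this to false. Please say that explicitly in the RST source and reference krb5.conf(5) for allow_weak_crypto, since "\fIlibdefaults\fP" alone does not tell the reader which file is meant. Two smaller points in the same entry: it is inserted between no_host_referral and reject_bad_transit, which breaks the alphabetical order of the visible entries, and it is written "(Boolean value)." where the neighbouring entries use "(Boolean value.)".
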
@@ -383,7 +356,6 @@ only to TGS requests.
 The default value is true.
 .TP
 .B \fBrestrict_anonymous_to_tgt\fP
-.sp
 (Boolean value.)  If set to true, the KDC will reject ticket
 requests from anonymous principals to service principals other
 than the realm\(aqs ticket\-granting service.  This option allows
@@ -392,97 +364,12 @@ without allowing anonymous authentication to services.  The
 default value is false.
 .TP
 .B \fBsupported_enctypes\fP
-.sp
 (List of \fIkey\fP:\fIsalt\fP strings.)  Specifies the default key/salt
 combinations of principals for this realm.  Any principals created
 through \fIkadmin(1)\fP will have keys of these types.  The
 default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP.  For lists of
 possible values, see \fI\%Encryption and salt types\fP.
 .UNINDENT
-.SS [logging]
-.sp
-The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging.  The keys in this section are
-daemon names, which may be one of:
-.INDENT 0.0
-.TP
-.B \fBadmin_server\fP
-.sp
-Specifies how \fIkadmind(8)\fP performs logging.
-.TP
-.B \fBkdc\fP
-.sp
-Specifies how \fIkrb5kdc(8)\fP performs logging.
-.TP
-.B \fBdefault\fP
-.sp
-Specifies how either daemon performs logging in the absence of
-relations specific to the daemon.
-.UNINDENT
-.sp
-Values are of the following forms:
-.INDENT 0.0
-.TP
-.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-\fIfilename\fP.  If the \fB=\fP form is used, the file is overwritten.
-If the \fB:\fP form is used, the file is appended to.
-.TP
-.B \fBSTDERR\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to its
-standard error stream.
-.TP
-.B \fBCONSOLE\fP
-.sp
-This value causes the daemon\(aqs logging messages to go to the
-console, if the system supports it.
-.TP
-.B \fBDEVICE=\fP\fI<devicename>\fP
-.sp
-This causes the daemon\(aqs logging messages to go to the specified
-device.
-.TP
-.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
-.sp
-This causes the daemon\(aqs logging messages to go to the system log.
-.sp
-The severity argument specifies the default severity of system log
-messages.  This may be any of the following severities supported
-by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
-\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
-and \fBDEBUG\fP.
-.sp
-The facility argument specifies the facility under which the
-messages are logged.  This may be any of the following facilities
-supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
-\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
-\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
-.sp
-If no severity is specified, the default is \fBERR\fP.  If no
-facility is specified, the default is \fBAUTH\fP.
-.UNINDENT
-.sp
-In the following example, the logging messages from the KDC will go to
-the console and to the system log under the facility LOG_DAEMON with
-default severity of LOG_INFO; and the logging messages from the
-administrative server will be appended to the file
-\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-[logging]
-    kdc = CONSOLE
-    kdc = SYSLOG:INFO:DAEMON
-    admin_server = FILE:/var/adm/kadmin.log
-    admin_server = DEVICE=/dev/tty04
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
 .SS [dbdefaults]
 .sp
 The [dbdefaults] section specifies default values for some database
@@ -491,33 +378,27 @@ a relation for the tag.  See the \fI\%[dbmodules]\fP section for the
 definitions of these relations.
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBldap_kerberos_container_dn\fP
 .IP \(bu 2
-.
 \fBldap_kdc_dn\fP
 .IP \(bu 2
-.
 \fBldap_kadmind_dn\fP
 .IP \(bu 2
-.
 \fBldap_service_password_file\fP
 .IP \(bu 2
-.
 \fBldap_servers\fP
 .IP \(bu 2
-.
 \fBldap_conns_per_server\fP
 .UNINDENT
 .SS [dbmodules]
 .sp
 The [dbmodules] section contains parameters used by the KDC database
-library and database modules.  The following tag may be specified
-in the [dbmodules] section:
+library and database modules.
+.sp
+The following tag may be specified in the [dbmodules] section:
 .INDENT 0.0
 .TP
 .B \fBdb_module_dir\fP
-.sp
 This tag controls where the plugin system looks for modules.  The
 value should be an absolute path.
 .UNINDENT
@@ -529,45 +410,40 @@ the subsection:
 .INDENT 0.0
 .TP
 .B \fBdatabase_name\fP
-.sp
 This DB2\-specific tag indicates the location of the database in
 the filesystem.  The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP.
 .TP
 .B \fBdb_library\fP
-.sp
 This tag indicates the name of the loadable database module.  The
 value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the
 LDAP module.
 .TP
 .B \fBdisable_last_success\fP
-.sp
 If set to \fBtrue\fP, suppresses KDC updates to the "Last successful
 authentication" field of principal entries requiring
 preauthentication.  Setting this flag may improve performance.
 (Principal entries which do not require preauthentication never
-update the "Last successful authentication" field.).
+update the "Last successful authentication" field.).  First
+introduced in version 1.9.
 .TP
 .B \fBdisable_lockout\fP
-.sp
 If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
 authentication" and "Failed password attempts" fields of principal
 entries requiring preauthentication.  Setting this flag may
-improve performance, but also disables account lockout.
+improve performance, but also disables account lockout.  First
+introduced in version 1.9.
 .TP
 .B \fBldap_conns_per_server\fP
-.sp
 This LDAP\-specific tag indicates the number of connections to be
 maintained per LDAP server.
 .TP
 .B \fBldap_kadmind_dn\fP
-.sp
 This LDAP\-specific tag indicates the default bind DN for the
 \fIkadmind(8)\fP daemon.  kadmind does a login to the directory
 as this object.  This object should have the rights to read and
 write the Kerberos data in the LDAP database.
 .TP
 .B \fBldap_kdc_dn\fP
-.sp
 This LDAP\-specific tag indicates the default bind DN for the
 \fIkrb5kdc(8)\fP daemon.  The KDC does a login to the directory
 as this object.  This object should have the rights to read the
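
Review bot: In disable_last_success the rewritten line still ends the parenthetical with "field.).", so the stray period after the closing parenthesis is carried into the new text; drop it in the RST source while this sentence is being touched. "First introduced in version 1.9." appears twice here and says "version" where the kinit page in this same patch says "As of release 1.8"; pick one term and use it in both pages.
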
@@ -575,12 +451,10 @@ Kerberos data in the LDAP database, and to write data unless
 \fBdisable_lockout\fP and \fBdisable_last_success\fP are true.
 .TP
 .B \fBldap_kerberos_container_dn\fP
-.sp
 This LDAP\-specific tag indicates the DN of the container object
 where the realm objects will be located.
 .TP
 .B \fBldap_servers\fP
-.sp
 This LDAP\-specific tag indicates the list of LDAP servers that the
 Kerberos servers can connect to.  The list of LDAP servers is
 whitespace\-separated.  The LDAP server is specified by a LDAP URI.
@@ -588,15 +462,89 @@ It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect
 to the LDAP server.
 .TP
 .B \fBldap_service_password_file\fP
-.sp
 This LDAP\-specific tag indicates the file containing the stashed
 passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kadmind_dn\fP and \fBldap_kdc_dn\fP objects.  This file must
 be kept secure.
 .UNINDENT
+.SS [logging]
+.sp
+The [logging] section indicates how \fIkrb5kdc(8)\fP and
+\fIkadmind(8)\fP perform logging.  The keys in this section are
+daemon names, which may be one of:
+.INDENT 0.0
+.TP
+.B \fBadmin_server\fP
+Specifies how \fIkadmind(8)\fP performs logging.
+.TP
+.B \fBkdc\fP
+Specifies how \fIkrb5kdc(8)\fP performs logging.
+.TP
+.B \fBdefault\fP
+Specifies how either daemon performs logging in the absence of
+relations specific to the daemon.
+.UNINDENT
+.sp
+Values are of the following forms:
+.INDENT 0.0
+.TP
+.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
+This value causes the daemon\(aqs logging messages to go to the
+\fIfilename\fP.  If the \fB=\fP form is used, the file is overwritten.
+If the \fB:\fP form is used, the file is appended to.
+.TP
+.B \fBSTDERR\fP
+This value causes the daemon\(aqs logging messages to go to its
+standard error stream.
+.TP
+.B \fBCONSOLE\fP
+This value causes the daemon\(aqs logging messages to go to the
+console, if the system supports it.
+.TP
+.B \fBDEVICE=\fP\fI<devicename>\fP
+This causes the daemon\(aqs logging messages to go to the specified
+device.
+.TP
+.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]]
+This causes the daemon\(aqs logging messages to go to the system log.
+.sp
+The severity argument specifies the default severity of system log
+messages.  This may be any of the following severities supported
+by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP,
+\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP,
+and \fBDEBUG\fP.
+.sp
+The facility argument specifies the facility under which the
+messages are logged.  This may be any of the following facilities
+supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP,
+\fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP,
+\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP.
+.sp
+If no severity is specified, the default is \fBERR\fP.  If no
+facility is specified, the default is \fBAUTH\fP.
+.UNINDENT
+.sp
+In the following example, the logging messages from the KDC will go to
+the console and to the system log under the facility LOG_DAEMON with
+default severity of LOG_INFO; and the logging messages from the
+administrative server will be appended to the file
+\fB/var/adm/kadmin.log\fP and sent to the device \fB/dev/tty04\fP.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[logging]
+    kdc = CONSOLE
+    kdc = SYSLOG:INFO:DAEMON
+    admin_server = FILE:/var/adm/kadmin.log
+    admin_server = DEVICE=/dev/tty04
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
-.
 The following are pkinit\-specific options.  These values may
 be specified in [kdcdefaults] as global defaults, or within
 a realm\-specific subsection of [realms].  Also note that a
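
Review bot: The [logging] section is moved here unchanged, so its inconsistencies come along: the placeholder is written "\fIfilename\fP" for FILE but "\fI<devicename>\fP" with angle brackets for DEVICE, and "minus the \fBLOG_\fP prefix" is bold and set off by a comma in the severity paragraph but plain "minus the LOG_ prefix" in the facility paragraph. Since the block is being relocated anyway, fix both in the RST source. It would also help to say next to the example why it uses "FILE:" rather than "FILE=", given that the text above states the "=" form overwrites the file.
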
@@ -605,7 +553,6 @@ realm\-specific value over\-rides, does not add to, a generic
 .RE
 .INDENT 0.0
 .IP 1. 3
-.
 realm\-specific subsection of [realms],
 .INDENT 3.0
 .INDENT 3.5
@@ -614,14 +561,13 @@ realm\-specific subsection of [realms],
 .ft C
 [realms]
     EXAMPLE.COM = {
-        pkinit_anchors = FILE\e:/usr/local/example.com.crt
+        pkinit_anchors = FILE:/usr/local/example.com.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-.
 generic value in the [kdcdefaults] section.
 .INDENT 3.0
 .INDENT 3.5
@@ -629,7 +575,7 @@ generic value in the [kdcdefaults] section.
 .nf
 .ft C
 [kdcdefaults]
-    pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
 .ft P
 .fi
 .UNINDENT
@@ -642,19 +588,16 @@ For information about the syntax of some of these options, see
 .INDENT 0.0
 .TP
 .B \fBpkinit_anchors\fP
-.sp
 Specifies the location of trusted anchor (root) certificates which
 the KDC trusts to sign client certificates.  This option is
 required if pkinit is to be supported by the KDC.  This option may
 be specified multiple times.
 .TP
 .B \fBpkinit_dh_min_bits\fP
-.sp
 Specifies the minimum number of bits the KDC is willing to accept
 for a client\(aqs Diffie\-Hellman key.  The default is 2048.
 .TP
 .B \fBpkinit_allow_upn\fP
-.sp
 Specifies that the KDC is willing to accept client certificates
 with the Microsoft UserPrincipalName (UPN) Subject Alternative
 Name (SAN).  This means the KDC accepts the binding of the UPN in
@@ -666,60 +609,50 @@ the id\-pkinit\-san as defined in \fI\%RFC 4556\fP.  There is currently
 no option to disable SAN checking in the KDC.
 .TP
 .B \fBpkinit_eku_checking\fP
-.sp
 This option specifies what Extended Key Usage (EKU) values the KDC
 is willing to accept in client certificates.  The values
 recognized in the kdc.conf file are:
 .INDENT 7.0
 .TP
 .B \fBkpClientAuth\fP
-.sp
 This is the default value and specifies that client
 certificates must have the id\-pkinit\-KPClientAuth EKU as
 defined in \fI\%RFC 4556\fP.
 .TP
 .B \fBscLogin\fP
-.sp
 If scLogin is specified, client certificates with the
 Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be
 accepted.
 .TP
 .B \fBnone\fP
-.sp
 If none is specified, then client certificates will not be
 checked to verify they have an acceptable EKU.  The use of
 this option is not recommended.
 .UNINDENT
 .TP
 .B \fBpkinit_identity\fP
-.sp
 Specifies the location of the KDC\(aqs X.509 identity information.
 This option is required if pkinit is to be supported by the KDC.
 .TP
 .B \fBpkinit_kdc_ocsp\fP
-.sp
 Specifies the location of the KDC\(aqs OCSP.
 .TP
 .B \fBpkinit_mapping_file\fP
-.sp
 Specifies the name of the ACL pkinit mapping file.  This file maps
 principals to the certificates that they can use.
 .TP
 .B \fBpkinit_pool\fP
-.sp
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_revoke\fP
-.sp
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the KDC when verifying the validity of
 client certificates.  This option may be specified multiple times.
 .TP
 .B \fBpkinit_require_crl_checking\fP
-.sp
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -916,11 +849,30 @@ Here\(aqs an example of a kdc.conf file:
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3\-hmac\-sha1
         supported_enctypes = des3\-hmac\-sha1:normal des\-cbc\-crc:normal des\-cbc\-crc:v4
+        database_module = openldap_ldapconf
     }
 
 [logging]
     kdc = FILE:/usr/local/var/krb5kdc/kdc.log
     admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+
+[dbdefaults]
+    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+    openldap_ldapconf = {
+        db_library = kldap
+        disable_last_success = true
+        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
+            # this object needs to have read rights on
+            # the realm container and principal subtrees
+        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
+            # this object needs to have read and write rights on
+            # the realm container and principal subtrees
+        ldap_service_password_file = /etc/kerberos/service.keyfile
+        ldap_servers = ldaps://kerberos.mit.edu
+        ldap_conns_per_server = 5
+    }
 .ft P
 .fi
 .UNINDENT
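
Review bot: In the added [dbmodules] example, ldap_kdc_dn and ldap_kadmind_dn are both set to "cn=krbadmin,dc=mit,dc=edu", yet the comments give them different rights (read for the KDC, read and write for kadmind), so as written the KDC binds with an object that has write access. Use two distinct DNs so the example models the separation the comments describe. The ldap_kdc_dn comment also says only read rights are needed, but the example sets disable_last_success = true without disable_lockout, and the ldap_kdc_dn description earlier in this file says the KDC needs to write data unless both are true; the comment should be corrected to match (setting disable_lockout = true would also make it accurate, at the cost of account lockout).
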
@@ -930,10 +882,10 @@ Here\(aqs an example of a kdc.conf file:
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP
 .SH SEE ALSO
 .sp
-\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP
+\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c178522..0832c65 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -46,17 +46,14 @@ credentials cache is destroyed.
 .INDENT 0.0
 .TP
 .B \fB\-A\fP
-.sp
 Destroys all caches in the collection, if a cache collection is
 available.
 .TP
 .B \fB\-q\fP
-.sp
 Run quietly.  Normally kdestroy beeps if it fails to destroy the
 user\(aqs tickets.  The \fB\-q\fP flag suppresses this behavior.
 .TP
 .B \fB\-c\fP \fIcache_name\fP
-.sp
 Use \fIcache_name\fP as the credentials (ticket) cache name and
 location; if this option is not used, the default cache name and
 location are used.
@@ -76,7 +73,6 @@ kdestroy uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -87,10 +83,8 @@ to be present in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB at CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
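
Review bot: Replacing "/tmp/krb5cc_[uid]" with the CCNAME substitution token also removes "([uid] is the decimal UID of the user)", so the FILES entry no longer explains any per-user component of the default cache name. Please keep a short explanation in the description, and confirm that the installed page has the token expanded, since the same substitution is used in the kinit and klist FILES sections of this patch.
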
@@ -98,6 +92,6 @@ decimal UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4d88691..257cc98 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -60,110 +60,82 @@ kinit obtains and caches an initial ticket\-granting ticket for
 .INDENT 0.0
 .TP
 .B \fB\-V\fP
-.sp
 display verbose output.
 .TP
 .B \fB\-l\fP \fIlifetime\fP
+(\fIduration\fP string.)  Requests a ticket with the lifetime
+\fIlifetime\fP.
 .sp
-requests a ticket with the lifetime \fIlifetime\fP.  The integer value
-for \fIlifetime\fP must be followed immediately by one of the
-following delimiters:
-.INDENT 7.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-s  seconds
-m  minutes
-h  hours
-d  days
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-as in \fBkinit \-l 90m\fP.  You cannot mix units; a value of
-\fB3h30m\fP will result in an error.
+For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP.
 .sp
 If the \fB\-l\fP option is not specified, the default ticket lifetime
 (configured by each site) is used.  Specifying a ticket lifetime
 longer than the maximum ticket lifetime (configured by each site)
-results in a ticket with the maximum lifetime.
+will not override the configured maximum ticket lifetime.
 .TP
 .B \fB\-s\fP \fIstart_time\fP
+(\fIduration\fP string.)  Requests a postdated ticket.  Postdated
+tickets are issued with the \fBinvalid\fP flag set, and need to be
+resubmitted to the KDC for validation before use.
 .sp
-requests a postdated ticket, valid starting at \fIstart_time\fP.
-Postdated tickets are issued with the \fBinvalid\fP flag set, and
-need to be resubmitted to the KDC for validation before use.
+\fIstart_time\fP specifies the duration of the delay before the ticket
+can become valid.
 .TP
 .B \fB\-r\fP \fIrenewable_life\fP
-.sp
-requests renewable tickets, with a total lifetime of
-\fIrenewable_life\fP.  The duration is in the same format as the
-\fB\-l\fP option, with the same delimiters.
+(\fIduration\fP string.)  Requests renewable tickets, with a total
+lifetime of \fIrenewable_life\fP.
 .TP
 .B \fB\-f\fP
-.sp
 requests forwardable tickets.
 .TP
 .B \fB\-F\fP
-.sp
 requests non\-forwardable tickets.
 .TP
 .B \fB\-p\fP
-.sp
 requests proxiable tickets.
 .TP
 .B \fB\-P\fP
-.sp
 requests non\-proxiable tickets.
 .TP
 .B \fB\-a\fP
-.sp
 requests tickets restricted to the host\(aqs local address[es].
 .TP
 .B \fB\-A\fP
-.sp
 requests tickets not restricted by address.
 .TP
 .B \fB\-C\fP
-.sp
 requests canonicalization of the principal name, and allows the
 KDC to reply with a different client principal from the one
 requested.
 .TP
 .B \fB\-E\fP
-.sp
 treats the principal name as an enterprise name (implies the
 \fB\-C\fP option).
 .TP
 .B \fB\-v\fP
-.sp
 requests that the ticket\-granting ticket in the cache (with the
 \fBinvalid\fP flag set) be passed to the KDC for validation.  If the
 ticket is within its requested time range, the cache is replaced
 with the validated ticket.
 .TP
 .B \fB\-R\fP
-.sp
 requests renewal of the ticket\-granting ticket.  Note that an
 expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
 .TP
-.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-.sp
+.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
 The location of the keytab may be specified with the \fB\-t\fP
-\fIkeytab_file\fP option; otherwise the default keytab will be used.
-By default, a host ticket for the local host is requested, but any
-principal may be specified.  On a KDC, the special keytab location
-\fBKDB:\fP can be used to indicate that kinit should open the KDC
-database and look up the key directly.  This permits an
+\fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
+of the default client keytab; otherwise the default keytab will be
+used.  By default, a host ticket for the local host is requested,
+but any principal may be specified.  On a KDC, the special keytab
+location \fBKDB:\fP can be used to indicate that kinit should open
+the KDC database and look up the key directly.  This permits an
 administrator to obtain tickets as any principal that supports
 authentication based on the key.
 .TP
 .B \fB\-n\fP
-.sp
 Requests anonymous processing.  Two types of anonymous principals
 are supported.
 .sp
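
Review bot: The rewritten -l text replaces "results in a ticket with the maximum lifetime" with "will not override the configured maximum ticket lifetime", which no longer tells the reader whether an over-long request is clamped or rejected; please keep the explicit outcome. The unit table and the "You cannot mix units" rule are removed and the example now shows "5:30" and "5h30m", but nothing in this page says where the \fIduration\fP format is defined, so add a cross-reference. For -s, "(duration string.)" together with "the duration of the delay before the ticket can become valid" reads differently from the old "valid starting at start_time"; state explicitly whether only a relative delay is accepted. In -k, "otherwise the default keytab will be used" now sits next to "the default client keytab", and the two defaults should be distinguished by name.
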
@@ -184,7 +156,6 @@ As of release 1.8, the MIT Kerberos KDC only supports fully
 anonymous operation.
 .TP
 .B \fB\-T\fP \fIarmor_ccache\fP
-.sp
 Specifies the name of a credentials cache that already contains a
 ticket.  If supported by the KDC, this cache will be used to armor
 the request, preventing offline dictionary attacks and allowing
@@ -193,7 +164,6 @@ makes sure that the response from the KDC is not modified in
 transit.
 .TP
 .B \fB\-c\fP \fIcache_name\fP
-.sp
 use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
 location.  If this option is not used, the default cache location
 is used.
@@ -208,12 +178,10 @@ primary cache.  Otherwise, any existing contents of the default
 cache are destroyed by kinit.
 .TP
 .B \fB\-S\fP \fIservice_name\fP
-.sp
 specify an alternate service name to use when getting initial
 tickets.
 .TP
 .B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
-.sp
 specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
 interpreted by pre\-authentication modules.  The acceptable
 attribute and value values vary from module to module.  This
@@ -225,15 +193,12 @@ pre\-authentication mechanism:
 .INDENT 7.0
 .TP
 .B \fBX509_user_identity\fP=\fIvalue\fP
-.sp
 specify where to find user\(aqs X509 identity information
 .TP
 .B \fBX509_anchors\fP=\fIvalue\fP
-.sp
 specify where to find trusted X509 anchor information
 .TP
 .B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
-.sp
 specify use of RSA, rather than the default Diffie\-Hellman
 protocol
 .UNINDENT
@@ -244,7 +209,6 @@ kinit uses the following environment variables:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials cache, in the form
 \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the \fBFILE\fP
 type is assumed.  The type of the default cache may determine the
@@ -255,13 +219,10 @@ in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB at CCNAME@\fP
+default location of Kerberos 5 credentials cache
 .TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB at KTNAME@\fP
 default location for the local host\(aqs keytab.
 .UNINDENT
 .SH SEE ALSO
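
Review bot: FILES lists only the CCNAME and KTNAME defaults, but the -k description earlier in this file now introduces a separate default client keytab selected with -i; add an entry for its default location so the reader can tell which file each option reads. The new credentials cache description also ends without a period while the keytab entry below it keeps one.
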
@@ -270,6 +231,6 @@ default location for the local host\(aqs keytab.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index 80b1f12..cb074d1 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -28,13 +28,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
 \fBklist\fP
 [\fB\-e\fP]
 [[\fB\-c\fP] [\fB\-l\fP] [\fB\-A\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]]
+[\fB\-C\fP]
 [\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]]
 [\fB\-V\fP]
 [\fIcache_name\fP|\fIkeytab_name\fP]
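
Review bot: The synopsis gains [\fB\-C\fP] but not -i, although the OPTIONS hunk further down adds \fB\-i\fP as a modifier of -k; the keytab group should be extended (for example "[-k [-i] [-t] [-K]]") so synopsis and options agree. [\fB\-C\fP] is also placed on its own line outside the credentials cache group even though its description is about data stored in the credentials cache; moving it into that group would show which mode it applies to.
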
@@ -46,28 +47,23 @@ credentials cache, or the keys held in a keytab file.
 .INDENT 0.0
 .TP
 .B \fB\-e\fP
-.sp
 Displays the encryption types of the session key and the ticket
 for each credential in the credential cache, or each key in the
 keytab file.
 .TP
 .B \fB\-l\fP
-.sp
 If a cache collection is available, displays a table summarizing
 the caches present in the collection.
 .TP
 .B \fB\-A\fP
-.sp
 If a cache collection is available, displays the contents of all
 of the caches in the collection.
 .TP
 .B \fB\-c\fP
-.sp
 List tickets held in a credentials cache. This is the default if
 neither \fB\-c\fP nor \fB\-k\fP is specified.
 .TP
 .B \fB\-f\fP
-.sp
 Shows the flags present in the credentials, using the following
 abbreviations:
 .INDENT 7.0
@@ -95,36 +91,39 @@ a    anonymous
 .UNINDENT
 .TP
 .B \fB\-s\fP
-.sp
 Causes klist to run silently (produce no output), but to still set
 the exit status according to whether it finds the credentials
 cache.  The exit status is \(aq0\(aq if klist finds a credentials cache,
 and \(aq1\(aq if it does not or if the tickets are expired.
 .TP
 .B \fB\-a\fP
-.sp
 Display list of addresses in credentials.
 .TP
 .B \fB\-n\fP
-.sp
 Show numeric addresses instead of reverse\-resolving addresses.
 .TP
+.B \fB\-C\fP
+List configuration data that has been stored in the credentials
+cache when klist encounters it.  By default, configuration data
+is not listed.
+.TP
 .B \fB\-k\fP
-.sp
 List keys held in a keytab file.
 .TP
+.B \fB\-i\fP
+In combination with \fB\-k\fP, defaults to using the default client
+keytab instead of the default acceptor keytab, if no name is
+given.
+.TP
 .B \fB\-t\fP
-.sp
 Display the time entry timestamps for each keytab entry in the
 keytab file.
 .TP
 .B \fB\-K\fP
-.sp
 Display the value of the encryption key in each keytab entry in
 the keytab file.
 .TP
 .B \fB\-V\fP
-.sp
 Display the Kerberos version number and exit.
 .UNINDENT
 .sp
@@ -138,7 +137,6 @@ klist uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -149,13 +147,10 @@ to be present in the collection.
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([uid] is the
-decimal UID of the user).
+.B \fB at CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .TP
-.B \fB/etc/krb5.keytab\fP
-.sp
+.B \fB at KTNAME@\fP
 Default location for the local host\(aqs keytab file.
 .UNINDENT
 .SH SEE ALSO
@@ -164,6 +159,6 @@ Default location for the local host\(aqs keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 0aab125..177091f 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -48,7 +48,6 @@ characters.)
 .INDENT 0.0
 .TP
 .B \fIprincipal\fP
-.sp
 Change the password for the Kerberos principal principal.
 Otherwise, kpasswd uses the principal name from an existing ccache
 if there is one; if not, the principal is derived from the
@@ -60,6 +59,6 @@ identity of the user invoking the kpasswd command.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 210e6a3..f7a3792 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -49,26 +49,21 @@ specified by \fIslave_host\fP.  The dump file must be created by
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the realm of the master server.
 .TP
 .B \fB\-f\fP \fIfile\fP
-.sp
 Specifies the filename where the dumped principal database file is
 to be found; by default the dumped database file is normally
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP.
 .TP
 .B \fB\-P\fP \fIport\fP
-.sp
 Specifies the port to use to contact the \fIkpropd(8)\fP server
 on the remote host.
 .TP
 .B \fB\-d\fP
-.sp
 Prints debugging information.
 .TP
 .B \fB\-s\fP \fIkeytab\fP
-.sp
 Specifies the location of the keytab file.
 .UNINDENT
 .SH ENVIRONMENT
@@ -76,7 +71,6 @@ Specifies the location of the keytab file.
 \fIkprop\fP uses the following environment variable:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .UNINDENT
 .SH SEE ALSO
@@ -85,6 +79,6 @@ Specifies the location of the keytab file.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index e6da04b..c429401 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -40,7 +40,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-p\fP \fIkdb5_util_prog\fP]
 [\fB\-P\fP \fIport\fP]
 [\fB\-d\fP]
-[\fB\-S\fP]
 .SH DESCRIPTION
 .sp
 The \fIkpropd\fP command runs on the slave KDC server.  It listens for
@@ -56,8 +55,9 @@ Kerberos server to use \fIkprop(8)\fP to propagate its database to
 the slave servers.  Upon a successful download of the KDC database
 file, the slave Kerberos server will have an up\-to\-date KDC database.
 .sp
-Normally, kpropd is invoked out of inetd(8).  This is done by adding
-a line to the \fB/etc/inetd.conf\fP file which looks like this:
+Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service.  This is done by adding a line to
+the \fB/etc/inetd.conf\fP file which looks like this:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -69,9 +69,9 @@ kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
 .UNINDENT
 .UNINDENT
 .sp
-kpropd can also run as a standalone daemon by specifying the \fB\-S\fP
-option.  This is done for debugging purposes, or if for some reason
-the system administrator just doesn\(aqt want to run it out of inetd(8).
+kpropd can also run as a standalone daemon.  This is required for
+incremental propagation.  But this is also useful for debugging
+purposes.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
 variable in \fIkdc.conf(5)\fP.  If incremental propagation is
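Review bot: the rewritten standalone paragraph ("kpropd can also run as a standalone daemon.  This is required for incremental propagation.") no longer tells the reader how standalone mode is selected now that the reference to -S is gone. The only remaining explanation is inside the deprecated -S entry ("or if standard input is not a socket"). Suggest stating here, in the RST source, that kpropd runs standalone whenever it is not handed a socket on standard input, and merging the last two sentences into one ("This is required for incremental propagation, and is also useful for debugging.").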
@@ -84,45 +84,42 @@ enabled, the principal \fBkiprop/slavehostname at REALM\fP (where
 \fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the
 name of the Kerberos realm) must be present in the slave\(aqs keytab
 file.
+.sp
+\fIkproplog(8)\fP can be used to force full replication when iprop is
+enabled.
 .SH OPTIONS
 .INDENT 0.0
 .TP
 .B \fB\-r\fP \fIrealm\fP
-.sp
 Specifies the realm of the master server.
 .TP
 .B \fB\-f\fP \fIfile\fP
-.sp
 Specifies the filename where the dumped principal database file is
 to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP.
 .TP
 .B \fB\-p\fP
-.sp
 Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
 program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP.
 .TP
 .B \fB\-S\fP
-.sp
-Turn on standalone mode.  Normally, kpropd is invoked out of
+[DEPRECATED] Enable standalone mode.  Normally kpropd is invoked by
 inetd(8) so it expects a network connection to be passed to it
-from inetd(8).  If the \fB\-S\fP option is specified, kpropd will put
-itself into the background, and wait for connections on port 754
-(or the port specified with the \fB\-P\fP option if given).
+from inetd(8).  If the \fB\-S\fP option is specified, or if standard
+input is not a socket, kpropd will put itself into the background,
+and wait for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given).
 .TP
 .B \fB\-d\fP
-.sp
 Turn on debug mode.  In this mode, if the \fB\-S\fP option is
 selected, kpropd will not detach itself from the current job and
 run in the background.  Instead, it will run in the foreground and
 print out debugging messages during the database propagation.
 .TP
 .B \fB\-P\fP
-.sp
 Allow for an alternate port number for kpropd to listen on.  This
 is only useful in combination with the \fB\-S\fP option.
 .TP
 .B \fB\-a\fP \fIacl_file\fP
-.sp
 Allows the user to specify the path to the kpropd.acl file; by
 default the path used is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
 .UNINDENT
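Review bot: the -d and -P entries left as context in this hunk still condition on the deprecated flag ("if the -S option is selected", "only useful in combination with the -S option"), while the new -S text says standalone mode is also entered when standard input is not a socket. Suggest rewording both entries in the RST source to refer to standalone mode rather than to -S, so the option list does not steer readers back to a flag marked [DEPRECATED].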
@@ -131,17 +128,14 @@ default the path used is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP.
 kpropd uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH FILES
 .INDENT 0.0
 .TP
 .B kpropd.acl
-.
 Access file for kpropd; the default location is
 \fB/usr/local/var/krb5kdc/kpropd.acl\fP.  Each entry is a line
 containing the principal of a host from which the local machine
@@ -153,6 +147,6 @@ will allow Kerberos database propagation via \fIkprop(8)\fP.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index d5bd21c..974f0bc 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -28,11 +28,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
 \fBkproplog\fP [\fB\-h\fP] [\fB\-e\fP \fInum\fP] [\-v]
+\fBkproplog\fP [\-R]
 .SH DESCRIPTION
 .sp
 The kproplog command displays the contents of the KDC database update
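Review bot: the added synopsis line "\fBkproplog\fP [\-R]" follows the first form with no break request between them, so in filled output the two forms will likely run together on one line; the RST source probably needs a line block or a separate paragraph for the second form. The context line "The kproplog command displays the contents of the KDC database update" also still describes the tool as display-only, which no longer holds once -R can reset the log.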
@@ -56,20 +57,22 @@ last update received and the associated time stamp of the last update.
 .SH OPTIONS
 .INDENT 0.0
 .TP
+.B \fB\-R\fP
+Reset the update log.  This forces full resynchronization.  If used
+on a slave then that slave will request a full resync.  If used on
+the master then all slaves will request full resyncs.
+.TP
 .B \fB\-h\fP
-.sp
 Display a summary of the update log.  This information includes
 the database version number, state of the database, the number of
 updates in the log, the time stamp of the first and last update,
 and the version number of the first and last update entry.
 .TP
 .B \fB\-e\fP \fInum\fP
-.sp
 Display the last \fInum\fP update entries in the log.  This is useful
 when debugging synchronization between KDC servers.
 .TP
 .B \fB\-v\fP
-.sp
 Display individual attributes per update.  An example of the
 output generated for one entry:
 .INDENT 7.0
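Review bot: the new -R entry describes a state-changing operation ("Reset the update log.  This forces full resynchronization.") in the same neutral tone as the display options, and on the master its effect is that "all slaves will request full resyncs". Suggest the RST source say explicitly whether existing log entries are discarded, and add a caution that running it on the master triggers a full propagation to every slave, so an operator does not reach for it as a routine debugging step.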
@@ -101,7 +104,6 @@ Update Entry
 kproplog uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH SEE ALSO
@@ -110,6 +112,6 @@ kproplog uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index cc85bb9..07021eb 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .sp
 The krb5.conf file contains Kerberos configuration information,
@@ -169,13 +169,15 @@ Controls plugin module registration
 T}
 _
 .TE
+.sp
+Additionally, krb5.conf may include any of the relations described in
+\fIkdc.conf(5)\fP, but it is not a recommended practice.
 .SS [libdefaults]
 .sp
 The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
 .B \fBallow_weak_crypto\fP
-.sp
 If this flag is set to false, then weak encryption types will be
 filtered out of the previous three lists (as noted in
 \fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP).  The
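Review bot: the added sentence ends with "but it is not a recommended practice" and gives neither a reason nor a pointer to the preferred layout. Suggest one clause in the RST source saying why KDC relations should stay in kdc.conf, so administrators can judge the consequence of placing them in krb5.conf instead of guessing at it.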
@@ -186,7 +188,6 @@ should set this tag to true until their infrastructure adopts
 stronger ciphers.
 .TP
 .B \fBap_req_checksum_type\fP
-.sp
 An integer which specifies the type of AP\-REQ checksum to use in
 authenticators.  This variable should be unset so the appropriate
 checksum for the encryption key in use will be used.  This can be
@@ -195,14 +196,12 @@ See the \fBkdc_req_checksum_type\fP configuration option for the
 possible values and their meanings.
 .TP
 .B \fBcanonicalize\fP
-.sp
 If this flag is set to true, initial ticket requests to the KDC
 will request canonicalization of the client principal name, and
 answers with different client principals than the requested
 principal will be accepted.  The default value is false.
 .TP
 .B \fBccache_type\fP
-.sp
 This parameter determines the format of credential cache types
 created by \fIkinit(1)\fP or other programs.  The default value
 is 4, which represents the most current format.  Smaller values
@@ -210,45 +209,51 @@ can be used for compatibility with very old implementations of
 Kerberos which interact with credential caches on the same host.
 .TP
 .B \fBclockskew\fP
-.sp
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
 .TP
+.B \fBdefault_ccache_name\fP
+This relation specifies the name of the default credential cache.
+The default is \fB at CCNAME@\fP.  This relation is subject to parameter
+expansion (see below).
+.TP
+.B \fBdefault_client_keytab_name\fP
+This relation specifies the name of the default keytab for
+obtaining client credentials.  The default is \fB at CKTNAME@\fP.  This
+relation is subject to parameter expansion (see below).
+.TP
 .B \fBdefault_keytab_name\fP
-.sp
 This relation specifies the default keytab name to be used by
-application servers such as telnetd and rlogind.  The default is
-\fB/etc/krb5.keytab\fP.
+application servers such as sshd.  The default is \fB at KTNAME@\fP.  This
+relation is subject to parameter expansion (see below).
 .TP
 .B \fBdefault_realm\fP
-.sp
 Identifies the default Kerberos realm for the client.  Set its
 value to your Kerberos realm.  If this value is not set, then a
 realm must be specified with every Kerberos principal when
 invoking programs such as \fIkinit(1)\fP.
 .TP
 .B \fBdefault_tgs_enctypes\fP
-.sp
 Identifies the supported list of session key encryption types that
-should be returned by the KDC.  The list may be delimited with
-commas or whitespace.  See \fIEncryption_and_salt_types\fP in
+should be returned by the KDC, in order of preference from
+highest to lowest.  The list may be delimited with commas or
+whitespace.  See \fIEncryption_and_salt_types\fP in
 \fIkdc.conf(5)\fP for a list of the accepted values for this tag.
 The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types
 will be implicitly removed from this list if the value of
 \fBallow_weak_crypto\fP is false.
 .TP
 .B \fBdefault_tkt_enctypes\fP
-.sp
 Identifies the supported list of session key encryption types that
-should be requested by the client.  The format is the same as for
+should be requested by the client, in order of preference from
+highest to lowest.  The format is the same as for
 default_tgs_enctypes.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
 removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
 .B \fBdns_lookup_kdc\fP
-.sp
 Indicate whether DNS SRV records should be used to locate the KDCs
 and other servers for a realm, if they are not listed in the
 krb5.conf information for the realm.  (Note that the admin_server
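Review bot: "in order of preference from highest to lowest" is added to default_tgs_enctypes and default_tkt_enctypes, but the permitted_enctypes entry later in this file carries the same default list and is left without any statement about ordering. Suggest saying there whether order is significant, since the default list still ends in single-DES types and readers will want to know if position affects selection. Separately, the three "(see below)" references would be easier to follow if they named the PARAMETER EXPANSION section.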
@@ -265,7 +270,6 @@ data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
 .B \fBextra_addresses\fP
-.sp
 This allows a computer to use multiple local addresses, in order
 to allow Kerberos to work in a network that uses NATs while still
 using address\-restricted tickets.  The addresses should be in a
@@ -273,12 +277,10 @@ comma\-separated list.  This option has no effect if
 \fBnoaddresses\fP is true.
 .TP
 .B \fBforwardable\fP
-.sp
 If this flag is true, initial tickets will be forwardable by
 default, if allowed by the KDC.  The default value is false.
 .TP
 .B \fBignore_acceptor_hostname\fP
-.sp
 When accepting GSSAPI or krb5 security contexts for host\-based
 service principals, ignore any hostname passed by the calling
 application, and allow clients to authenticate to any service
@@ -289,7 +291,6 @@ compromise the security of virtual hosting environments.  The
 default value is false.
 .TP
 .B \fBk5login_authoritative\fP
-.sp
 If this flag is true, principals must be listed in a local user\(aqs
 k5login file to be granted login access, if a \fI.k5login(5)\fP
 file exists.  If this flag is false, a principal may still be
@@ -298,7 +299,6 @@ file exists but does not list the principal.  The default value is
 true.
 .TP
 .B \fBk5login_directory\fP
-.sp
 If set, the library will look for a local user\(aqs k5login file
 within the named directory, with a filename corresponding to the
 local username.  If not set, the library will look for k5login
@@ -307,23 +307,20 @@ For security reasons, .k5login files must be owned by
 the local user or by root.
 .TP
 .B \fBkdc_default_options\fP
-.sp
 Default KDC options (Xored for multiple values) when requesting
 initial tickets.  By default it is set to 0x00000010
 (KDC_OPT_RENEWABLE_OK).
 .TP
 .B \fBkdc_timesync\fP
-.sp
-If this flag is true, client machines will compute the difference
-between their time and the time returned by the KDC in the
-timestamps in the tickets and use this value to correct for an
-inaccurate system clock when requesting service tickets or
-authenticating to services.  This corrective factor is only used
-by the Kerberos library; it is not used to change the system
-clock.  The default value is true.
+Accepted values for this relation are 1 or 0.  If it is nonzero,
+client machines will compute the difference between their time and
+the time returned by the KDC in the timestamps in the tickets and
+use this value to correct for an inaccurate system clock when
+requesting service tickets or authenticating to services.  This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock.  The default value is 1.
 .TP
 .B \fBkdc_req_checksum_type\fP
-.sp
 An integer which specifies the type of checksum to use for the KDC
 requests, for compatibility with very old KDC implementations.
 This value is only used for DES keys; other keys use the preferred
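Review bot: kdc_timesync is now described as taking "1 or 0" with "The default value is 1", while the neighbouring relations in this section are documented as true/false flags and the old text described this one the same way. Suggest stating in the RST source whether true and false are still accepted, and what a nonzero value other than 1 does given the wording "If it is nonzero", because existing configurations written against the old description may use the flag spelling.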
@@ -391,13 +388,11 @@ _
 .TE
 .TP
 .B \fBnoaddresses\fP
-.sp
 If this flag is true, requests for initial tickets will not be
 made with address restrictions set, allowing the tickets to be
 used across NATs.  The default value is true.
 .TP
 .B \fBpermitted_enctypes\fP
-.sp
 Identifies all encryption types that are permitted for use in
 session key encryption.  The default value for this tag is
 \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly
@@ -405,47 +400,40 @@ removed from this list if the value of \fBallow_weak_crypto\fP is
 false.
 .TP
 .B \fBplugin_base_dir\fP
-.sp
 If set, determines the base directory where krb5 plugins are
 located.  The default value is the \fBkrb5/plugins\fP subdirectory
 of the krb5 library directory.
 .TP
 .B \fBpreferred_preauth_types\fP
-.sp
 This allows you to set the preferred preauthentication types which
 the client will attempt before others which may be advertised by a
 KDC.  The default value for this setting is "17, 16, 15, 14",
 which forces libkrb5 to attempt to use PKINIT if it is supported.
 .TP
 .B \fBproxiable\fP
-.sp
 If this flag is true, initial tickets will be proxiable by
 default, if allowed by the KDC.  The default value is false.
 .TP
 .B \fBrdns\fP
-.sp
 If this flag is true, reverse name lookup will be used in addition
 to forward name lookup to canonicalizing hostnames for use in
 service principal names.  The default value is true.
 .TP
 .B \fBrealm_try_domains\fP
-.sp
 Indicate whether a host\(aqs domain components should be used to
 determine the Kerberos realm of the host.  The value of this
 variable is an integer: \-1 means not to search, 0 means to try the
 host\(aqs domain itself, 1 means to also try the domain\(aqs immediate
 parent, and so forth.  The library\(aqs usual mechanism for locating
 Kerberos realms is used to determine whether a domain is a valid
-realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is
+realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is
 set.  The default is not to search domain components.
 .TP
 .B \fBrenew_lifetime\fP
-.sp
-Sets the default renewable lifetime for initial ticket requests.
-The default value is 0.
+(\fIduration\fP string.)  Sets the default renewable lifetime
+for initial ticket requests.  The default value is 0.
 .TP
 .B \fBsafe_checksum_type\fP
-.sp
 An integer which specifies the type of checksum to use for the
 KRB\-SAFE requests.  By default it is set to 8 (RSA MD5 DES).  For
 compatibility with applications linked against DCE version 1.1 or
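Review bot: "(\fIduration\fP string.)" in the renew_lifetime entry refers to a format that this hunk neither defines nor cross-references, so a reader of krb5.conf(5) alone cannot tell which spellings are valid. Suggest linking to the place where the duration format is documented; the same wording is introduced for ticket_lifetime further down and needs the same pointer.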
@@ -455,12 +443,10 @@ with the session key type.  See the \fBkdc_req_checksum_type\fP
 configuration option for the possible values and their meanings.
 .TP
 .B \fBticket_lifetime\fP
-.sp
-Sets the default lifetime for initial ticket requests.  The
-default value is 1 day.
+(\fIduration\fP string.)  Sets the default lifetime for initial
+ticket requests.  The default value is 1 day.
 .TP
 .B \fBudp_preference_limit\fP
-.sp
 When sending a message to the KDC, the library will try using TCP
 before UDP if the size of the message is above
 \fBudp_preference_limit\fP.  If the message is smaller than
@@ -469,7 +455,6 @@ Regardless of the size, both protocols will be tried if the first
 attempt fails.
 .TP
 .B \fBverify_ap_req_nofail\fP
-.sp
 If this flag is true, then an attempt to verify initial
 credentials will fail if the client machine does not have a
 keytab.  The default value is false.
@@ -483,14 +468,12 @@ following tags may be specified in the realm\(aqs subsection:
 .INDENT 0.0
 .TP
 .B \fBadmin_server\fP
-.sp
 Identifies the host where the administration server is running.
 Typically, this is the master Kerberos server.  This tag must be
 given a value in order to communicate with the \fIkadmind(8)\fP
 server for the realm.
 .TP
 .B \fBauth_to_local\fP
-.sp
 This tag allows you to set a general rule for mapping principal
 names to local user names.  It will be used if there is not an
 explicit mapping for the principal name that is being
@@ -498,7 +481,6 @@ translated. The possible values are:
 .INDENT 7.0
 .TP
 .B \fBRULE:\fP\fIexp\fP
-.sp
 The local name will be formulated from \fIexp\fP.
 .sp
 The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP.
@@ -506,7 +488,7 @@ The integer \fIn\fP indicates how many components the target
 principal should have.  If this matches, then a string will be
 formed from \fIstring\fP, substituting the realm of the principal
 for \fB$0\fP and the \fIn\fP\(aqth component of the principal for
-\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then
+\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then
 \fB[2:$2$1foo]\fP would result in the string
 \fBadminjohndoefoo\fP).  If this string matches \fIregexp\fP, then
 the \fBs//[g]\fP substitution command will be run over the
@@ -515,7 +497,6 @@ global over the \fIstring\fP, instead of replacing only the first
 match in the \fIstring\fP.
 .TP
 .B \fBDEFAULT\fP
-.sp
 The principal name will be used as the local user name.  If
 the principal has more than one component or is not in the
 default realm, this rule is not applicable and the conversion
@@ -545,20 +526,17 @@ these two rules are any principals \fBjohndoe/*\fP, which will
 always get the local name \fBguest\fP.
 .TP
 .B \fBauth_to_local_names\fP
-.sp
 This subsection allows you to set explicit mappings from principal
 names to local user names.  The tag is the mapping name, and the
 value is the corresponding local user name.
 .TP
 .B \fBdefault_domain\fP
-.sp
 This tag specifies the domain used to expand hostnames when
 translating Kerberos 4 service principals to Kerberos 5 principals
 (for example, when converting \fBrcmd.hostname\fP to
 \fBhost/hostname.domain\fP).
 .TP
 .B \fBkdc\fP
-.sp
 The name or address of a host running a KDC for that realm.  An
 optional port number, separated from the hostname by a colon, may
 be included.  If the name or address contains colons (for example,
@@ -569,13 +547,11 @@ be given a value in each realm subsection in the configuration
 file, or there must be DNS SRV records specifying the KDCs.
 .TP
 .B \fBkpasswd_server\fP
-.sp
 Points to the server where all the password changes are performed.
 If there is no such entry, the port 464 on the \fBadmin_server\fP
 host will be tried.
 .TP
 .B \fBmaster_kdc\fP
-.sp
 Identifies the master KDC(s).  Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an
 invalid password, the client software will attempt to contact the
@@ -584,7 +560,6 @@ the updated database has not been propagated to the slave servers
 yet.
 .TP
 .B \fBv4_instance_convert\fP
-.sp
 This subsection allows the administrator to configure exceptions
 to the \fBdefault_domain\fP mapping rule.  It contains V4 instances
 (the tag name) which should be translated to some specific
@@ -592,7 +567,6 @@ hostname (the tag value) as the second component in a Kerberos V5
 principal name.
 .TP
 .B \fBv4_realm\fP
-.sp
 This relation is used by the krb524 library routines when
 converting a V5 principal name to a V4 principal name.  It is used
 when the V4 realm name and the V5 realm name are not the same, but
@@ -776,13 +750,10 @@ are overridden by those specified in the \fI\%realms\fP section.
 .INDENT 3.5
 .INDENT 0.0
 .IP \(bu 2
-.
 \fI\%pwqual\fP interface
 .IP \(bu 2
-.
 \fI\%kadm5_hook\fP interface
 .IP \(bu 2
-.
 \fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces
 .UNINDENT
 .UNINDENT
@@ -798,19 +769,16 @@ All subsections support the same tags:
 .INDENT 0.0
 .TP
 .B \fBdisable\fP
-.sp
 This tag may have multiple values. If there are values for this
 tag, then the named modules will be disabled for the pluggable
 interface.
 .TP
 .B \fBenable_only\fP
-.sp
 This tag may have multiple values. If there are values for this
 tag, then only the named modules will be enabled for the pluggable
 interface.
 .TP
 .B \fBmodule\fP
-.sp
 This tag may have multiple values.  Each value is a string of the
 form \fBmodulename:pathname\fP, which causes the shared object
 located at \fIpathname\fP to be registered as a dynamic module named
@@ -830,12 +798,10 @@ disabled with the disable tag):
 .INDENT 0.0
 .TP
 .B \fBk5identity\fP
-.sp
 Uses a .k5identity file in the user\(aqs home directory to select a
 client principal
 .TP
 .B \fBrealm\fP
-.sp
 Uses the service realm to guess an appropriate cache from the
 collection
 .UNINDENT
@@ -847,20 +813,16 @@ changed.  The following built\-in modules exist for this interface:
 .INDENT 0.0
 .TP
 .B \fBdict\fP
-.sp
 Checks against the realm dictionary file
 .TP
 .B \fBempty\fP
-.sp
 Rejects empty passwords
 .TP
 .B \fBhesiod\fP
-.sp
 Checks against user information stored in Hesiod (only if Kerberos
 was built with Hesiod support)
 .TP
 .B \fBprinc\fP
-.sp
 Checks against components of the principal name
 .UNINDENT
 .SS kadm5_hook interface
@@ -878,20 +840,16 @@ built\-in modules exist for these interfaces:
 .INDENT 0.0
 .TP
 .B \fBpkinit\fP
-.sp
 This module implements the PKINIT preauthentication mechanism.
 .TP
 .B \fBencrypted_challenge\fP
-.sp
 This module implements the encrypted challenge FAST factor.
 .TP
 .B \fBencrypted_timestamp\fP
-.sp
 This module implements the encrypted timestamp mechanism.
 .UNINDENT
 .SH PKINIT OPTIONS
 .IP Note
-.
 The following are PKINIT\-specific options.  These values may
 be specified in [libdefaults] as global defaults, or within
 a realm\-specific subsection of [libdefaults], or may be
@@ -901,7 +859,6 @@ A realm\-specific value overrides, not adds to, a generic
 .RE
 .INDENT 0.0
 .IP 1. 3
-.
 realm\-specific subsection of [libdefaults]:
 .INDENT 3.0
 .INDENT 3.5
@@ -910,14 +867,13 @@ realm\-specific subsection of [libdefaults]:
 .ft C
 [libdefaults]
     EXAMPLE.COM = {
-        pkinit_anchors = FILE\e:/usr/local/example.com.crt
+        pkinit_anchors = FILE:/usr/local/example.com.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 2. 3
-.
 realm\-specific value in the [realms] section,
 .INDENT 3.0
 .INDENT 3.5
@@ -926,14 +882,13 @@ realm\-specific value in the [realms] section,
 .ft C
 [realms]
     OTHERREALM.ORG = {
-        pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt
+        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
     }
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .IP 3. 3
-.
 generic value in the [libdefaults] section.
 .INDENT 3.0
 .INDENT 3.5
@@ -941,7 +896,7 @@ generic value in the [libdefaults] section.
 .nf
 .ft C
 [libdefaults]
-    pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/
+    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
 .ft P
 .fi
 .UNINDENT
@@ -954,7 +909,6 @@ information for PKINIT is as follows:
 .INDENT 0.0
 .TP
 .B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP]
-.sp
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP
@@ -967,7 +921,6 @@ In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to
 be the name of an OpenSSL\-style ca\-bundle file.
 .TP
 .B \fBDIR:\fP\fIdirname\fP
-.sp
 This option has context\-specific behavior.
 .sp
 In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP
@@ -991,12 +944,10 @@ but all files in the directory will be examined and if they
 contain a revocation list (in PEM format), they will be used.
 .TP
 .B \fBPKCS12:\fP\fIfilename\fP
-.sp
 \fIfilename\fP is the name of a PKCS #12 format file, containing the
 user\(aqs certificate and private key.
 .TP
 .B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP]
-.sp
 All keyword/values are optional.  \fImodname\fP specifies the location
 of a library implementing PKCS #11.  If a value is encountered
 with no keyword, it is assumed to be the \fImodname\fP.  If no
@@ -1009,7 +960,6 @@ See the \fBpkinit_cert_match\fP configuration option for more ways
 to select a particular certificate to use for PKINIT.
 .TP
 .B \fBENV:\fP\fIenvvar\fP
-.sp
 \fIenvvar\fP specifies the name of an environment variable which has
 been set to a value conforming to one of the previous values.  For
 example, \fBENV:X509_PROXY\fP, where environment variable
@@ -1019,14 +969,12 @@ example, \fBENV:X509_PROXY\fP, where environment variable
 .INDENT 0.0
 .TP
 .B \fBpkinit_anchors\fP
-.sp
 Specifies the location of trusted anchor (root) certificates which
 the client trusts to sign KDC certificates.  This option may be
 specified multiple times.  These values from the config file are
 not used if the user specifies X509_anchors on the command line.
 .TP
 .B \fBpkinit_cert_match\fP
-.sp
 Specifies matching rules that the client certificate must match
 before it is used to attempt PKINIT authentication.  If a user has
 multiple certificates available (on a smart card, or via other
@@ -1043,7 +991,6 @@ DN values.
 The syntax of the matching rules is:
 .INDENT 7.0
 .INDENT 3.5
-.sp
 [\fIrelation\-operator\fP]\fIcomponent\-rule\fP ...
 .UNINDENT
 .UNINDENT
@@ -1052,13 +999,11 @@ where:
 .INDENT 7.0
 .TP
 .B \fIrelation\-operator\fP
-.sp
 can be either \fB&&\fP, meaning all component rules must match,
 or \fB||\fP, meaning only one component rule must match.  The
 default is \fB&&\fP.
 .TP
 .B \fIcomponent\-rule\fP
-.sp
 can be one of the following.  Note that there is no
 punctuation or whitespace between component rules.
 .INDENT 7.0
@@ -1080,16 +1025,12 @@ must be present in the certificate.  Extended Key Usage values
 can be:
 .INDENT 7.0
 .IP \(bu 2
-.
 pkinit
 .IP \(bu 2
-.
 msScLogin
 .IP \(bu 2
-.
 clientAuth
 .IP \(bu 2
-.
 emailProtection
 .UNINDENT
 .sp
@@ -1098,10 +1039,8 @@ Usage values.  All values in the list must be present in the
 certificate.  Key Usage values can be:
 .INDENT 7.0
 .IP \(bu 2
-.
 digitalSignature
 .IP \(bu 2
-.
 keyEncipherment
 .UNINDENT
 .UNINDENT
@@ -1121,7 +1060,6 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
 .UNINDENT
 .TP
 .B \fBpkinit_eku_checking\fP
-.sp
 This option specifies what Extended Key Usage value the KDC
 certificate presented to the client must contain.  (Note that if
 the KDC certificate has the pkinit SubjectAlternativeName encoded
@@ -1131,30 +1069,25 @@ recognized in the krb5.conf file are:
 .INDENT 7.0
 .TP
 .B \fBkpKDC\fP
-.sp
 This is the default value and specifies that the KDC must have
 the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP.
 .TP
 .B \fBkpServerAuth\fP
-.sp
 If \fBkpServerAuth\fP is specified, a KDC certificate with the
 id\-kp\-serverAuth EKU as used by Microsoft will be accepted.
 .TP
 .B \fBnone\fP
-.sp
 If \fBnone\fP is specified, then the KDC certificate will not be
 checked to verify it has an acceptable EKU.  The use of this
 option is not recommended.
 .UNINDENT
 .TP
 .B \fBpkinit_dh_min_bits\fP
-.sp
 Specifies the size of the Diffie\-Hellman key the client will
 attempt to use.  The acceptable values are 1024, 2048, and 4096.
 The default is 2048.
 .TP
 .B \fBpkinit_identities\fP
-.sp
 Specifies the location(s) to be used to find the user\(aqs X.509
 identity information.  This option may be specified multiple
 times.  Each value is attempted in order until identity
@@ -1163,7 +1096,6 @@ these values are not used if the user specifies
 \fBX509_user_identity\fP on the command line.
 .TP
 .B \fBpkinit_kdc_hostname\fP
-.sp
 The presense of this option indicates that the client is willing
 to accept a KDC certificate with a dNSName SAN (Subject
 Alternative Name) rather than requiring the id\-pkinit\-san as
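Review bot: the context line "The presense of this option indicates that the client is willing" misspells "presence". Since this file is generated, the fix belongs in the RST source so the next regeneration picks it up.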
@@ -1172,18 +1104,15 @@ times.  Its value should contain the acceptable hostname for the
 KDC (as contained in its certificate).
 .TP
 .B \fBpkinit_longhorn\fP
-.sp
 If this flag is set to true, we are talking to the Longhorn KDC.
 .TP
 .B \fBpkinit_pool\fP
-.sp
 Specifies the location of intermediate certificates which may be
 used by the client to complete the trust chain between a KDC
 certificate and a trusted anchor.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_require_crl_checking\fP
-.sp
 The default certificate verification process will always check the
 available revocation information to see if a certificate has been
 revoked.  If a match is found for the certificate in a CRL,
@@ -1200,24 +1129,130 @@ fails.
 policy is such that up\-to\-date CRLs must be present for every CA.
 .TP
 .B \fBpkinit_revoke\fP
-.sp
 Specifies the location of Certificate Revocation List (CRL)
 information to be used by the client when verifying the validity
 of the KDC certificate presented.  This option may be specified
 multiple times.
 .TP
 .B \fBpkinit_win2k\fP
-.sp
 This flag specifies whether the target realm is assumed to support
 only the old, pre\-RFC version of the protocol.  The default is
 false.
 .TP
 .B \fBpkinit_win2k_require_binding\fP
-.sp
 If this flag is set to true, it expects that the target KDC is
 patched to return a reply with a checksum rather than a nonce.
 The default is false.
 .UNINDENT
+.SH PARAMETER EXPANSION
+.sp
+Several variables, such as \fBdefault_keytab_name\fP, allow parameters
+to be expanded.  Valid parameters are:
+.INDENT 0.0
+.INDENT 3.5
+.TS
+center;
+|l|l|.
+_
+T{
+%{TEMP}
+T}	T{
+Temporary directory
+T}
+_
+T{
+%{uid}
+T}	T{
+Unix real UID or Windows SID
+T}
+_
+T{
+%{euid}
+T}	T{
+Unix effective user ID or Windows SID
+T}
+_
+T{
+%{USERID}
+T}	T{
+Same as %{uid}
+T}
+_
+T{
+%{null}
+T}	T{
+Empty string
+T}
+_
+T{
+%{LIBDIR}
+T}	T{
+Installation library directory
+T}
+_
+T{
+%{BINDIR}
+T}	T{
+Installation binary directory
+T}
+_
+T{
+%{SBINDIR}
+T}	T{
+Installation admin binary directory
+T}
+_
+T{
+%{username}
+T}	T{
+(Unix) Username of effective user ID
+T}
+_
+T{
+%{APPDATA}
+T}	T{
+(Windows) Roaming application data for current user
+T}
+_
+T{
+%{COMMON_APPDATA}
+T}	T{
+(Windows) Application data for all users
+T}
+_
+T{
+%{LOCAL_APPDATA}
+T}	T{
+(Windows) Local application data for current user
+T}
+_
+T{
+%{SYSTEM}
+T}	T{
+(Windows) Windows system folder
+T}
+_
+T{
+%{WINDOWS}
+T}	T{
+(Windows) Windows folder
+T}
+_
+T{
+%{USERCONFIG}
+T}	T{
+(Windows) Per\-user MIT krb5 config file directory
+T}
+_
+T{
+%{COMMONCONFIG}
+T}	T{
+(Windows) Common MIT krb5 config file directory
+T}
+_
+.TE
+.UNINDENT
+.UNINDENT
 .SH SAMPLE KRB5.CONF FILE
 .sp
 Here is an example of a generic krb5.conf file:
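Review bot: the new PARAMETER EXPANSION table mixes real and effective identity without comment: %{uid} and %{USERID} are the real UID, while %{euid} and %{username} ("Username of effective user ID") follow the effective UID. For relations such as default_ccache_name and default_client_keytab_name that difference matters in setuid programs, so suggest a sentence on which parameter to prefer there. The section would also benefit from listing which relations accept expansion instead of "Several variables, such as", and from one example value showing the %{...} syntax inside a relation.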
@@ -1247,11 +1282,6 @@ Here is an example of a generic krb5.conf file:
         kdc = kerberos\-1.example.com
         admin_server = kerberos.example.com
     }
-    OPENLDAP.MIT.EDU = {
-        kdc = kerberos.mit.edu
-        admin_server = kerberos.mit.edu
-        database_module = openldap_ldapconf
-    }
 
 [domain_realm]
     .mit.edu = ATHENA.MIT.EDU
@@ -1264,27 +1294,6 @@ Here is an example of a generic krb5.conf file:
     EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
     }
-
-[logging]
-    kdc = SYSLOG:INFO
-    admin_server = FILE=/var/kadm5.log
-[dbdefaults]
-    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
-[dbmodules]
-    openldap_ldapconf = {
-        db_library = kldap
-        disable_last_success = true
-        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
-        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
-            # this object needs to have read rights on
-            # the realm container and principal subtrees
-        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
-            # this object needs to have read and write rights on
-            # the realm container and principal subtrees
-        ldap_service_password_file = /etc/kerberos/service.keyfile
-        ldap_servers = ldaps://kerberos.mit.edu
-        ldap_conns_per_server = 5
-}
 .ft P
 .fi
 .UNINDENT
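Review bot: The removed lines at the end of the sample take out the whole [logging] section (kdc = SYSLOG:INFO, admin_server = FILE=/var/kadm5.log) along with the LDAP [dbdefaults] and [dbmodules] blocks, and nothing in the hunk points to where those settings are now illustrated. If they now belong in another page's sample, a one-line cross-reference near "Here is an example of a generic krb5.conf file" would keep readers from losing the logging and ldap_service_password_file examples; the commit message only says the pages catch up with the RST content.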
@@ -1298,6 +1307,6 @@ syslog(3)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 97bee96..1dbe739 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -43,6 +43,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-n\fP]
 [\fB\-w\fP \fInumworkers\fP]
 [\fB\-P\fP \fIpid_file\fP]
+[\fB\-T\fP \fItime_offset\fP]
 .SH DESCRIPTION
 .sp
 krb5kdc is the Kerberos version 5 Authentication Service and Key
@@ -91,7 +92,6 @@ will relay SIGHUP signals to the worker subprocesses, and will
 terminate the worker subprocess if the it is itself terminated or if
 any other worker process exits.
 .IP Note
-.
 On operating systems which do not have \fIpktinfo\fP support,
 using worker processes will prevent the KDC from listening
 for UDP packets on network interfaces created after the KDC
@@ -105,23 +105,19 @@ Options supported for the LDAP database module are:
 .INDENT 0.0
 .TP
 .B \fB\-x\fP nconns=<number_of_connections>
-.sp
 Specifies the number of connections to be maintained per
 LDAP server.
 .TP
 .B \fB\-x\fP host=<ldapuri>
-.sp
 Specifies the LDAP server to connect to by URI.
 .TP
 .B \fB\-x\fP binddn=<binddn>
-.sp
 Specifies the DN of the object used by the KDC server to bind
 to the LDAP server.  This object should have read and write
 privileges to the realm container, the principal container,
 and the subtree that is referenced by the realm.
 .TP
 .B \fB\-x\fP bindpwd=<bind_password>
-.sp
 Specifies the password for the above mentioned binddn.  Using
 this option may expose the password to other users on the
 system via the process list; to avoid this, instead stash the
@@ -130,6 +126,9 @@ password using the \fBstashsrvpw\fP command of
 .UNINDENT
 .UNINDENT
 .UNINDENT
+.sp
+The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which
+the KDC will operate under.  It is intended only for testing purposes.
 .SH EXAMPLE
 .sp
 The KDC may service requests for multiple realms (maximum 32 realms).
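Review bot: The new option's argument is named inconsistently: the SYNOPSIS hunk adds [-T time_offset] while this paragraph documents "-T offset". Use one argument name in both places. The paragraph also sits after the LDAP -x option list rather than with the other option descriptions, and it does not say in which direction a positive value shifts the time the KDC operates under. Since the option is "intended only for testing purposes", placing that statement in a regular option entry would make it harder to overlook.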
@@ -161,10 +160,8 @@ description for further details.
 krb5kdc uses the following environment variables:
 .INDENT 0.0
 .IP \(bu 2
-.
 \fBKRB5_CONFIG\fP
 .IP \(bu 2
-.
 \fBKRB5_KDC_PROFILE\fP
 .UNINDENT
 .SH SEE ALSO
@@ -174,6 +171,6 @@ krb5kdc uses the following environment variables:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index d45a5f5..7830a7e 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -54,10 +54,9 @@ ksu is a Kerberized version of the su program that has two missions:
 one is to securely change the real and effective user ID to that of
 the target user, and the other is to create a new security context.
 .IP Note
-.
 For the sake of clarity, all references to and attributes of
 the user invoking the program will start with "source"
-(e.g. "source user", "source cache", etc.).
+(e.g., "source user", "source cache", etc.).
 .sp
 Likewise, all references to and attributes of the target
 account will start with "target".
@@ -67,12 +66,12 @@ account will start with "target".
 To fulfill the first mission, ksu operates in two phases:
 authentication and authorization.  Resolving the target principal name
 is the first step in authentication.  The user can either specify his
-principal name with the \fB\-n\fP option (e.g. \fB\-n jqpublic at USC.EDU\fP)
+principal name with the \fB\-n\fP option (e.g., \fB\-n jqpublic at USC.EDU\fP)
 or a default principal name will be assigned using a heuristic
 described in the OPTIONS section (see \fB\-n\fP option).  The target user
 name must be the first argument to ksu; if not specified root is the
 default.  If \fB.\fP is specified then the target user will be the
-source user (e.g. \fBksu .\fP).  If the source user is root or the
+source user (e.g., \fBksu .\fP).  If the source user is root or the
 target user is the source user, no authentication or authorization
 takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
 in the source cache.
@@ -167,7 +166,6 @@ not provided (user hit return) ksu continues in a normal mode of
 operation (the target cache will not contain the desired TGT).  If the
 wrong password is typed in, ksu fails.
 .IP Note
-.
 During authentication, only the tickets that could be
 obtained without providing a password are cached in in the
 source cache.
@@ -176,7 +174,6 @@ source cache.
 .INDENT 0.0
 .TP
 .B \fB\-n\fP \fItarget_principal_name\fP
-.sp
 Specify a Kerberos target principal name.  Used in authentication
 and authorization phases of ksu.
 .sp
@@ -184,7 +181,6 @@ If ksu is invoked without \fB\-n\fP, a default principal name is
 assigned via the following heuristic:
 .INDENT 7.0
 .IP \(bu 2
-.
 Case 1: source user is non\-root.
 .sp
 If the target user is the source user the default principal name
@@ -201,13 +197,10 @@ cache.  If both conditions are met that principal becomes the
 default target principal, otherwise go to the next principal.
 .INDENT 2.0
 .IP a. 3
-.
 default principal of the source cache
 .IP b. 3
-.
 target_user at local_realm
 .IP c. 3
-.
 source_user at local_realm
 .UNINDENT
 .sp
@@ -227,7 +220,6 @@ example if candidate a) is \fBjqpublic at ISI.EDU\fP and
 account then the default principal is set to
 \fBjqpublic/secure at ISI.EDU\fP.
 .IP \(bu 2
-.
 Case 2: source user is root.
 .sp
 If the target user is non\-root then the default principal name
@@ -241,8 +233,7 @@ exist, default principal name is set to \fBroot\e at local_realm\fP.
 \fB\-c\fP \fIsource_cache_name\fP
 .INDENT 0.0
 .INDENT 3.5
-.sp
-Specify source cache name (e.g. \fB\-c FILE:/tmp/my_cache\fP).  If
+Specify source cache name (e.g., \fB\-c FILE:/tmp/my_cache\fP).  If
 \fB\-c\fP option is not used then the name is obtained from
 \fBKRB5CCNAME\fP environment variable.  If \fBKRB5CCNAME\fP is not
 defined the source cache name is set to \fBkrb5cc_<source uid>\fP.
@@ -264,17 +255,14 @@ krb5cc_1984.2
 .INDENT 0.0
 .TP
 .B \fB\-k\fP
-.sp
 Do not delete the target cache upon termination of the target
 shell or a command (\fB\-e\fP command).  Without \fB\-k\fP, ksu deletes
 the target cache.
 .TP
 .B \fB\-D\fP
-.sp
 Turn on debug mode.
 .TP
 .B \fB\-z\fP
-.sp
 Restrict the copy of tickets from the source cache to the target
 cache to only the tickets where client == the target principal
 name.  Use the \fB\-n\fP option if you want the tickets for other then
@@ -282,7 +270,6 @@ the default principal.  Note that the \fB\-z\fP option is mutually
 exclusive with the \fB\-Z\fP option.
 .TP
 .B \fB\-Z\fP
-.sp
 Don\(aqt copy any tickets from the source cache to the target cache.
 Just create a fresh target cache, where the default principal name
 of the cache is initialized to the target principal name.  Note
@@ -290,7 +277,6 @@ that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP
 option.
 .TP
 .B \fB\-q\fP
-.sp
 Suppress the printing of status messages.
 .UNINDENT
 .sp
@@ -298,7 +284,6 @@ Ticket granting ticket options:
 .INDENT 0.0
 .TP
 .B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP
-.sp
 The ticket granting ticket options only apply to the case where
 there are no appropriate tickets in the cache to authenticate the
 source user.  In this case if ksu is configured to prompt users
@@ -307,29 +292,24 @@ ticket granting ticket options that are specified will be used
 when getting a ticket granting ticket from the Kerberos server.
 .TP
 .B \fB\-l\fP \fIlifetime\fP
-.sp
-specifies the lifetime to be requested for the ticket; if this
-option is not specified, the default ticket lifetime (configured
-by each site) is used instead.
+(\fIduration\fP string.)  Specifies the lifetime to be requested
+for the ticket; if this option is not specified, the default ticket
+lifetime (12 hours) is used instead.
 .TP
 .B \fB\-r\fP \fItime\fP
-.sp
-specifies that the \fBrenewable\fP option should be requested for
-the ticket, and specifies the desired total lifetime of the
-ticket.
+(\fIduration\fP string.)  Specifies that the \fBrenewable\fP option
+should be requested for the ticket, and specifies the desired
+total lifetime of the ticket.
 .TP
 .B \fB\-p\fP
-.sp
 specifies that the \fBproxiable\fP option should be requested for
 the ticket.
 .TP
 .B \fB\-f\fP
-.sp
 option specifies that the \fBforwardable\fP option should be
 requested for the ticket.
 .TP
 .B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...]
-.sp
 ksu proceeds exactly the same as if it was invoked without the
 \fB\-e\fP option, except instead of executing the target shell, ksu
 executes the specified command. Example of usage:
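Review bot: The -l entry now states a fixed default, "lifetime (12 hours)", where the removed text said the default was "configured by each site"; if the default can still be changed by site configuration, the new wording is misleading and should say so. The "(duration string.)" prefix on -l and -r is not tied to any definition of the duration format in this hunk, and the two rewritten entries now start with a capitalised "Specifies" while -p and -f keep "specifies" and "option specifies".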
@@ -394,7 +374,6 @@ the target program.  Otherwise, the user must specify either a
 full path or just the program name.
 .TP
 .B \fB\-a\fP \fIargs\fP
-.sp
 Specify arguments to be passed to the target shell.  Note that all
 flags and parameters following \-a will be passed to the shell,
 thus all options intended for ksu must precede \fB\-a\fP.
@@ -420,7 +399,6 @@ ksu can be compiled with the following four flags:
 .INDENT 0.0
 .TP
 .B \fBGET_TGT_VIA_PASSWD\fP
-.sp
 In case no appropriate tickets are found in the source cache, the
 user will be prompted for a Kerberos password.  The password is
 then used to get a ticket granting ticket from the Kerberos
@@ -429,19 +407,16 @@ source user is logged in remotely and does not have a secure
 channel, the password may get exposed.
 .TP
 .B \fBPRINC_LOOK_AHEAD\fP
-.sp
 During the resolution of the default principal name,
 \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in
 the .k5users file as described in the OPTIONS section
 (see \fB\-n\fP option).
 .TP
 .B \fBCMD_PATH\fP
-.sp
 Specifies a list of directories containing programs that users are
 authorized to execute (via .k5users file).
 .TP
 .B \fBHAVE_GETUSERSHELL\fP
-.sp
 If the source user is non\-root, ksu insists that the target user\(aqs
 shell to be invoked is a "legal shell".  \fIgetusershell(3)\fP is
 called to obtain the names of "legal shells".  Note that the
@@ -460,7 +435,7 @@ ksu should be owned by root and have the set user id bit turned on.
 .sp
 ksu attempts to get a ticket for the end server just as Kerberized
 telnet and rlogin.  Thus, there must be an entry for the server in the
-Kerberos database (e.g. \fBhost/nii.isi.edu at ISI.EDU\fP).  The keytab
+Kerberos database (e.g., \fBhost/nii.isi.edu at ISI.EDU\fP).  The keytab
 file must be in an appropriate location.
 .SH SIDE EFFECTS
 .sp
@@ -471,6 +446,6 @@ GENNADY (ARI) MEDVINSKY
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index b265b78..753f008 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -42,11 +42,9 @@ collection, if a cache collection is available.
 .INDENT 0.0
 .TP
 .B \fB\-c\fP \fIcachename\fP
-.sp
 Directly specifies the credential cache to be made primary.
 .TP
 .B \fB\-p\fP \fIprincipal\fP
-.sp
 Causes the cache collection to be searched for a cache containing
 credentials for \fIprincipal\fP.  If one is found, that collection is
 made primary.
@@ -57,7 +55,6 @@ kswitch uses the following environment variables:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the default Kerberos 5 credentials (ticket) cache, in
 the form \fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the
 \fBFILE\fP type is assumed.  The type of the default cache may
@@ -68,10 +65,8 @@ to be present in the collection.
 .SS FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
-decimal UID of the user).
+.B \fB at CCNAME@\fP
+Default location of Kerberos 5 credentials cache
 .UNINDENT
 .SS SEE ALSO
 .sp
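Review bot: The FILES entry now carries the token rendered here as " at CCNAME@" in place of /tmp/krb5cc_[uid], so the committed page holds a placeholder rather than a path. Worth confirming that it is substituted before the page is installed, otherwise readers see the raw token. The replacement description also drops the explanation of the path form ("[uid] is the decimal UID of the user") and the closing period.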
@@ -79,6 +74,6 @@ decimal UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index be2cc7d..31b0d51 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -42,7 +42,6 @@ V4 srvtab file.
 .SS list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist\fP
 .UNINDENT
 .UNINDENT
@@ -53,7 +52,6 @@ Alias: \fBl\fP
 .SS read_kt
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBread_kt\fP \fIkeytab\fP
 .UNINDENT
 .UNINDENT
@@ -64,7 +62,6 @@ Alias: \fBrkt\fP
 .SS read_st
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBread_st\fP \fIsrvtab\fP
 .UNINDENT
 .UNINDENT
@@ -75,7 +72,6 @@ Alias: \fBrst\fP
 .SS write_kt
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBwrite_kt\fP \fIkeytab\fP
 .UNINDENT
 .UNINDENT
@@ -86,7 +82,6 @@ Alias: \fBwkt\fP
 .SS write_st
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBwrite_st\fP \fIsrvtab\fP
 .UNINDENT
 .UNINDENT
@@ -97,7 +92,6 @@ Alias: \fBwst\fP
 .SS clear_list
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBclear_list\fP
 .UNINDENT
 .UNINDENT
@@ -108,7 +102,6 @@ Alias: \fBclear\fP
 .SS delete_entry
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBdelete_entry\fP \fIslot\fP
 .UNINDENT
 .UNINDENT
@@ -119,7 +112,6 @@ Alias: \fBdelent\fP
 .SS add_entry
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP
 \fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP
 .UNINDENT
@@ -131,7 +123,6 @@ Alias: \fBaddent\fP
 .SS list_requests
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBlist_requests\fP
 .UNINDENT
 .UNINDENT
@@ -142,7 +133,6 @@ Aliases: \fBlr\fP, \fB?\fP
 .SS quit
 .INDENT 0.0
 .INDENT 3.5
-.sp
 \fBquit\fP
 .UNINDENT
 .UNINDENT
@@ -174,6 +164,6 @@ ktutil:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 38ef7af..e66b911 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -49,35 +49,29 @@ and prints out the key version numbers of each.
 .INDENT 0.0
 .TP
 .B \fB\-c\fP \fIccache\fP
-.sp
 Specifies the name of a credentials cache to use (if not the
 default)
 .TP
 .B \fB\-e\fP \fIetype\fP
-.sp
 Specifies the enctype which will be requested for the session key
 of all the services named on the command line.  This is useful in
 certain backward compatibility situations.
 .TP
 .B \fB\-q\fP
-.sp
 Suppress printing output when successful.  If a service ticket
 cannot be obtained, an error message will still be printed and
 kvno will exit with nonzero status.
 .TP
 .B \fB\-h\fP
-.sp
 Prints a usage statement and exits.
 .TP
 .B \fB\-P\fP
-.sp
 Specifies that the \fIservice1 service2\fP ...  arguments are to be
 treated as services for which credentials should be acquired using
 constrained delegation.  This option is only valid when used in
 conjunction with protocol transition.
 .TP
 .B \fB\-S\fP \fIsname\fP
-.sp
 Specifies that the \fIservice1 service2\fP ... arguments are
 interpreted as hostnames, and the service principals are to be
 constructed from those hostnames and the service name \fIsname\fP.
@@ -85,7 +79,6 @@ The service hostnames will be canonicalized according to the usual
 rules for constructing service principals.
 .TP
 .B \fB\-U\fP \fIfor_user\fP
-.sp
 Specifies that protocol transition (S4U2Self) is to be used to
 acquire a ticket on behalf of \fIfor_user\fP.  If constrained
 delegation is not requested, the service name must match the
@@ -97,16 +90,13 @@ kvno uses the following environment variable:
 .INDENT 0.0
 .TP
 .B \fBKRB5CCNAME\fP
-.sp
 Location of the credentials (ticket) cache.
 .UNINDENT
 .SH FILES
 .INDENT 0.0
 .TP
-.B \fB/tmp/krb5cc_[uid]\fP
-.sp
-Default location of the credentials cache ([\fIuid\fP] is the decimal
-UID of the user).
+.B \fB at CCNAME@\fP
+Default location of the credentials cache
 .UNINDENT
 .SH SEE ALSO
 .sp
@@ -114,6 +104,6 @@ UID of the user).
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 0d0c951..2473e9a 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -45,6 +45,6 @@ the server\(aqs response.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index aa07d4f..1c48cc3 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.\" Man page generated from reStructeredText.
+.\" Man page generated from reStructuredText.
 .
 .SH SYNOPSIS
 .sp
@@ -48,7 +48,7 @@ The service name used by sserver and sclient is sample.  Hence,
 sserver will require that there be a keytab entry for the service
 \fBsample/hostname.domain.name at REALM.NAME\fP.  This keytab is generated
 using the \fIkadmin(1)\fP program.  The keytab file is usually
-installed as \fB/etc/krb5.keytab\fP.
+installed as \fB at KTNAME@\fP.
 .sp
 The \fB\-S\fP option allows for a different keytab than the default.
 .sp
@@ -103,7 +103,6 @@ You are nlgilman at JIMI.MIT.EDU
 .SH COMMON ERROR MESSAGES
 .INDENT 0.0
 .IP 1. 3
-.
 kinit returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -120,7 +119,6 @@ kinit: Client not found in Kerberos database while getting
 This means that you didn\(aqt create an entry for your username in the
 Kerberos database.
 .IP 2. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -136,7 +134,6 @@ unknown service sample/tcp; check /etc/services
 This means that you don\(aqt have an entry in /etc/services for the
 sample tcp port.
 .IP 3. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -152,7 +149,6 @@ connect: Connection refused
 This probably means you didn\(aqt edit /etc/inetd.conf correctly, or
 you didn\(aqt restart inetd after editing inetd.conf.
 .IP 4. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -171,7 +167,6 @@ defined in the Kerberos database; it should be created using
 \fIkadmin(1)\fP, and a keytab file needs to be generated to make
 the key for that service principal available for sclient.
 .IP 5. 3
-.
 sclient returns the error:
 .INDENT 3.0
 .INDENT 3.5
@@ -194,6 +189,6 @@ probably not installed in the proper directory.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-2011, MIT
+2012, MIT
 .\" Generated by docutils manpage writer.
 .

