Merge remote-tracking branch 'upstream/master' into krbldap

commit 63b25f1abe34c40fd900d8fc80b184dcaa170671 2 parents 17ef3a9 + 3064892
@aadamowski authored
Showing with 11,995 additions and 6,671 deletions.
  1. +14 −10 NOTICE
  2. +15 −0 doc/Makefile
  3. +17 −36 doc/copyright.texinfo
  4. +0 −1  doc/notice.texinfo
  5. +0 −1,138 doc/rst_source/NOTICE
  6. +5 −2 doc/rst_source/conf.py
  7. +1 −0  doc/rst_source/krb_admins/admin_commands/index.rst
  8. +94 −0 doc/rst_source/krb_admins/admin_commands/sserver.rst
  9. +200 −74 doc/rst_source/krb_admins/conf_files/kdc_conf.rst
  10. +547 −164 doc/rst_source/krb_admins/conf_files/krb5_conf.rst
  11. +44 −39 doc/rst_source/krb_admins/install_kdc/slave_install.rst
  12. +3 −0  doc/rst_source/krb_users/user_commands/index.rst
  13. +63 −0 doc/rst_source/krb_users/user_commands/k5identity.rst
  14. +28 −17 doc/rst_source/krb_users/user_commands/k5login.rst
  15. +22 −0 doc/rst_source/krb_users/user_commands/sclient.rst
  16. +189 −0 doc/rst_source/krb_users/user_commands/send-pr.rst
  17. +1 −3 doc/rst_source/mitK5license.rst
  18. +5 −2 src/Makefile.in
  19. +4 −0 src/clients/kdestroy/Makefile.in
  20. +4 −0 src/clients/kinit/Makefile.in
  21. +4 −1 src/clients/klist/Makefile.in
  22. +2 −1  src/clients/kpasswd/Makefile.in
  23. +4 −0 src/clients/ksu/Makefile.in
  24. +1 −0  src/clients/ksu/setenv.c
  25. +4 −0 src/clients/kvno/Makefile.in
  26. +4 −2 src/config-files/Makefile.in
  27. +4 −0 src/config/pre.in
  28. +6 −1 src/configure.in
  29. +5 −3 src/gen-manpages/Makefile.in
  30. +8 −9 src/include/k5-int-pkinit.h
  31. +2 −238 src/include/k5-int.h
  32. +4 −13 src/include/krb5/krb5.hin
  33. +2 −0  src/kadmin/cli/Makefile.in
  34. +2 −0  src/kadmin/dbutil/Makefile.in
  35. +2 −0  src/kadmin/ktutil/Makefile.in
  36. +2 −0  src/kadmin/server/Makefile.in
  37. +2 −0  src/kdc/Makefile.in
  38. +1 −1  src/lib/gssapi/spnego/spnego_mech.c
  39. +0 −3  src/lib/krb5/asn.1/Makefile.in
  40. +26 −0 src/lib/krb5/asn.1/asn1_decode.c
  41. +3 −0  src/lib/krb5/asn.1/asn1_decode.h
  42. +336 −361 src/lib/krb5/asn.1/asn1_encode.c
  43. +233 −224 src/lib/krb5/asn.1/asn1_encode.h
  44. +2 −46 src/lib/krb5/asn.1/asn1_k_decode.c
  45. +0 −17 src/lib/krb5/asn.1/asn1_k_decode.h
  46. +0 −114 src/lib/krb5/asn.1/asn1_k_decode_sam.c
  47. +612 −1,071 src/lib/krb5/asn.1/asn1_k_encode.c
  48. +0 −159 src/lib/krb5/asn.1/asn1_k_encode.h
  49. +3 −17 src/lib/krb5/asn.1/deps
  50. +0 −113 src/lib/krb5/asn.1/krb5_decode.c
  51. +0 −178 src/lib/krb5/asn.1/krb5_encode.c
  52. +12 −13 src/lib/krb5/asn.1/ldap_key_seq.c
  53. +4 −5 src/lib/krb5/krb/get_in_tkt.c
  54. +0 −170 src/lib/krb5/krb/kfree.c
  55. +5 −35 src/lib/krb5/libkrb5.exports
  56. +1 −9 src/lib/krb5/os/Makefile.in
  57. +0 −7 src/lib/krb5/os/accessor.c
  58. +0 −14 src/lib/krb5/os/deps
  59. +0 −58 src/lib/krb5/os/realm_iter.c
  60. +0 −47 src/lib/krb5/os/t_realm_iter.c
  61. +73 −0 src/man/Makefile.in
  62. +4 −0 src/man/README
  63. +1 −0  src/man/deps
  64. +1 −0  src/man/dot.k5identity.5
  65. +1 −0  src/man/dot.k5login.5
  66. +103 −0 src/man/k5identity.5
  67. +84 −0 src/man/k5login.5
  68. +84 −0 src/man/k5srvutil.1
  69. +1,278 −0 src/man/kadmin.1
  70. +1 −0  src/man/kadmin.local.8
  71. +287 −0 src/man/kadmind.8
  72. +1,108 −0 src/man/kdb5_ldap_util.8
  73. +308 −0 src/man/kdb5_util.8
  74. +412 −0 src/man/kdc.conf.5
  75. +113 −0 src/man/kdestroy.1
  76. +258 −0 src/man/kinit.1
  77. +161 −0 src/man/klist.1
  78. +79 −0 src/man/kpasswd.1
  79. +101 −0 src/man/kprop.8
  80. +161 −0 src/man/kpropd.8
  81. +120 −0 src/man/kproplog.8
  82. +1,159 −0 src/man/krb5.conf.5
  83. +168 −0 src/man/krb5kdc.8
  84. +397 −0 src/man/ksu.1
  85. +87 −0 src/man/kswitch.1
  86. +131 −0 src/man/ktutil.1
  87. +116 −0 src/man/kvno.1
  88. +2 −0  src/plugins/kdb/ldap/ldap_util/Makefile.in
  89. +0 −9 src/plugins/preauth/pkinit/pkinit_accessor.c
  90. +0 −4 src/plugins/preauth/pkinit/pkinit_accessor.h
  91. +0 −3  src/plugins/preauth/pkinit/pkinit_clnt.c
  92. +4 −9 src/plugins/preauth/pkinit/pkinit_crypto_nss.c
  93. +3 −47 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
  94. +9 −4 src/plugins/preauth/securid_sam2/securid_sam2_main.c
  95. +4 −1 src/slave/Makefile.in
  96. +19 −13 src/tests/asn.1/Makefile.in
  97. +79 −133 src/tests/asn.1/krb5_decode_leak.c
  98. +284 −114 src/tests/asn.1/krb5_decode_test.c
  99. +197 −151 src/tests/asn.1/krb5_encode_test.c
  100. +936 −912 src/tests/asn.1/ktest.c
  101. +131 −197 src/tests/asn.1/ktest.h
  102. +625 −428 src/tests/asn.1/ktest_equal.c
  103. +52 −56 src/tests/asn.1/ktest_equal.h
  104. +13 −0 src/tests/asn.1/pkinit_encode.out
  105. +159 −0 src/tests/asn.1/pkinit_trval.out
  106. +6 −9 src/tests/asn.1/reference_encode.out
  107. +2 −2 src/tests/asn.1/trval.c
  108. +68 −78 src/tests/asn.1/trval_reference.out
  109. +38 −30 src/tests/asn.1/utility.c
  110. +16 −15 src/tests/asn.1/utility.h
  111. +0 −40 src/windows/include/loadfuncs-krb5.h
24 NOTICE
@@ -1,4 +1,4 @@
-Copyright (C) 1985-2011 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2012 by the Massachusetts Institute of Technology.
All rights reserved.
@@ -8,18 +8,22 @@ All rights reserved.
contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
-this software and its documentation for any purpose and without fee is
-hereby granted, provided that the above copyright notice appear in all
-copies and that both that copyright notice and this permission notice
-appear in supporting documentation, and that the name of M.I.T. not be
-used in advertising or publicity pertaining to distribution of the
-software without specific, written prior permission. Furthermore if you
-modify this software you must label your software as modified software
-and not distribute it in such a fashion that it might be confused with
-the original MIT software. M.I.T. makes no representations about the
+this software for any purpose and without fee is hereby granted,
+provided that the above copyright notice appear in all copies and that
+both that copyright notice and this permission notice appear in
+supporting documentation, and that the name of M.I.T. not be used in
+advertising or publicity pertaining to distribution of the software
+without specific, written prior permission. Furthermore if you modify
+this software you must label your software as modified software and not
+distribute it in such a fashion that it might be confused with the
+original MIT software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided "as is"
without express or implied warranty.
+Documentation components of this software distribution are licensed
+under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
+(`http://creativecommons.org/licenses/by-sa/3.0/')
+
Individual source code files are copyright MIT, Cygnus Support, Novell,
OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.
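Review bot: dropping "and its documentation" from the permission grant narrows the MIT terms to the software alone, so the only license covering documentation is now the CC BY-SA 3.0 sentence added right after it. Because this same commit starts generating src/man/*.1 and *.8 from doc/rst_source (see the RSTMAN rule in doc/Makefile and the src/man entries in the file list), those installed man pages would fall under CC BY-SA while shipping inside the source tree; confirm that is intended and that the generated pages themselves carry the CC BY-SA notice, not only this NOTICE file. Also, NOTICE is built from the texinfo sources (the `../NOTICE: notice.texinfo definitions.texinfo copyright.texinfo` rule in doc/Makefile), so regenerate it from the copyright.texinfo change rather than hand-editing, or the next rebuild will produce a spurious diff if the wording or wrapping differs.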
15 doc/Makefile
@@ -27,6 +27,8 @@ MANPAGES=$(SRCDIR)/clients/kdestroy/kdestroy.M $(SRCDIR)/clients/kinit/kinit.M $
USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo
USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES)
+SPHINX_BUILD=sphinx-build
+
.PHONY: all
all:: admin-guide-full install-guide-full user-guide-full clean-temp-ps clean-tex
@@ -155,3 +157,16 @@ tgz::
../NOTICE: notice.texinfo definitions.texinfo copyright.texinfo
makeinfo --plaintext -o $@ notice.texinfo
+
+RSTMAN=k5identity.5 k5login.5 k5srvutil.1 kadmin.1 kadmind.8 kdb5_ldap_util.8 \
+ kdb5_util.8 kdc.conf.5 kdestroy.1 kinit.1 klist.1 kpasswd.1 kprop.8 \
+ kpropd.8 kproplog.8 krb5.conf.5 krb5kdc.8 ksu.1 kswitch.1 ktutil.1 \
+ kvno.1
+
+# The file editing loop deletes some trailing whitespace that the
+# docutils manpage writer outputs near the end of its output files.
+rstman::
+ $(SPHINX_BUILD) -q -b man rst_source ../src/man
+ (cd ../src/man && for f in $(RSTMAN); do \
+ (echo '$$'; echo '?^.." $$?d'; echo 'w'; echo 'q' ) | ed $$f; \
+ done)
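Review bot: the `for` loop in the `rstman` rule swallows `ed` failures. If the `?^.." $?` search does not match in one of the files, `ed` prints `?` and exits non-zero, but the loop moves on and make only sees the status of the last iteration; append `|| exit 1` after `ed $$f` so a file the docutils writer formatted differently stops the build instead of silently shipping an unedited man page. Two smaller points: `rstman` is a phony target but only `all` is listed in `.PHONY` (first hunk above), so a stray file named `rstman` would make the rule a no-op; and the backward search deletes only the first matching line from the end, so if the writer emits more than one trailing `.\" ` line only one is removed, which is worth stating in the comment.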
53 doc/copyright.texinfo
@@ -2,7 +2,7 @@
@begingroup
@smallfonts @rm
@end iftex
-Copyright @copyright{} 1985-2010 by the Massachusetts Institute of Technology.
+Copyright @copyright{} 1985-2012 by the Massachusetts Institute of Technology.
All rights reserved.
@@ -13,18 +13,22 @@ Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
@end quotation
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
-this software and its documentation for any purpose and without fee is
-hereby granted, provided that the above copyright notice appear in all
-copies and that both that copyright notice and this permission notice
-appear in supporting documentation, and that the name of M.I.T. not be
-used in advertising or publicity pertaining to distribution of the
-software without specific, written prior permission. Furthermore if you
-modify this software you must label your software as modified software
-and not distribute it in such a fashion that it might be confused with
-the original MIT software. M.I.T. makes no representations about the
-suitability of this software for any purpose. It is provided ``as is''
-without express or implied warranty.
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software for any purpose and without fee is hereby
+granted, provided that the above copyright notice appear in all copies
+and that both that copyright notice and this permission notice appear
+in supporting documentation, and that the name of M.I.T. not be used
+in advertising or publicity pertaining to distribution of the software
+without specific, written prior permission. Furthermore if you modify
+this software you must label your software as modified software and
+not distribute it in such a fashion that it might be confused with the
+original MIT software. M.I.T. makes no representations about the
+suitability of this software for any purpose. It is provided ``as
+is'' without express or implied warranty.
+
+Documentation components of this software distribution are licensed
+under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
+(@uref{http://creativecommons.org/licenses/by-sa/3.0/})
Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
@@ -1252,29 +1256,6 @@ required by the GPL in this and the other files of this package. If you do
not delete the provisions above, a recipient may use your version of this
file under either the BSD or the GPL.
@end quotation
-@ifclear noticefile
-
-@cdivider
-
-Permission is granted to make and distribute verbatim copies of this
-manual provided the copyright notices and this permission notice are
-preserved on all copies.
-
-@ignore
-Permission is granted to process this file through TeX and print the
-results, provided the printed document carries a copying permission
-notice identical to this one except for the removal of this paragraph
-(this paragraph not being relevant to the printed manual).
-@end ignore
-
-Permission is granted to copy and distribute modified versions of this
-manual under the conditions for verbatim copying, provided also that the
-entire resulting derived work is distributed under the terms of a
-permission notice identical to this one.
-
-Permission is granted to copy and distribute translations of this manual
-into another language, under the above conditions for modified versions.
-@end ifclear
@iftex
@pagealignmacro
@endgroup
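Review bot: removing the `@ifclear noticefile` block drops the verbatim-copying and modified-version permission for the manual, leaving the CC BY-SA 3.0 sentence added earlier in this file as the sole documentation license; that is consistent with the NOTICE change, but it also leaves the `noticefile` flag unused here, which is why `@set noticefile` goes away in the doc/notice.texinfo hunk below. Check that no other texinfo source built from this directory (the admin, install and user guides that include copyright.texinfo) still tests `@ifset noticefile` or `@ifclear noticefile`, since a leftover test would silently include or drop text after this change.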
1  doc/notice.texinfo
@@ -3,7 +3,6 @@
@paragraphindent 0
@exampleindent 2
@documentencoding UTF-8
-@set noticefile
@node Top, , (dir), (dir)
@comment node-name, next, previous, up
@include definitions.texinfo
1,138 doc/rst_source/NOTICE
@@ -1,1138 +0,0 @@
-Copyright (C) 1985-2011 by the Massachusetts Institute of Technology.
-
-All rights reserved.
-
- Export of software employing encryption from the United States of
- America may require a specific license from the United States
- Government. It is the responsibility of any person or organization
- contemplating export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
-this software and its documentation for any purpose and without fee is
-hereby granted, provided that the above copyright notice appear in all
-copies and that both that copyright notice and this permission notice
-appear in supporting documentation, and that the name of M.I.T. not be
-used in advertising or publicity pertaining to distribution of the
-software without specific, written prior permission. Furthermore if you
-modify this software you must label your software as modified software
-and not distribute it in such a fashion that it might be confused with
-the original MIT software. M.I.T. makes no representations about the
-suitability of this software for any purpose. It is provided "as is"
-without express or implied warranty.
-
-Individual source code files are copyright MIT, Cygnus Support, Novell,
-OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
-FundsXpress, and others.
-
-Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
-and Zephyr are trademarks of the Massachusetts Institute of Technology
-(MIT). No commercial use of these trademarks may be made without prior
-written permission of MIT.
-
-"Commercial use" means use of a name in a product or other for-profit
-manner. It does NOT prevent a commercial firm from referring to the
-MIT trademarks in order to convey information (although in doing so,
-recognition of their trademark status should be given).
-
- -------------------
-
-The following copyright and permission notice applies to the OpenVision
-Kerberos Administration system located in `kadmin/create',
-`kadmin/dbutil', `kadmin/passwd', `kadmin/server', `lib/kadm5', and
-portions of `lib/rpc':
-
- Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights
- Reserved
-
- WARNING: Retrieving the OpenVision Kerberos Administration system
- source code, as described below, indicates your acceptance of the
- following terms. If you do not agree to the following terms, do
- not retrieve the OpenVision Kerberos administration system.
-
- You may freely use and distribute the Source Code and Object Code
- compiled from it, with or without modification, but this Source
- Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
- INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY
- OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY,
- WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY
- LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL,
- INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT,
- INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE
- SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR
- ANY OTHER REASON.
-
- OpenVision retains all copyrights in the donated Source Code.
- OpenVision also retains copyright to derivative works of the
- Source Code, whether created by OpenVision or by a third party.
- The OpenVision copyright notice must be preserved if derivative
- works are made based on the donated Source Code.
-
- OpenVision Technologies, Inc. has donated this Kerberos
- Administration system to MIT for inclusion in the standard
- Kerberos 5 distribution. This donation underscores our commitment
- to continuing Kerberos technology development and our gratitude
- for the valuable work which has been performed by MIT and the
- Kerberos community.
-
- -------------------
-
- Portions contributed by Matt Crawford `<crawdad@fnal.gov>' were
- work performed at Fermi National Accelerator Laboratory, which is
- operated by Universities Research Association, Inc., under contract
- DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
- -------------------
-
-Portions of `src/lib/crypto' have the following copyright:
-
- Copyright (C) 1998 by the FundsXpress, INC.
-
- All rights reserved.
-
- Export of this software from the United States of America may
- require a specific license from the United States Government.
- It is the responsibility of any person or organization
- contemplating export to obtain such a license before
- exporting.
-
- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- distribute this software and its documentation for any purpose and
- without fee is hereby granted, provided that the above copyright
- notice appear in all copies and that both that copyright notice and
- this permission notice appear in supporting documentation, and that
- the name of FundsXpress. not be used in advertising or publicity
- pertaining to distribution of the software without specific,
- written prior permission. FundsXpress makes no representations
- about the suitability of this software for any purpose. It is
- provided "as is" without express or implied warranty.
-
- THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
- -------------------
-
-The implementation of the AES encryption algorithm in
-`src/lib/crypto/builtin/aes' has the following copyright:
-
- Copyright (C) 2001, Dr Brian Gladman `<brg@gladman.uk.net>',
- Worcester, UK.
- All rights reserved.
-
- LICENSE TERMS
-
- The free distribution and use of this software in both source and
- binary form is allowed (with or without changes) provided that:
-
- 1. distributions of this source code include the above copyright
- notice, this list of conditions and the following disclaimer;
-
- 2. distributions in binary form include the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other associated materials;
-
- 3. the copyright holder's name is not used to endorse products
- built using this software without specific written permission.
-
- DISCLAIMER
-
- This software is provided 'as is' with no explcit or implied
- warranties in respect of any properties, including, but not
- limited to, correctness and fitness for purpose.
-
- -------------------
-
-Portions contributed by Red Hat, including the pre-authentication
-plug-in framework and the NSS crypto implementation, contain the
-following copyright:
-
- Copyright (C) 2006 Red Hat, Inc.
- Portions copyright (C) 2006 Massachusetts Institute of Technology
- All Rights Reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- * Neither the name of Red Hat, Inc., nor the names of its
- contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- -------------------
-
-The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
-`src/lib/gssapi', including the following files:
-
- lib/gssapi/generic/gssapi_err_generic.et
- lib/gssapi/mechglue/g_accept_sec_context.c
- lib/gssapi/mechglue/g_acquire_cred.c
- lib/gssapi/mechglue/g_canon_name.c
- lib/gssapi/mechglue/g_compare_name.c
- lib/gssapi/mechglue/g_context_time.c
- lib/gssapi/mechglue/g_delete_sec_context.c
- lib/gssapi/mechglue/g_dsp_name.c
- lib/gssapi/mechglue/g_dsp_status.c
- lib/gssapi/mechglue/g_dup_name.c
- lib/gssapi/mechglue/g_exp_sec_context.c
- lib/gssapi/mechglue/g_export_name.c
- lib/gssapi/mechglue/g_glue.c
- lib/gssapi/mechglue/g_imp_name.c
- lib/gssapi/mechglue/g_imp_sec_context.c
- lib/gssapi/mechglue/g_init_sec_context.c
- lib/gssapi/mechglue/g_initialize.c
- lib/gssapi/mechglue/g_inquire_context.c
- lib/gssapi/mechglue/g_inquire_cred.c
- lib/gssapi/mechglue/g_inquire_names.c
- lib/gssapi/mechglue/g_process_context.c
- lib/gssapi/mechglue/g_rel_buffer.c
- lib/gssapi/mechglue/g_rel_cred.c
- lib/gssapi/mechglue/g_rel_name.c
- lib/gssapi/mechglue/g_rel_oid_set.c
- lib/gssapi/mechglue/g_seal.c
- lib/gssapi/mechglue/g_sign.c
- lib/gssapi/mechglue/g_store_cred.c
- lib/gssapi/mechglue/g_unseal.c
- lib/gssapi/mechglue/g_userok.c
- lib/gssapi/mechglue/g_utils.c
- lib/gssapi/mechglue/g_verify.c
- lib/gssapi/mechglue/gssd_pname_to_uid.c
- lib/gssapi/mechglue/mglueP.h
- lib/gssapi/mechglue/oid_ops.c
- lib/gssapi/spnego/gssapiP_spnego.h
- lib/gssapi/spnego/spnego_mech.c
-
-and the initial implementation of incremental propagation, including
-the following new or changed files:
-
- include/iprop_hdr.h
- kadmin/server/ipropd_svc.c
- lib/kdb/iprop.x
- lib/kdb/kdb_convert.c
- lib/kdb/kdb_log.c
- lib/kdb/kdb_log.h
- lib/krb5/error_tables/kdb5_err.et
- slave/kpropd_rpc.c
- slave/kproplog.c
-
-are subject to the following license:
-
- Copyright (C) 2004 Sun Microsystems, Inc.
-
- Permission is hereby granted, free of charge, to any person
- obtaining a copy of this software and associated documentation
- files (the "Software"), to deal in the Software without
- restriction, including without limitation the rights to use, copy,
- modify, merge, publish, distribute, sublicense, and/or sell copies
- of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- DEALINGS IN THE SOFTWARE.
-
- -------------------
-
-Kerberos V5 includes documentation and software developed at the
-University of California at Berkeley, which includes this copyright
-notice:
-
- Copyright (C) 1983 Regents of the University of California.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. Neither the name of the University nor the names of its
- contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS
- OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- -------------------
-
-Portions contributed by Novell, Inc., including the LDAP database
-backend, are subject to the following license:
-
- Copyright (C) 2004-2005, Novell, Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- * Redistributions of source code must retain the above
- copyright notice, this list of conditions and the following
- disclaimer.
-
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- * The copyright holder's name is not used to endorse or promote
- products derived from this software without specific prior
- written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- -------------------
-
-Portions funded by Sandia National Laboratory and developed by the
-University of Michigan's Center for Information Technology Integration,
-including the PKINIT implementation, are subject to the following
-license:
-
- COPYRIGHT (C) 2006-2007
- THE REGENTS OF THE UNIVERSITY OF MICHIGAN
- ALL RIGHTS RESERVED
-
- Permission is granted to use, copy, create derivative works and
- redistribute this software and such derivative works for any
- purpose, so long as the name of The University of Michigan is not
- used in any advertising or publicity pertaining to the use of
- distribution of this software without specific, written prior
- authorization. If the above copyright notice or any other
- identification of the University of Michigan is included in any
- copy of any portion of this software, then the disclaimer below
- must also be included.
-
- THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE
- UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND
- WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER
- EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE
- LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
- CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR
- IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR
- IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
- -------------------
-
-The pkcs11.h file included in the PKINIT code has the following license:
-
- Copyright 2006 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-
- -------------------
-
-Portions contributed by Apple Inc. are subject to the following license:
-
- Copyright 2004-2008 Apple Inc. All Rights Reserved.
-
- Export of this software from the United States of America may
- require a specific license from the United States Government.
- It is the responsibility of any person or organization
- contemplating export to obtain such a license before
- exporting.
-
- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- distribute this software and its documentation for any purpose and
- without fee is hereby granted, provided that the above copyright
- notice appear in all copies and that both that copyright notice and
- this permission notice appear in supporting documentation, and that
- the name of Apple Inc. not be used in advertising or publicity
- pertaining to distribution of the software without specific,
- written prior permission. Apple Inc. makes no representations
- about the suitability of this software for any purpose. It is
- provided "as is" without express or implied warranty.
-
- THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
- -------------------
-
-The implementations of UTF-8 string handling in src/util/support and
-src/lib/krb5/unicode are subject to the following copyright and
-permission notice:
-
- The OpenLDAP Public License
- Version 2.8, 17 August 2003
-
- Redistribution and use of this software and associated
- documentation ("Software"), with or without modification, are
- permitted provided that the following conditions are met:
-
- 1. Redistributions in source form must retain copyright
- statements and notices,
-
- 2. Redistributions in binary form must reproduce applicable
- copyright statements and notices, this list of conditions,
- and the following disclaimer in the documentation and/or
- other materials provided with the distribution, and
-
- 3. Redistributions must contain a verbatim copy of this document.
-
- The OpenLDAP Foundation may revise this license from time to time.
- Each revision is distinguished by a version number. You may use
- this Software under terms of this license revision or under the
- terms of any subsequent revision of the license.
-
- THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
- CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS
- CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- The names of the authors and copyright holders must not be used in
- advertising or otherwise to promote the sale, use or other dealing
- in this Software without specific, written prior permission. Title
- to copyright in this Software shall at all times remain with
- copyright holders.
-
- OpenLDAP is a registered trademark of the OpenLDAP Foundation.
-
- Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
- California, USA. All Rights Reserved. Permission to copy and
- distribute verbatim copies of this document is granted.
-
- -------------------
-
-Marked test programs in src/lib/krb5/krb have the following copyright:
-
- Copyright (C) 2006 Kungliga Tekniska Högskolan
- (Royal Institute of Technology, Stockholm, Sweden).
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. Neither the name of KTH nor the names of its contributors may
- be used to endorse or promote products derived from this
- software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS
- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- -------------------
-
-Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc
-have the following copyright and permission notice:
-
- Copyright (C) 2010, Oracle America, Inc.
-
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. Neither the name of the "Oracle America, Inc." nor the names
- of its contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- -------------------
-
- Copyright (C) 2006,2007,2009 NTT (Nippon Telegraph and Telephone
- Corporation). All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer
- as the first lines of this file unmodified.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- -------------------
-
- Copyright 2000 by Carnegie Mellon University
-
- All Rights Reserved
-
- Permission to use, copy, modify, and distribute this software and
- its documentation for any purpose and without fee is hereby
- granted, provided that the above copyright notice appear in all
- copies and that both that copyright notice and this permission
- notice appear in supporting documentation, and that the name of
- Carnegie Mellon University not be used in advertising or publicity
- pertaining to distribution of the software without specific,
- written prior permission.
-
- CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE
- LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
- DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
- WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-
- -------------------
-
- Copyright (C) 2002 Naval Research Laboratory (NRL/CCS)
-
- Permission to use, copy, modify and distribute this software and
- its documentation is hereby granted, provided that both the
- copyright notice and this permission notice appear in all copies
- of the software, derivative works or modified versions, and any
- portions thereof.
-
- NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND
- DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER
- RESULTING FROM THE USE OF THIS SOFTWARE.
-
- -------------------
-
-Portions extracted from Internet RFCs have the following copyright
-notice:
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on
- an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
- THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
- ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
- PARTICULAR PURPOSE.
-
- -------------------
-
- Copyright (C) 1991, 1992, 1994 by Cygnus Support.
-
- Permission to use, copy, modify, and distribute this software and
- its documentation for any purpose and without fee is hereby
- granted, provided that the above copyright notice appear in all
- copies and that both that copyright notice and this permission
- notice appear in supporting documentation. Cygnus Support makes
- no representations about the suitability of this software for any
- purpose. It is provided "as is" without express or implied
- warranty.
-
- -------------------
-
- Copyright (C) 2006 Secure Endpoints Inc.
-
- Permission is hereby granted, free of charge, to any person
- obtaining a copy of this software and associated documentation
- files (the "Software"), to deal in the Software without
- restriction, including without limitation the rights to use, copy,
- modify, merge, publish, distribute, sublicense, and/or sell copies
- of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- SOFTWARE.
-
- -------------------
-
-Portions of the implementation of the Fortuna-like PRNG are subject to
-the following notice:
-
- Copyright (C) 2005 Marko Kreen
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR
- OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- Copyright (C) 1994 by the University of Southern California
-
- EXPORT OF THIS SOFTWARE from the United States of America may
- require a specific license from the United States Government.
- It is the responsibility of any person or organization
- contemplating export to obtain such a license before
- exporting.
-
- WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
- this software and its documentation in source and binary forms is
- hereby granted, provided that any documentation or other materials
- related to such distribution or use acknowledge that the software
- was developed by the University of Southern California.
-
- DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The
- University of Southern California MAKES NO REPRESENTATIONS OR
- WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
- limitation, the University of Southern California MAKES NO
- REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
- PARTICULAR PURPOSE. The University of Southern California shall
- not be held liable for any liability nor for any direct, indirect,
- or consequential damages with respect to any claim by the user or
- distributor of the ksu software.
-
- -------------------
-
- Copyright (C) 1995
- The President and Fellows of Harvard University
-
- This code is derived from software contributed to Harvard by
- Jeremy Rassen.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. All advertising materials mentioning features or use of this
- software must display the following acknowledgement:
-
- This product includes software developed by the
- University of California, Berkeley and its contributors.
-
- 4. Neither the name of the University nor the names of its
- contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS
- OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- -------------------
-
- Copyright (C) 2008 by the Massachusetts Institute of Technology.
- Copyright 1995 by Richard P. Basch. All Rights Reserved.
- Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.
- Export of this software from the United States of America may
- require a specific license from the United States Government.
- It is the responsibility of any person or organization
- contemplating export to obtain such a license before
- exporting.
-
- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- distribute this software and its documentation for any purpose and
- without fee is hereby granted, provided that the above copyright
- notice appear in all copies and that both that copyright notice and
- this permission notice appear in supporting documentation, and that
- the name of Richard P. Basch, Lehman Brothers and M.I.T. not be
- used in advertising or publicity pertaining to distribution of the
- software without specific, written prior permission. Richard P.
- Basch, Lehman Brothers and M.I.T. make no representations about
- the suitability of this software for any purpose. It is provided
- "as is" without express or implied warranty.
-
- -------------------
-
-The following notice applies to `src/lib/krb5/krb/strptime.c':
-
- Copyright (C) 1997, 1998 The NetBSD Foundation, Inc.
- All rights reserved.
-
- This code was contributed to The NetBSD Foundation by Klaus Klein.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. All advertising materials mentioning features or use of this
- software must display the following acknowledgement:
-
- This product includes software developed by the NetBSD
- Foundation, Inc. and its contributors.
-
- 4. Neither the name of The NetBSD Foundation nor the names of its
- contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
- CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
- OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- DAMAGE.
-
- -------------------
-
-The following notice applies to Unicode library files in
-`src/lib/krb5/unicode':
-
- Copyright 1997, 1998, 1999 Computing Research Labs,
- New Mexico State University
-
- Permission is hereby granted, free of charge, to any person
- obtaining a copy of this software and associated documentation
- files (the "Software"), to deal in the Software without
- restriction, including without limitation the rights to use, copy,
- modify, merge, publish, distribute, sublicense, and/or sell copies
- of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR
- NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR
- OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
- -------------------
-
-The following notice applies to `src/util/support/strlcpy.c':
-
- Copyright (C) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
-
- Permission to use, copy, modify, and distribute this software for
- any purpose with or without fee is hereby granted, provided that
- the above copyright notice and this permission notice appear in
- all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
- WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- -------------------
-
-The following notice applies to `src/util/profile/argv_parse.c' and
-`src/util/profile/argv_parse.h':
-
- Copyright 1999 by Theodore Ts'o.
-
- Permission to use, copy, modify, and distribute this software for
- any purpose with or without fee is hereby granted, provided that
- the above copyright notice and this permission notice appear in all
- copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE
- AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
- IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
- RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't
- it sick that the U.S. culture of lawsuit-happy lawyers requires
- this kind of disclaimer?)
-
- -------------------
-
-The following notice applies to SWIG-generated code in
-`src/util/profile/profile_tcl.c':
-
- Copyright (C) 1999-2000, The University of Chicago
-
- This file may be freely redistributed without license or fee
- provided this copyright message remains intact.
-
- -------------------
-
-The following notice applies to portiions of `src/lib/rpc' and
-`src/include/gssrpc':
-
- Copyright (C) 2000 The Regents of the University of Michigan. All
- rights reserved.
-
- Copyright (C) 2000 Dug Song <dugsong@UMICH.EDU>. All rights
- reserved, all wrongs reversed.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- 3. Neither the name of the University nor the names of its
- contributors may be used to endorse or promote products
- derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
- OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- DAMAGE.
-
- -------------------
-
-Implementations of the MD4 algorithm are subject to the following
-notice:
-
- Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
-
- License to copy and use this software is granted provided that it
- is identified as the "RSA Data Security, Inc. MD4 Message Digest
- Algorithm" in all material mentioning or referencing this software
- or this function.
-
- License is also granted to make and use derivative works provided
- that such works are identified as "derived from the RSA Data
- Security, Inc. MD4 Message Digest Algorithm" in all material
- mentioning or referencing the derived work.
-
- RSA Data Security, Inc. makes no representations concerning either
- the merchantability of this software or the suitability of this
- software for any particular purpose. It is provided "as is"
- without express or implied warranty of any kind.
-
- These notices must be retained in any copies of any part of this
- documentation and/or software.
-
- -------------------
-
-Implementations of the MD5 algorithm are subject to the following
-notice:
-
- Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
-
- License to copy and use this software is granted provided that it
- is identified as the "RSA Data Security, Inc. MD5 Message- Digest
- Algorithm" in all material mentioning or referencing this software
- or this function.
-
- License is also granted to make and use derivative works provided
- that such works are identified as "derived from the RSA Data
- Security, Inc. MD5 Message-Digest Algorithm" in all material
- mentioning or referencing the derived work.
-
- RSA Data Security, Inc. makes no representations concerning either
- the merchantability of this software or the suitability of this
- software for any particular purpose. It is provided "as is"
- without express or implied warranty of any kind.
-
- These notices must be retained in any copies of any part of this
- documentation and/or software.
-
- -------------------
-
-The following notice applies to
-`src/lib/crypto/crypto_tests/t_mddriver.c':
-
- Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
- rights reserved.
-
- RSA Data Security, Inc. makes no representations concerning either
- the merchantability of this software or the suitability of this
- software for any particular purpose. It is provided "as is"
- without express or implied warranty of any kind.
-
- These notices must be retained in any copies of any part of this
- documentation and/or software.
-
- -------------------
-
-Portions of `src/lib/krb5' are subject to the following notice:
-
- Copyright (C) 1994 CyberSAFE Corporation.
- Copyright 1990,1991,2007,2008 by the Massachusetts Institute of
- Technology.
- All Rights Reserved.
-
- Export of this software from the United States of America may
- require a specific license from the United States Government.
- It is the responsibility of any person or organization
- contemplating export to obtain such a license before
- exporting.
-
- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- distribute this software and its documentation for any purpose and
- without fee is hereby granted, provided that the above copyright
- notice appear in all copies and that both that copyright notice and
- this permission notice appear in supporting documentation, and that
- the name of M.I.T. not be used in advertising or publicity
- pertaining to distribution of the software without specific,
- written prior permission. Furthermore if you modify this software
- you must label your software as modified software and not
- distribute it in such a fashion that it might be confused with the
- original M.I.T. software. Neither M.I.T., the Open Computing
- Security Group, nor CyberSAFE Corporation make any representations
- about the suitability of this software for any purpose. It is
- provided "as is" without express or implied warranty.
-
- -------------------
-
-Portions contributed by PADL Software are subject to the following
-license:
-
- Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution.
-
- 3. Neither the name of PADL Software nor the names of its
- contributors may be used to endorse or promote products derived
- from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS
- IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL
- SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- -------------------
-
-The bundled libev source code is subject to the following license:
-
- All files in libev are Copyright (C)2007,2008,2009 Marc Alexander
- Lehmann.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials
- provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- Alternatively, the contents of this package may be used under the
- terms of the GNU General Public License ("GPL") version 2 or any
- later version, in which case the provisions of the GPL are
- applicable instead of the above. If you wish to allow the use of
- your version of this package only under the terms of the GPL and
- not to allow others to use your version of this file under the BSD
- license, indicate your decision by deleting the provisions above
- and replace them with the notice and other provisions required by
- the GPL in this and the other files of this package. If you do not
- delete the provisions above, a recipient may use your version of
- this file under either the BSD or the GPL.
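Review bot: this removal hunk drops notices that impose retention and attribution obligations, not only warranty disclaimers: the RSA MD4 and MD5 notices require that the code be identified as the "RSA Data Security, Inc. MD4/MD5 Message-Digest Algorithm" in all material referencing it and state that "These notices must be retained in any copies of any part of this documentation and/or software"; the Harvard and NetBSD notices carry advertising-acknowledgement clauses; and the USC, Basch/Lehman Brothers and CyberSAFE/MIT notices carry export-control language. Deleting this copy of the notices is only safe if an identical set still ships with the documentation, so the change description should state where the canonical copy now lives instead of leaving that implicit.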
7 doc/rst_source/conf.py
@@ -225,9 +225,9 @@
('krb_users/user_commands/kpasswd', 'kpasswd', u'change a user\'s Kerberos password', [u'MIT'], 1),
('krb_users/user_commands/kvno', 'kvno', u'print key version numbers of Kerberos principals', [u'MIT'], 1),
('krb_users/user_commands/ksu', 'ksu', u'Kerberized super-user', [u'MIT'], 1),
- ('krb_users/user_commands/k5login', '.k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
+ ('krb_users/user_commands/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
+ ('krb_users/user_commands/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5),
('krb_admins/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8),
- ('krb_admins/admin_commands/kadmin_local', 'kadmin.local', u'Kerberos V5 database administration program', [u'MIT'], 8),
('krb_admins/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1),
('krb_admins/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a slave server', [u'MIT'], 8),
('krb_admins/admin_commands/kproplog', 'kproplog', u'display the contents of the Kerberos principal update log', [u'MIT'], 8),
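Review bot: removing the ('krb_admins/admin_commands/kadmin_local', 'kadmin.local', ..., 8) tuple while keeping the 'kadmin' section-1 tuple from the same source means no kadmin.local(8) man page is generated any more. If the intent is that kadmin.local is documented only inside kadmin(1), say so in the change description; otherwise keep both tuples, since Sphinx's man_pages list accepts several output pages from one source document. The '.k5login' to 'k5login' rename is correct (man page names should not carry a leading dot) and matches the new 'k5identity' entry added next to it.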
@@ -239,4 +239,7 @@
('krb_admins/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'Kerberos configuration utility', [u'MIT'], 8),
('krb_admins/conf_files/krb5_conf', 'krb5.conf', u'Kerberos configuration file', [u'MIT'], 5),
('krb_admins/conf_files/kdc_conf', 'kdc.conf', u'Kerberos V5 KDC configuration file', [u'MIT'], 5),
+ ('krb_users/user_commands/send-pr', 'krb5-send-pr', u'send problem report (PR) to a central support site', [u'MIT'], 1),
+ ('krb_users/user_commands/sclient', 'sclient', u'sample Kerberos version 5 client', [u'MIT'], 1),
+ ('krb_admins/admin_commands/sserver', 'sserver', u'sample Kerberos version 5 server', [u'MIT'], 8),
]
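Review bot: the new tuple maps the source 'krb_users/user_commands/send-pr' to a man page named 'krb5-send-pr', whereas the other entries added here ('sclient', 'sserver') and the rest of the list use the same stem for the source file and the page name. Either rename the source to krb5-send-pr.rst or make sure its :ref: label matches the generated name, so cross-references resolve consistently with the :ref:`sclient(1)` style used in sserver.rst.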
1  doc/rst_source/krb_admins/admin_commands/index.rst
@@ -17,6 +17,7 @@ Administration programs
k5srvutil.rst
kadmind.rst
kdb5_ldap_util.rst
+ sserver.rst
------------
94 doc/rst_source/krb_admins/admin_commands/sserver.rst
@@ -0,0 +1,94 @@
+.. _sserver(8):
+
+sserver
+========
+
+SYNOPSIS
+------------
+
+**sserver**
+[ **-p** *port* ]
+[ **-S** *keytab* ]
+[ *server_port* ]
+
+DESCRIPTION
+---------------
+
+**sserver** and :ref:`sclient(1)` are a simple demonstration client/server application.
+When *sclient* connects to *sserver*, it performs a Kerberos authentication,
+and then sserver returns to *sclient* the Kerberos principal which was used for
+the Kerberos authentication. It makes a good test that Kerberos
+has been successfully installed on a machine.
+
+The service name used by *sserver* and *sclient* is sample.
+Hence, *sserver* will require that there be a keytab entry for the service
+"sample/hostname.domain.name\@REALM.NAME".
+This keytab is generated using the :ref:`kadmin(1)` program.
+The keytab file is usually installed as "/etc/krb5.keytab".
+
+The **-S** option allows for a different keytab than the default.
+
+*sserver* is normally invoked out of inetd(8), using a line in /etc/inetd.conf that looks like this::
+
+ sample stream tcp nowait root /usr/local/sbin/sserver sserver
+
+Since *sample* is normally not a port defined in /etc/services,
+you will usually have to add a line to /etc/services which looks like this::
+
+ sample 13135/tcp
+
+When using *sclient*, you will first have to have an entry in the Kerberos database,
+by using :ref:`kadmin(1)`, and then you have to get Kerberos tickets, by using kinit(1).
+Also, if you are running the *sclient* program on a different host than the *sserver*
+it will be connecting to, be sure that both hosts have an entry in /etc/services
+for the sample tcp port, and that the same port number is in both files.
+
+When you run *sclient* you should see something like this::
+
+ sendauth succeeded, reply is:
+ reply len 32, contents:
+ You are nlgilman@JIMI.MIT.EDU
+
+COMMON ERROR MESSAGES
+-----------------------
+
+1) *kinit* returns the error::
+
+ kinit: Client not found in Kerberos database while getting initial credentials
+
+ This means that you didn't create an entry for your username in the Kerberos database.
+
+2) *sclient* returns the error::
+
+ unknown service sample/tcp; check /etc/services
+
+ This means that you don't have an entry in /etc/services for the sample tcp port.
+
+3) *sclient* returns the error::
+
+ connect: Connection refused
+
+ This probably means you didn't edit /etc/inetd.conf correctly,
+ or you didn't restart inetd after editing inetd.conf.
+
+4) *sclient* returns the error::
+
+ sclient: Server not found in Kerberos database while using sendauth
+
+ This means that the "sample/hostname\@LOCAL.REALM" service was not defined
+ in the Kerberos database; it should be created using *kadmin*, and a keytab file
+ needs to be generated to make the key for that service principal available for *sclient*.
+
+5) *sclient* returns the error::
+
+ sendauth rejected, error reply is:
+ " No such file or directory"
+
+ This probably means *sserver* couldn't find the keytab file.
+ It was probably not installed in the proper directory.
+
+SEE ALSO
+------------
+
+:ref:`sclient(1)`, services(5), inetd(8)
+
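Review bot: in error message 4 (`sclient: Server not found in Kerberos database while using sendauth`) the explanation says a keytab must be generated to make the service key "available for *sclient*"; it is *sserver* that reads the keytab (the default `/etc/krb5.keytab` or the file given with **-S**), so this should say "available for *sserver*". The SYNOPSIS also lists both `-p port` and a positional `server_port`, but the DESCRIPTION documents neither; a sentence on what each sets, and which takes precedence if both are given, is needed. Finally, the inetd.conf example runs the sample server as `root`; once inetd has accepted the connection, sserver only needs read access to its keytab, so the example could use a dedicated unprivileged account with an **-S** keytab readable by that account, which limits what a bug in the demonstration service can reach.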
274 doc/rst_source/krb_admins/conf_files/kdc_conf.rst
@@ -3,22 +3,28 @@
kdc.conf
==============
-The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your kdc.conf file in the directory */usr/local/var/krb5kdc*. You can override the default location by setting the environment variable *KRB5_KDC_PROFILE*.
+The kdc.conf file contains KDC configuration information, including defaults
+used when issuing Kerberos tickets. Normally, you should install your kdc.conf
+file in the directory */usr/local/var/krb5kdc*.
+You can override the default location by setting the environment variable
+*KRB5_KDC_PROFILE*.
Structure
--------------
-The kdc.conf file is set up in the same format as the :ref:`krb5.conf` file. The kdc.conf file may contain any or all of the following three sections:
-
-==================== ================================
-:ref:`kdcdefaults` Contains default values for overall behavior of the KDC.
-:ref:`kdc_realms` Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.
-:ref:`kdc_logging` Contains relations which determine how Kerberos programs are to perform logging.
-==================== ================================
+The kdc.conf file is set up in the same format as the :ref:`krb5.conf` file.
Sections
-------------
+The kdc.conf file may contain any or all of the following three sections:
+
+==================== ================================
+:ref:`kdcdefaults` Contains default values for overall behavior of the KDC.
+:ref:`kdc_realms` Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.
+:ref:`kdc_logging` Contains relations which determine how Kerberos programs are to perform logging.
+==================== ================================
+
.. _kdcdefaults:
@@ -28,19 +34,34 @@ Sections
The following relation is defined in the [kdcdefaults] section:
**host_based_services**
- This relation lists the services that will get host-based referral processing even if the server principal is not marked as host-based by the client.
+ This relation lists the services that will get host-based referral processing
+ even if the server principal is not marked as host-based by the client.
**kdc_max_dgram_reply_size**
- Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes.
+ Specifies the maximum packet size that can be sent over UDP.
+ The default value is 4096 bytes.
**kdc_ports**
- This relation lists the ports on which the Kerberos server should listen for UDP requests by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is 88,750, the first being the assigned Kerberos port and the second which was used by Kerberos V4.
+ This relation lists the ports on which the Kerberos server should listen
+ for UDP requests by default. This list is a comma separated list of integers.
+ If this relation is not specified, the compiled-in default is 88,750,
+ the first being the assigned Kerberos port and the second which was used
+ by Kerberos V4.
**kdc_tcp_ports**
- This relation lists the ports on which the Kerberos server should listen for TCP connections by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is not to listen for TCP connections at all.
-
- If you wish to change this (which we do not recommend, because the current implementation has little protection against denial-of-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88.
+ This relation lists the ports on which the Kerberos server should listen
+ for TCP connections by default. This list is a comma separated list of integers.
+ If this relation is not specified, the compiled-in default is not
+ to listen for TCP connections at all.
+
+ If you wish to change this (which we do not recommend, because the current
+ implementation has little protection against denial-of-service attacks),
+ the standard port number assigned for Kerberos TCP traffic is port 88.
**no_host_referral**
- This relation blocks the specified services from host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in *host_based_services*. *no_host_referral* = \* will disable referral processing altogether.
+ This relation blocks the specified services from host-based referral processing,
+ even if the client marks the server principal as host-based or the service
+ is also listed in *host_based_services*. *no_host_referral* = \* will disable
+ referral processing altogether.
**restrict_anonymous_to_tgt**
- This flag determines the default value of restrict_anonymous_to_tgt for realms. The default value is false.
+ This flag determines the default value of *restrict_anonymous_to_tgt for realms*.
+ The default value is false.
.. _kdc_realms:
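Review bot: at `+ This flag determines the default value of *restrict_anonymous_to_tgt for realms*.` the emphasis markup now covers the words `for realms` as well as the relation name; it should read `*restrict_anonymous_to_tgt* for realms` so that only the option name is italicised, consistent with how the per-realm option is referenced later in the file.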
@@ -48,104 +69,178 @@ The following relation is defined in the [kdcdefaults] section:
**[realms]**
~~~~~~~~~~~~~~~
-Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.
+Each tag in the [realms] section of the file names a Kerberos realm.
+The value of the tag is a subsection where the relations in that subsection
+define KDC parameters for that particular realm.
For each realm, the following tags may be specified in the [realms] subsection:
**acl_file**
- (String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is */usr/local/var/krb5kdc/kadm5.acl*.
+ (String.) Location of the access control list (acl) file that
+ kadmin uses to determine which principals are allowed which permissions
+ on the database. The default is */usr/local/var/krb5kdc/kadm5.acl*.
**admin_keytab**
- (String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is */usr/local/var/krb5kdc/kadm5.keytab*.
+ (String.) Location of the keytab file that the legacy administration
+ daemons kadmind4 and v5passwdd use to authenticate to the database.
+ The default is */usr/local/var/krb5kdc/kadm5.keytab*.
**database_name**
This string specifies the location of the Kerberos database for this realm.
**default_principal_expiration**
- (Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is 0.
+ (Absolute time string.) Specifies the default expiration date of principals
+ created in this realm. The default value for this tag is 0.
**default_principal_flags**
- (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The default is *postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets*, and *service enabled*.
+ (Flag string.) Specifies the default attributes of principals created
+ in this realm. The format for this string is a comma-separated list of flags,
+ with '+' before each flag that should be enabled and '-' before each flag
+ that should be disabled. The default is *postdateable, forwardable, tgt-based,
+ renewable, proxiable, dup-skey, allow-tickets*, and *service enabled*.
There are a number of possible flags:
*allow-tickets*
- Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm.
+ Enabling this flag means that the KDC will issue tickets for this principal.
+ Disabling this flag essentially deactivates the principal within this realm.
*dup-skey*
- Enabling this flag allows the principal to obtain a session key for another user, permitting user-to-user authentication for this principal.
+ Enabling this flag allows the principal to obtain a session key for another user,
+ permitting user-to-user authentication for this principal.
*forwardable*
Enabling this flag allows the principal to obtain forwardable tickets.
*hwauth*
- If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets.
+ If this flag is enabled, then the principal is required to preauthenticate
+ using a hardware device before receiving any tickets.
*no-auth-data-required*
Enabling this flag prvents PAC data from being added to the service tickets.
*ok-as-delegate*
- If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service.
+ If this flag is enabled, it hints the client that credentials can and
+ should be delegated when authenticating to the service.
*ok-to-auth-as-delegate*
Enabling this flag allows the principal to use S4USelf ticket.
*postdateable*
Enabling this flag allows the principal to obtain postdateable tickets.
*preauth*
- If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set.
+ If this flag is enabled on a client principal, then that principal
+ is required to preauthenticate to the KDC before receiving any tickets.
+ On a service principal, enabling this flag means that service tickets
+ for this principal will only be issued to clients with a TGT that has
+ the preauthenticated ticket set.
*proxiable*
Enabling this flag allows the principal to obtain proxy tickets.
*pwchange*
Enabling this flag forces a password change for this principal.
*pwservice*
- If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password.
+ If this flag is enabled, it marks this principal as a password change service.
+ This should only be used in special cases, for example,
+ if a user's password has expired, then the user has to get tickets
+ for that principal without going through the normal password authentication
+ in order to be able to change the password.
*renewable*
Enabling this flag allows the principal to obtain renewable tickets.
*service*
Enabling this flag allows the the KDC to issue service tickets for this principal.
*tgt-based*
- Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT.
-
+ Enabling this flag allows a principal to obtain tickets based
+ on a ticket-granting-ticket, rather than repeating the authentication
+ process that was used to obtain the TGT.
**dict_file**
- (String.) Location of the dictionary file containing strings that are not allowed as passwords. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.
+ (String.) Location of the dictionary file containing strings that
+ are not allowed as passwords. If none is specified or if there is
+ no policy assigned to the principal, no dictionary checks of passwords
+ will be performed.
**host_based_services**
- (Whitespace- or comma-separated list) This relation lists the services that will get host-based referral processing even if the server principal is not marked as host-based by the client.
+ (Whitespace- or comma-separated list) This relation lists the services
+ that will get host-based referral processing even if the server principal
+ is not marked as host-based by the client.
**iprop_enable**
- This boolean ("true" or "false") specifies whether incremental database propagation is enabled. The default is "false".
+ This boolean ("true" or "false") specifies whether incremental database
+ propagation is enabled. The default is "false".
**iprop_master_ulogsize**
- This numeric value specifies the maximum number of log entries to be retained for incremental propagation. The maximum value is 2500; default is 1000.
+ This numeric value specifies the maximum number of log entries to be
+ retained for incremental propagation.
+ The maximum value is 2500; default is 1000.
**iprop_slave_poll**
- This delta time string specfies how often the slave KDC polls for new updates from the master. Default is "2m" (that is, two minutes).
+ This delta time string specfies how often the slave KDC polls for new
+ updates from the master. Default is "2m" (that is, two minutes).
**iprop_port**
- (Port number.) This specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.
+ (Port number.) This specifies the port number to be used for incremental
+ propagation. This is required in both master and slave configuration files.
**iprop_logfile**
- (File name) This specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the krb5 config file, with *.ulog* appended. (NOTE: If *database_name* isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.)
+ (File name) This specifies where the update log file for the realm database
+ is to be stored. The default is to use the *database_name* entry from the
+ realms section of the krb5 config file, with *.ulog* appended.
+ (NOTE: If *database_name* isn't specified in the realms section,
+ perhaps because the LDAP database back end is being used, or the file name
+ is specified in the *dbmodules* section, then the hard-coded default for
+ *database_name* is used. Determination of the *iprop_logfile* default value
+ will not use values from the *dbmodules* section.)
**kadmind_port**
- (Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. The assigned port for kadmind is 749.
+ (Port number.) Specifies the port on which the kadmind daemon is to listen
+ for this realm. The assigned port for kadmind is 749.
**key_stash_file**
- (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
+ (String.) Specifies the location where the master key has been stored
+ (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM,
+ where REALM is the Kerberos realm.
**kdc_ports**
- (String.) Specifies the list of ports that the KDC is to listen to for UDP requests for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used.
+ (String.) Specifies the list of ports that the KDC is to listen to for
+ UDP requests for this realm. By default, the value of kdc_ports as specified
+ in the [kdcdefaults] section is used.
**kdc_tcp_ports**
- (String.) Specifies the list of ports that the KDC is to listen to for TCP requests for this realm. By default, the value of kdc_tcp_ports as specified in the [kdcdefaults] section is used.
+ (String.) Specifies the list of ports that the KDC is to listen to for TCP
+ requests for this realm. By default, the value of kdc_tcp_ports as specified
+ in the [kdcdefaults] section is used.
**master_key_name**
- (String.) Specifies the name of the principal associated with the master key. The default is K/M.
+ (String.) Specifies the name of the principal associated with the master key.
+ The default is K/M.
**master_key_type**
- (Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see :ref:`Supported_Encryption_Types_and_Salts`.
+ (Key type string.) Specifies the master key's key type.
+ The default value for this is des3-cbc-sha1. For a list of all possible values,
+ see :ref:`Supported_Encryption_Types_and_Salts`.
**max_life**
- (Delta time string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.
+ (Delta time string.) Specifies the maximum time period for which a ticket
+ may be valid in this realm. The default value is 24 hours.
**max_renewable_life**
- (Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.
+ (Delta time string.) Specifies the maximum time period during which a valid
+ ticket may be renewed in this realm. The default value is 0.
**no_host_referral**
- (Whitespace- or comma-separated list) This relation blocks the specified services from host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in *host_based_services*. *no_host_referral* = \* will disable referral processing altogether.
+ (Whitespace- or comma-separated list) This relation blocks the specified
+ services from host-based referral processing, even if the client marks
+ the server principal as host-based or the service is also listed in
+ *host_based_services*.
+ *no_host_referral* = \* will disable referral processing altogether.
**reject_bad_transit**
- A boolean value (true, false). If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path.
-
- If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the reject_bad_transit option will cause such ticket requests to be rejected always.
+ A boolean value (true, false). If set to true, the KDC will check the list
+ of transited realms for cross-realm tickets against the transit path
+ computed from the realm names and the capaths section of its krb5.conf file;
+ if the path in the ticket to be issued contains any realms not in the
+ computed path, the ticket will not be issued, and an error will be returned
+ to the client instead. If this value is set to false, such tickets will be
+ issued anyways, and it will be left up to the application server to validate
+ the realm transit path.
+
+ If the disable-transited-check flag is set in the incoming request,
+ this check is not performed at all. Having the reject_bad_transit option
+ will cause such ticket requests to be rejected always.
This transit path checking and config file option currently apply only to TGS requests.
- Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don't want the KDC to do the validation.
-
- This is a per-realm option so that multiple-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not.
+ This is a per-realm option so that multiple-realm KDCs may control it
+ separately for each realm, in case (for example) one realm has had the
+ software on its application servers updated but another has not.
This option defaults to true.
**restrict_anonymous_to_tgt**
- A boolean value (true, false). If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. By default, the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used.
-
+ A boolean value (true, false). If set to true, the KDC will reject ticket
+ requests from anonymous principals to service principals other than
+ the realm's ticket-granting service. This option allows anonymous PKINIT
+ to be enabled for use as FAST armor tickets without allowing anonymous
+ authentication to services. By default, the value of restrict_anonymous_to_tgt
+ as specified in the [kdcdefaults] section is used.
**supported_enctypes**
- List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. For lists of possible values, see :ref:`Supported_Encryption_Types_and_Salts`
-
+ List of *key:salt* strings. Specifies the default key/salt combinations
+ of principals for this realm. Any principals created through kadmin will
+ have keys of these types.
+ The default value for this tag is aes256-cts-hmac-sha1-96:normal
+ aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal.
+ For lists of possible values, see :ref:`Supported_Encryption_Types_and_Salts`
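Review bot: dropping the paragraph about pre-1.2.3 application servers under **reject_bad_transit** leaves the retained sentence `in case (for example) one realm has had the software on its application servers updated but another has not` without the context that explained what "updated" refers to; either keep a short mention of the older server-side transit-check bug or reword the example so it stands on its own. Two typos could be fixed while rewrapping: `specfies` in the new **iprop_slave_poll** text, and the unchanged `prvents` under *no-auth-data-required* and `the the` under *service*. The last line of **supported_enctypes** is also missing its terminating period.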
@@ -160,7 +255,11 @@ See :ref:`logging` section in :ref:`krb5.conf`
PKINIT options
---------------
-.. note:: The following are pkinit-specific options. Note that these values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value over-rides, does not add to, a generic [kdcdefaults] specification. The search order is:
+.. note:: The following are pkinit-specific options. Note that these values
+ may be specified in [kdcdefaults] as global defaults, or within
+ a realm-specific subsection of [realms]. Also note that
+ a realm-specific value over-rides, does not add to, a generic
+ [kdcdefaults] specification. The search order is:
1. realm-specific subsection of [realms]
@@ -178,52 +277,79 @@ PKINIT options
-For information about the syntax of some of these options, see See pkinit identity syntax.
+For information about the syntax of some of these options, see pkinit identity syntax.
**pkinit_anchors**
- Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times.
+ Specifies the location of trusted anchor (root) certificates which the KDC
+ trusts to sign client certificates. This option is required if pkinit is
+ to be supported by the KDC. This option may be specified multiple times.
**pkinit_dh_min_bits**
- Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048.
+ Specifies the minimum number of bits the KDC is willing to accept for
+ a client's Diffie-Hellman key. The default is 2048.
**pkinit_allow_upn**
- Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name.
+ Specifies that the KDC is willing to accept client certificates with
+ the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN).
+ This means the KDC accepts the binding of the UPN in the certificate
+ to the Kerberos principal name.
The default is *false*.
- Without this option, the KDC will only accept certificates with the *id-pkinit-san* as defined in :rfc:`4556`. There is currently no option to disable SAN checking in the KDC.
+ Without this option, the KDC will only accept certificates with the
+ *id-pkinit-san* as defined in :rfc:`4556`. There is currently no option
+ to disable SAN checking in the KDC.
**pkinit_eku_checking**
- This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are:
+ This option specifies what Extended Key Usage (EKU) values the KDC is
+ willing to accept in client certificates. The values recognized in
+ the kdc.conf file are:
*kpClientAuth*
- This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`.
+ This is the default value and specifies that client certificates
+ must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`.
*scLogin*
- If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted.
+ If scLogin is specified, client certificates with
+ the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted.
*none*
- If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended.
+ If none is specified, then client certificates will not be checked
+ to verify they have an acceptable EKU. The use of this option
+ is not recommended.
**pkinit_identity**
- Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC.
+ Specifies the location of the KDC's X.509 identity information.
+ This option is required if pkinit is to be supported by the KDC.
**pkinit_kdc_ocsp**
Specifies the location of the KDC's OCSP.
**pkinit_mapping_file**
- Specifies the name of the ACL pkinit mapping file. This file maps principals to the certificates that they can use.
+ Specifies the name of the ACL pkinit mapping file.
+ This file maps principals to the certificates that they can use.
**pkinit_pool**
- Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times.
+ Specifies the location of intermediate certificates which may be used by
+ the KDC to complete the trust chain between a client's certificate and
+ a trusted anchor. This option may be specified multiple times.
**pkinit_revoke**
- Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times.
+ Specifies the location of Certificate Revocation List (CRL) information
+ to be used by the KDC when verifying the validity of client certificates.
+ This option may be specified multiple times.
**pkinit_require_crl_checking**
- The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and pkinit_require_crl_checking is false, then verification succeeds.
-
- However, if pkinit_require_crl_checking is true and there is no CRL information available for the issuing CA, then verification fails.
-
- *pkinit_require_crl_checking* should be set to true if the policy is such that up-to-date CRLs must be present for every CA.
+ The default certificate verification process will always check the available
+ revocation information to see if a certificate has been revoked.
+ If a match is found for the certificate in a CRL, verification fails.
+ If the certificate being verified is not listed in a CRL, or there is no
+ CRL present for its issuing CA, and pkinit_require_crl_checking is false,
+ then verification succeeds.
+
+ However, if pkinit_require_crl_checking is true and there is no CRL
+ information available for the issuing CA, then verification fails.
+
+ *pkinit_require_crl_checking* should be set to true if the policy is such
+ that up-to-date CRLs must be present for every CA.
Sample kdc.conf File
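Review bot: `see pkinit identity syntax` at the top of this hunk removes the duplicated "See" but still reads as a cross-reference without a link; if a pkinit identity syntax section exists in these docs it should be a `:ref:` target, otherwise state where that syntax is documented. Under **pkinit_require_crl_checking** the text describes the behaviour when the option is false and when it is true but never states which is the default; given that this option and the `none` value of **pkinit_eku_checking** are the settings that relax certificate validation, an explicit "The default is ..." line would help administrators. The unchanged `Specifies the location of the KDC's OCSP.` under **pkinit_kdc_ocsp** is also too terse to act on (location of what: an OCSP responder URL?).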
711 doc/rst_source/krb_admins/conf_files/krb5_conf.rst
@@ -3,25 +3,32 @@
krb5.conf
==========
-The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG.
+The *krb5.conf* file contains Kerberos configuration information, including
+the locations of KDCs and admin servers for the Kerberos realms of interest,
+defaults for the current realm and for Kerberos applications,
+and mappings of hostnames onto Kerberos realms.
+Normally, you should install your krb5.conf file in the directory /etc.
+You can override the default location by setting the environment variable KRB5_CONFIG.
Structure
---------
-The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form::
+The krb5.conf file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets.
+Each section may contain zero or more relations, of the form::
foo = bar
-
or ::
fubar = {
foo = bar
baz = quux
}
-
-Placing a '\*' at the end of a line indicates that this is the *final* value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag.
+Placing a '\*' at the end of a line indicates that this is the *final* value for the tag.
+This means that neither the remainder of this configuration file nor any other
+configuration file will be checked for any other values for this tag.
For example, if you have the following lines::
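Review bot: the blank lines removed after the two literal blocks (the one after `foo = bar` and the one after the closing `}`) are a problem if those blocks are indented `::` literal blocks, as the `of the form::` lead-in implies: docutils will emit "Literal block ends without a blank line; unexpected unindent", and `or ::` can be swallowed into the first block; keep a blank line between each literal block and the text that follows it. Also, *krb5.conf* is emphasised in the opening sentence but plain in "install your krb5.conf file" and in the Structure paragraph; pick one form.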
@@ -31,19 +38,32 @@ For example, if you have the following lines::
then the second value of *foo* (baz) would never be read.
-The krb5.conf file can include other files using either of the following directives at the beginning of a line::
+The krb5.conf file can include other files using either of the following
+directives at the beginning of a line::
include FILENAME
includedir DIRNAME
-*FILENAME* or *DIRNAME* should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Included profile files are syntactically independent of their parents, so each included file must begin with a section header.
+*FILENAME* or *DIRNAME* should be an absolute path. The named file or directory
+must exist and be readable. Including a directory includes all files within
+the directory whose names consist solely of alphanumeric characters, dashes,
+or underscores. Included profile files are syntactically independent of their
+parents, so each included file must begin with a section header.
-The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers::
+The krb5.conf file can specify that configuration should be obtained from
+a loadable module, rather than the file itself, using the following directive
+at the beginning of a line before any section headers::
module MODULEPATH:RESIDUAL
-*MODULEPATH* may be relative to the library path of the krb5 installation, or it may be an absolute path. *RESIDUAL* is provided to the module at initialization time. If krb5.conf uses a module directive, kdc.conf should also use one if it exists.
+*MODULEPATH* may be relative to the library path of the krb5 installation,
+or it may be an absolute path. *RESIDUAL* is provided to the module at
+initialization time.
+If krb5.conf uses a module directive, kdc.conf should also use one if it exists.
+
+Sections
+----------
The krb5.conf file may contain any or all of the following sections:
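Review bot: the sentence "If krb5.conf uses a module directive, kdc.conf should also use one if it exists." is ambiguous about whether "it" refers to kdc.conf or to the module; suggest "If krb5.conf uses a module directive and a kdc.conf file exists, kdc.conf should also use one." The new "Sections" heading placed before the sentence that introduces the sections table is fine (the underline being longer than the title is accepted by reStructuredText), provided the old heading after the table is removed, as the following hunk does.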
@@ -57,9 +77,6 @@ plugins_ Contains tags to register dynamic plugin modules and to turn modu
appdefaults_ Contains default values that can be used by Kerberos V5 applications.
============== =======================================================
-Sections
-----------
-
.. _libdefaults:
@@ -69,86 +86,160 @@ Sections
The libdefaults section may contain any of the following relations:
**allow_weak_crypto**
- If this is set to 0 (for false), then weak encryption types will be filtered out of the previous three lists (as noted in :ref:`Supported_Encryption_Types_and_Salts`). The default value for this tag is false, which may cause authentication failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers.
+ If this is set to 0 (for false), then weak encryption types will be
+ filtered out of the previous three lists (as noted in
+ :ref:`Supported_Encryption_Types_and_Salts`).
+ The default value for this tag is false, which may cause authentication
+ failures in existing Kerberos infrastructures that do not support strong crypto.
+ Users in affected environments should set this tag to true until their
+ infrastructure adopts stronger ciphers.
**ap_req_checksum_type**
An integer which specifies the type of AP-REQ checksum to use in authenticators.
- This variable should be unset so the appropriate checksum for the encryption key in use will be used.
+ This variable should be unset so the appropriate checksum for the encryption
+ key in use will be used.
This can be set if backward compatibility requires a specific checksum type.
- See the *kdc_req_checksum_type* configuration option for the possible values and their meanings.
+ See the *kdc_req_checksum_type* configuration option for the possible values
+ and their meanings.
**canonicalize**
- This flag indicates to the KDC that the client is prepared to receive a reply that contains a principal name other than the one requested.
+ This flag indicates to the KDC that the client is prepared to receive
+ a reply that contains a principal name other than the one requested.
The client should expect, when sending names with the "canonicalize" KDC option,
that names in the KDC's reply will be different than the name in the request.
The default value for this flag is not set.
**ccache_type**
- Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4.
+ Use this parameter on systems which are DCE clients, to specify the type
+ of cache to be created by kinit, or when forwarded tickets are received.
+ DCE and Kerberos can share the cache, but some versions of DCE do not support
+ the default cache as created by this version of Kerberos.
+ Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems.
+ The default value is 4.
**clockskew**
- Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.
+ Sets the maximum allowable amount of clockskew in seconds that the library
+ will tolerate before assuming that a Kerberos message is invalid.
+ The default value is 300 seconds, or five minutes.
**default_keytab_name**
- This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is */etc/krb5.keytab*.
+ This relation specifies the default keytab name to be used by application
+ servers such as telnetd and rlogind. The default is */etc/krb5.keytab*.
**default_realm**
- Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record lookup is enabled (see :ref:`udns_label`), then that information will be used to determine the default realm. If this tag is not set in this configuration file and there is no DNS information found, then an error will be returned.
+ Identifies the default Kerberos realm for the client.
+ Set its value to your Kerberos realm.
+ If this is not specified and the TXT record lookup is enabled
+ (see :ref:`udns_label`), then that information will be used to determine
+ the default realm. If this tag is not set in this configuration file and
+ there is no DNS information found, then an error will be returned.
**default_tgs_enctypes**
- Identifies the supported list of session key encryption types that should be returned by the KDC. The list may be delimited with commas or whitespace. Kerberos supports many different encryption types, and support for more is planned in the future. (see :ref:`Supported_Encryption_Types_and_Salts` for a list of the accepted values for this tag). The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*.
+ Identifies the supported list of session key encryption types that should be
+ returned by the KDC. The list may be delimited with commas or whitespace.
+ Kerberos supports many different encryption types, and support for more
+ is planned in the future. (see :ref:`Supported_Encryption_Types_and_Salts`
+ for a list of the accepted values for this tag).
+ The default value is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+ des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*.
**default_tkt_enctypes**
- Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*.
+ Identifies the supported list of session key encryption types that should be
+ requested by the client. The format is the same as for default_tgs_enctypes.
+ The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+ des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*.
**dns_fallback**
- General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect.
+ General flag controlling the use of DNS for Kerberos information.
+ If both of the preceding options are specified, this option has no effect.
**dns_lookup_kdc**
- Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. (Note that the admin_server entry must be in the file, because the DNS implementation for it is incomplete.)
-
- Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know.
-
- If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to enable this option. If the DNS support is not compiled in, this entry has no effect.
+ Indicate whether DNS SRV records should be used to locate the KDCs and
+ other servers for a realm, if they are not listed in the information for the realm.
+ (Note that the admin_server entry must be in the file,
+ because the DNS implementation for it is incomplete.)
+
+ Enabling this option does open up a type of denial-of-service attack,
+ if someone spoofs the DNS records and redirects you to another server.
+ However, it's no worse than a denial of service, because that fake KDC
+ will be unable to decode anything you send it
+ (besides the initial ticket request, which has no encrypted data),
+ and anything the fake KDC sends will not be trusted without verification
+ using some secret that it won't know.
+
+ If this option is not specified but dns_fallback is, that value will be used instead.
+ If neither option is specified, the behavior depends on configure-time options;
+ if none were given, the default is to enable this option.
+ If the DNS support is not compiled in, this entry has no effect.
**dns_lookup_realm**
- Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.
-
- Enabling this option may permit a redirection attack, where spoofed DNS replies persuade a client to authenticate to the wrong realm, when talking to the wrong host (either by spoofing yet more DNS records or by intercepting the net traffic). Depending on how the client software manages hostnames, however, it could already be vulnerable to such attacks. We are looking at possible ways to minimize or eliminate this exposure. For now, we encourage more adventurous sites to try using Secure DNS.
-
- If this option is not specified but dns_fallback is, that value will be used instead. If neither option is specified, the behavior depends on configure-time options; if none were given, the default is to disable this option. If the DNS support is not compiled in, this entry has no effect.
+ Indicate whether DNS TXT records should be used to determine
+ the Kerberos realm of a host.
+
+ Enabling this option may permit a redirection attack, where spoofed DNS
+ replies persuade a client to authenticate to the wrong realm,
+ when talking to the wrong host (either by spoofing yet more DNS records
+ or by intercepting the net traffic). Depending on how the client software
+ manages hostnames, however, it could already be vulnerable to such attacks.
+ We are looking at possible ways to minimize or eliminate this exposure.
+ For now, we encourage more adventurous sites to try using Secure DNS.
+
+ If this option is not specified but dns_fallback is, that value will be used instead.
+ If neither option is specified, the behavior depends on configure-time options;
+ if none were given, the default is to disable this option.
+ If the DNS support is not compiled in, this entry has no effect.
**extra_addresses**
- This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma-separated list.
+ This allows a computer to use multiple local addresses, in order to allow
+ Kerberos to work in a network that uses NATs.
+ The addresses should be in a comma-separated list.
**forwardable**
- If this flag is set, initial tickets by default will be forwardable. The default value for this flag is not set.
+ If this flag is set, initial tickets by default will be *forwardable*.
+ The default value for this flag is not set.
**ignore_acceptor_hostname**
- When accepting GSSAPI or krb5 security contexts for host-based service principals,
- ignore any hostname passed by the calling application and allow any service principal present in the keytab
- which matches the service name and realm name (if given).
- This option can improve the administrative flexibility of server applications on multihomed hosts,
- but can compromise the security of virtual hosting environments. The default value is false.
+ When accepting GSSAPI or krb5 security contexts for host-based service
+ principals, ignore any hostname passed by the calling application and
+ allow any service principal present in the keytab which matches
+ the service name and realm name (if given).
+ This option can improve the administrative flexibility of server
+ applications on multihomed hosts, but can compromise the security of
+ virtual hosting environments. The default value is false.
**k5login_authoritative**
- If the value of this relation is true (the default), principals must be listed in a local user's k5login file to be granted login access, if a k5login file exists. If the value of this relation is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal.
+ If the value of this relation is true (the default), principals must be
+ listed in a local user's k5login file to be granted login access,
+ if a *.k5login* file exists. If the value of this relation is false,
+ a principal may still be granted login access through other mechanisms
+ even if a k5login file exists but does not list the principal.
**k5login_directory**
- If set, the library will look for a local user's k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user's home directory, with the filename .k5login. For security reasons, k5login files must be owned by the local user or by root.
+ If set, the library will look for a local user's k5login file within
+ the named directory, with a filename corresponding to the local username.
+ If not set, the library will look for k5login files in the user's home
+ directory, with the filename .k5login. For security reasons,
+ *.k5login* files must be owned by the local user or by root.
**kdc_default_options**
- Default KDC options (Xored for multiple values) when requesting initial credentials. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).
+ Default KDC options (Xored for multiple values) when requesting initial credentials.
+ By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).
**kdc_timesync**
- If this is set to 1 (for true), then client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock. This corrective factor is only used by the Kerberos library. The default is 1.
+ If this is set to 1 (for true), then client machines will compute
+ the difference between their time and the time returned by the KDC
+ in the timestamps in the tickets and use this value to correct for
+ an inaccurate system clock. This corrective factor is only used by
+ the Kerberos library. The default is 1.
**kdc_req_checksum_type**
- An integer which specifies the type of checksum to use for the KDC requests for compatibility with DCE security servers
+ An integer which specifies the type of checksum to use for
+ the KDC requests for compatibility with DCE security servers
which do not support the default RSA MD5 used by Kerberos V5.
This applies to DCE 1.1 and earlier.
Use a value of 2 to use the RSA MD4 instead.
- This value is only used for DES keys; other keys use the preferred checksum type for those keys.
+ This value is only used for DES keys;
+ other keys use the preferred checksum type for those keys.
The possible values and their meanings are as follows.
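Review bot: two relative cross-references dangle given the order of the entries: allow_weak_crypto says weak enctypes are "filtered out of the previous three lists", but default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes all appear after it, and dns_fallback says "If both of the preceding options are specified" while dns_lookup_kdc and dns_lookup_realm follow it; name the tags explicitly instead. The k5login_authoritative and k5login_directory entries also alternate between "k5login file" and "*.k5login* file" within the same paragraph; use one spelling.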
@@ -169,68 +260,112 @@ The libdefaults section may contain any of the following relations:
Setting this flag causes the initial Kerberos ticket to be addressless. The default for the flag is set.
**permitted_enctypes**
- Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*.
+ Identifies all encryption types that are permitted for use in session key encryption.
+ The default value for this tag is *aes256-cts-hmac-sha1-96
+ aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
+ des-cbc-crc des-cbc-md5 des-cbc-md4*.
**plugin_base_dir**
If set, determines the base directory where krb5 plugins are located.
- The default value is the "krb5/plugins" subdirectory of the krb5 library directory.
+ The default value is the "krb5/plugins" subdirectory of the krb5 library directory.
**preferred_preauth_types**
- This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported.
+ This allows you to set the preferred preauthentication types which
+ the client will attempt before others which may be advertised by a KDC.
+ The default value for this setting is "17, 16, 15, 14",
+ which forces libkrb5 to attempt to use PKINIT if it is supported.
**proxiable**
- If this flag is set, initial tickets by default will be proxiable. The default value for this flag is not set.
+ If this flag is set, initial tickets by default will be proxiable.
+ The default value for this flag is not set.
**rdns**
- If set to false, prevent the use of reverse DNS resolution when translating hostnames into service principal names. Defaults to true. Setting this flag to false is more secure, but may force users to exclusively use fully qualified domain names when authenticating to services.
+ If set to false, prevent the use of reverse DNS resolution when translating
+ hostnames into service principal names. Defaults to true.
+ Setting this flag to false is more secure, but may force users to exclusively
+ use fully qualified domain names when authenticating to services.
**realm_try_domains**
- Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm--which may involve consulting DNS if *dns_lookup_kdc* is set. The default is not to search domain components.
+ Indicate whether a host's domain components should be used to determine
+ the Kerberos realm of the host. The value of this variable is
+ an integer: -1 means not to search, 0 means to try the host's domain itself,
+ 1 means to also try the domain's immediate parent, and so forth.
+ The library's usual mechanism for locating Kerberos realms is used
+ to determine whether a domain is a valid realm--which may involve consulting
+ DNS if *dns_lookup_kdc* is set. The default is not to search domain components.
**renew_lifetime**
- The value of this tag is the default renewable lifetime for initial tickets. The default value for the tag is 0.
+ The value of this tag is the default renewable lifetime for initial tickets.
+ The default value for the tag is 0.
**safe_checksum_type**
- An integer which specifies the type of checksum to use for the KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES).
- For compatibility with applications linked against DCE version 1.1 or earlier Kerberos libraries,
- use a value of 3 to use the RSA MD4 DES instead.
+ An integer which specifies the type of checksum to use for the KRB-SAFE requests.
+ By default it is set to 8 (RSA MD5 DES).
+ For compatibility with applications linked against DCE version 1.1 or
+ earlier Kerberos libraries, use a value of 3 to use the RSA MD4 DES instead.
This field is ignored when its value is incompatible with the session key type.
- See the *kdc_req_checksum_type* configuration option for the possible values and their meanings.
+ See the *kdc_req_checksum_type* configuration option for the possible values
+ and their meanings.
**ticket_lifetime**
- The value of this tag is the default lifetime for initial tickets. The default value for the tag is 1 day.
+ The value of this tag is the default lifetime for initial tickets.
+ The default value for the tag is 1 day.
**udp_preference_limit**
- When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above *udp_preference_list*. If the message is smaller than *udp_preference_list*, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
+ When sending a message to the KDC, the library will try using TCP before UDP
+ if the size of the message is above *udp_preference_list*.
+ If the message is smaller than *udp_preference_list*,
+ then UDP will be tried before TCP. Regardless of the size,
+ both protocols will be tried if the first attempt fails.
+
**verify_ap_req_nofail**
- If this flag is set, then an attempt to get initial credentials will fail if the client machine does not have a keytab. The default for the flag is not set.
+ If this flag is set, then an attempt to get initial credentials will fail
+ if the client machine does not have a keytab.
+ The default for the flag is not set.
.. _realms:
**[realms]**
~~~~~~~~~~~~~~~~~
-Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection:
-
+Each tag in the [realms] section of the file is the name of a Kerberos realm.
+The value of the tag is a subsection with relations that define the properties
+of that particular realm.
+For each realm, the following tags may be specified in the realm's subsection:
**admin_server**
- Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmin server for the realm.
+ Identifies the host where the administration server is running.
+ Typically, this is the master Kerberos server. This tag must be given
+ a value in order to communicate with the kadmin server for the realm.
**auth_to_local**
- This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are:
-
+ This tag allows you to set a general rule for mapping principal names
+ to local user names. It will be used if there is not an explicit mapping
+ for the principal name that is being translated. The possible values are:
DB:filename
- The principal will be looked up in the database filename. Support for this is not currently compiled in by default.
+ The principal will be looked up in the database filename.
+ Support for this is not currently compiled in by default.
RULE:exp
The local name will be formulated from exp.
- The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n'th component of the principal for $n (e.g. if the principal was *johndoe/admin* then [2:$2$1foo] would result in the string "adminjohndoefoo"). If this string matches regexp, then the s//[g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string.
+ The format for exp is *[n:string](regexp)s/pattern/replacement/g*.
+ The integer *n* indicates how many components the target principal should have.
+ If this matches, then a string will be formed from string,
+ substituting the realm of the principal for $0 and the n'th component
+ of the principal for *$n*
+ (e.g. if the principal was *johndoe/admin* then [2:$2$1foo] would
+ result in the string "adminjohndoefoo"). If this string matches *regexp*,
+ then the *s//[g]* substitution command will be run over the string.
+ The optional *g* will cause the substitution to be global over the *string*,
+ instead of replacing only the first match in the *string*.
DEFAULT
- The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail.
+ The principal name will be used as the local user name.
+ If the principal has more than one component or is not in the default realm,
+ this rule is not applicable and the conversion will fail.
For example::
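Review bot: the udp_preference_limit entry refers twice to *udp_preference_list*, which does not match the tag name in its heading; correct both occurrences to *udp_preference_limit*. In the RULE:exp description the emphasis also lands on the wrong word: "a string will be formed from string" leaves the placeholder plain, while "global over the *string*" and "first match in the *string*" emphasise the formed string as if it were the placeholder; emphasise the placeholder in the first sentence and drop the emphasis in the last two.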
@@ -243,43 +378,81 @@ Each tag in the [realms] section of the file is the name of a Kerberos realm. Th
}
- would result in any principal without *root* or *admin* as the second component to be translated with the default rule. A principal with a second component of *admin* will become its first component. *root* will be used as the local name for any principal with a second component of *root*. The exception to these two rules are any principals *johndoe*/\*, which will always get the local name *guest*.
+ would result in any principal without *root* or *admin* as the second
+ component to be translated with the default rule.
+ A principal with a second component of *admin* will become its first component.
+ *root* will be used as the local name for any principal with a second component of *root*.
+ The exception to these two rules are any principals *johndoe*/\*,
+ which will always get the local name *guest*.