This commit was manufactured by cvs2svn to create tag

'MITKerberos_5_0b2'.

git-svn-id: svn://anonsvn.mit.edu/krb5/tags/MITKerberos_5_0b2@15669 dc483132-0cff-0310-8789-dd5450dbe970

doc/ChangeLog

@@ -1,3 +1,81 @@
+2003-06-20  Tom Yu  <tlyu@mit.edu>
+
+	* build.texinfo (Installing the Binaries): New node; describe
+	basic "make install", along with "DESTDIR=...".
+
+2003-06-19  Tom Yu  <tlyu@mit.edu>
+
+	* build.texinfo (HPUX): Fix typo.
+	(Options to Configure): Note that --with-system-db is unsupported,
+	concerning possible lossage with loading dumpfiles.
+
+2003-06-18  Tom Yu  <tlyu@mit.edu>
+
+	* dnssrv.texinfo: Add note about _kerberos-iv._udp SRV records.
+
+2003-05-30  Ken Raeburn  <raeburn@mit.edu>
+
+	* definitions.texinfo (DefaultCcacheType, DefaultKDCTimesync,
+	DefaultMasterKeyType, DefaultTktLifetime): Updated for code
+	changes.
+	(DefaultCcacheTypeMac, DefaultKDCTimesyncMac): Deleted.
+
+	* admin.texinfo (libdefaults): Update kdc_timesync and ccache_type
+	descriptions to not separate Mac case.
+
+2003-05-30  Sam Hartman  <hartmans@mit.edu>
+
+	* admin.texinfo (Supported Encryption Types): Document AES interop issues.
+
+	* support-enc.texinfo: Add AES enctypes
+
+2003-05-27  Tom Yu  <tlyu@mit.edu>
+
+	* admin.texinfo (realms (kdc.conf)): Update to reflect that
+	kadm5.keytab is only used by legacy admin daemons.
+
+	* install.texinfo (Create a kadmind Keytab (optional)): Update to
+	reflect that kadm5.keytab is only used by legacy admin daemons.
+
+	* build.texinfo (HPUX): Make HPUX compiler flags simpler.
+
+2003-05-23  Ken Raeburn  <raeburn@mit.edu>
+
+	* build.texinfo (HPUX, Solaris 2.X, Ultrix 4.2/3 [notdef]):
+	Replace descriptions of old --with- options with VAR=.
+	(Solaris 2.X): Suggest that defining _XOPEN_SOURCE and
+	__EXTENSIONS__ might help for 64-bit mode.
+
+2003-05-23  Tom Yu  <tlyu@mit.edu>
+
+	* admin.texinfo (appdefaults): Clarify afs_krb5 slightly.
+
+2003-05-22  Sam Hartman  <hartmans@mit.edu>
+
+	* admin.texinfo (appdefaults): Describe afs_krb5
+
+	* krb425.texinfo (AFS and the Appdefaults Section): Note about AFS and 2b tokens
+
+2003-05-13  Ken Raeburn  <raeburn@mit.edu>
+
+	* definitions.texinfo: Updated DefaultSupportedEnctypes.
+
+2003-05-12  Sam Hartman  <hartmans@mit.edu>
+
+	* definitions.texinfo: Default v4 mode is now none
+
+2003-04-18  Ken Raeburn  <raeburn@mit.edu>
+
+	* definitions.texinfo (DefaultETypeList,
+	DefaultSupportedEnctypes): Update for AES.
+	* install.texinfo (Client Machine Configuration Files): Fix typo
+	in variable reference.
+
+2003-04-08  Tom Yu  <tlyu@mit.edu>
+
+	* krb4-xrealm.txt: New file.  Describe the krb4 cross-realm
+	patchkit.  Copied from 2003-004-krb4_patchkit.
+
 2003-02-04  Sam Hartman  <hartmans@mit.edu>
 
 	* krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified

doc/admin.texinfo

@@ -350,6 +350,25 @@ types can be set to some combination of the following strings.
 
 @include support-enc.texinfo
 
+While aes128-cts and aes256-cts are supported for all Kerberos
+operations, they are not supported by the GSSAPI.  AES GSSAPI support
+will be added after the necessary standardization work is
+completed.  
+
+By default, AES is enabled on clients and application servers.
+Because of the lack of support for GSSAPI, AES is disabled in the
+default KDC supported_enctypes @ref{kdc.conf}.  Sites wishing to use
+AES encryption types on their KDCs need to be careful not to give
+GSSAPI services AES keys.  If GSSAPI services are given AES keys, then
+services will start to fail in the future when clients supporting AES
+for GSSAPI are deployed before updated servers that support AES for
+GSSAPI.  Sites may wish to use AES for user keys and for the ticket
+granting ticket key, although doing so requires specifying what
+encryption types are used as each principal is created.  Alternatively
+sites can use the default configuration which will make AES support
+available in clients and servers but not actually use this support
+until a future version of Kerberos adds support to GSSAPI.
+
 @node Salts, krb5.conf, Supported Encryption Types, Configuration Files
 @section Salts
 
@@ -425,9 +444,7 @@ If this is set to 1 (for true), then client machines will compute the
 difference between their time and the time returned by the KDC in the
 timestamps in the tickets and use this value to correct for an
 inaccurate system clock.  This corrective factor is only used by the
-Kerberos library.  The default is @value{DefaultKDCTimesyncMac} for
-Macintosh computers and @value{DefaultKDCTimesync} for all other
-platforms.
+Kerberos library.  The default is @value{DefaultKDCTimesync}.
 
 @itemx kdc_req_checksum_type
 @itemx ap_req_checksum_type
@@ -466,9 +483,7 @@ type of cache to be created by kinit, or when forwarded tickets are
 received.  DCE and Kerberos can share the cache, but some versions of
 DCE do not support the default cache as created by this version of
 Kerberos.  Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
-DCE 1.1 systems.  The default value is @value{DefaultCcacheTypeMac}
-for Macintosh computers and @value{DefaultCcacheType} for other
-platforms.
+DCE 1.1 systems.  The default value is @value{DefaultCcacheType}.
 
 @ignore
 @itemx tkt_lifetime
@@ -610,6 +625,33 @@ The list of specifiable options for each application may be found in
 that application's man pages.  The application defaults specified here
 are overridden by those specified in the [realms] section.
 
+A special application name (afs_krb5) is used by the krb524 service to
+know whether new format AFS tokens based on Kerberos 5 can be used
+rather than the older format which used a converted Kerberos 4 ticket.
+The new format allows for cross-realm authentication without
+introducing a security hole.  It is used by default.  Older AFS
+servers (before OpenAFS 1.2.8) will not support the new format.  If
+servers in your cell do not support the new format, you will need to
+add an @code{afs_krb5} relation to the @code{appdefaults} section.
+The following config file shows how to disable new format AFS tickets
+for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
+
+@smallexample
+@group
+[appdefaults]
+    afs_krb5 = @{ 
+        EXAMPLE.COM = @{
+            afs/afs.example.com = false
+        @}
+    @}
+
+@end group
+@end smallexample
+
+
+
+
+
 @node login, realms (krb5.conf), appdefaults, krb5.conf
 @subsection [login]
 
@@ -1089,9 +1131,9 @@ uses to determine which principals are allowed which permissions on the
 database.  The default is @code{@value{DefaultAclFile}}.
 
 @itemx admin_keytab
-(String.)  Location of the keytab file that kadmin uses to authenticate
-to the database.  The default is
-@code{@value{DefaultAdminKeytab}}.
+(String.)  Location of the keytab file that the legacy administration
+daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
+the database.  The default is @code{@value{DefaultAdminKeytab}}.
 
 @itemx database_name
 (String.)  Location of the Kerberos database for this realm.  The

doc/api/ChangeLog

@@ -1,3 +1,7 @@
+2003-05-09  Tom Yu  <tlyu@mit.edu>
+
+	* krb5.tex: Update subkey-related information to match code.
+
 2002-01-15  Sam Hartman  <hartmans@mit.edu>
 
 	* krb5.tex (subsubsection{Principal access functions}): krb5_princ_realm returns a pointer.

doc/api/krb5.tex

@@ -183,28 +183,45 @@ \subsubsection{The krb5_auth_context}
 allocated in this function should be freed with a call to
 \funcname{krb5_free_keyblock}. 
 
-\begin{funcdecl}{krb5_auth_con_getlocalsubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getrecvsubkey}{krb5_error_code}{\funcinout}
 \funcarg{krb5_context}{context}
 \funcarg{krb5_auth_context}{auth_context}
 \funcout
 \funcarg{krb5_keyblock **}{keyblock}
 \end{funcdecl}
 
-Retrieves the local_subkey keyblock stored in
+Retrieves the recv\_subkey keyblock stored in
 \funcparam{auth_context}. The memory allocated in this function should
 be freed with a call to \funcname{krb5_free_keyblock}.
 
-\begin{funcdecl}{krb5_auth_con_getremotesubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getsendsubkey}{krb5_error_code}{\funcinout}
 \funcarg{krb5_context}{context}
 \funcarg{krb5_auth_context}{auth_context}
 \funcout
 \funcarg{krb5_keyblock **}{keyblock}
 \end{funcdecl}
 
-Retrieves the remote_subkey keyblock stored in
+Retrieves the send\_subkey keyblock stored in
 \funcparam{auth_context}. The memory allocated in this function should
 be freed with a call to \funcname{krb5_free_keyblock}.
 
+\begin{funcdecl}{krb5_auth_con_setrecvsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the recv\_subkey keyblock stored in \funcparam{auth_context}.
+
+\begin{funcdecl}{krb5_auth_con_setsendsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the send\_subkey keyblock stored in \funcparam{auth_context}.
 
 \begin{funcdecl}{krb5_auth_setcksumtype}{krb5_error_code}{\funcinout}
 \funcarg{krb5_context}{context}
@@ -1508,9 +1525,9 @@ \subsubsection{The application functions}
 data in \funcparam{*outbuf} after verifying its integrity.
 
 The keyblock used for verifying the integrity of the message is taken
-from the \funcparam{auth_context} local_subkey, remote_subkey, or
-keyblock. The keyblock is chosen in the above order by the first one
-which is not NULL.
+from the \funcparam{auth_context} recv\_subkey or keyblock. The
+keyblock is chosen in the above order by the first one which is not
+NULL.
 
 The remote_addr and localaddr portions of the \funcparam{*auth_context}
 specify the full addresses (host and port) of the sender and receiver,