kadmin-remctl 3.1 (unreleased)
+ In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
+ KADM5_POLICY_CLR as attributes when creating a new principal. These
+ are not valid attribute values and end up setting or clearing large
+ numbers of other attributes.
+
+ In the Heimdal backend, don't unconditionally set the preauth required
+ attribute on newly created principals. This should be handled using
+ the "default" principal in Heimdal to configure the desired default
+ principal lifetime and attributes.
+
kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking. Instead, there is a new policy configuration parameter
my $princdata = eval { $kadmin->makePrincipal ($principal) };
my $attrs = $princdata->getAttributes;
- $attrs |= KRB5_KDB_REQUIRES_PRE_AUTH;
- if ($CONFIG{$instance}{checking}) {
- $attrs |= KADM5_POLICY_NORMAL_MASK;
- } else {
- $attrs |= KADM5_POLICY_CLR;
- }
if ($status ne 'enabled') {
$attrs |= KRB5_KDB_DISALLOW_ALL_TIX;
} else {