Russ Allbery [Mon, 5 May 2008 22:19:19 +0000 (22:19 +0000)]
Close the kasetkey output file descriptor before checking its exit
status so that we get accurate results.
Produce better error messages if REMOTE_USER isn't set in the
environment when checking authorization for instance management and
document the use of REMOTE_USER in the man page.
General coding style cleanup. Switch to a separate LICENSE file.
Improve the library probing and allow for systems where shared library
dependencies don't work properly.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb4 or --with-krb5. If
krb5-config isn't executable, don't use it. This allows one to force
library probing by setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
kasetkey now supports examine, enable, and disable, so drop all
remaining calls to a Kerberos v4 kadmin client and use kasetkey for
all AFS kaserver integration.

Russ Allbery [Wed, 26 Mar 2008 03:57:20 +0000 (03:57 +0000)]
* kadmin-remctl is now Architecture: any since it includes ksetpass.
* No longer include the supervise configuration for the password reset
remctld instance in the kadmin-remctl package.
* Move remctl-server and libtext-template-perl to Recommends since
kadmin-remctl doesn't always need them.
* Update the long description for kadmin-remctl. It's no longer very
Stanford-specific as packaged.

Russ Allbery [Tue, 25 Mar 2008 19:52:39 +0000 (19:52 +0000)]
Initial commit of the rewrite to support Guest Accounts.
Significantly rework kadmin-backend. The configuration variable for
instance management has been renamed to %CONFIG and now must be set.
It controls both instances and principals without instances. Many of
the global settings have been moved into that hash and can be set
per-instance. Particular instances may now be configured to only
exist in Active Directory and bypass Kerberos v5 entirely.
Support using ksetpass for password resets in Active Directory and to
work around a Windows Server 2008 bug that prevents setting passwords
at the time of account creation when using GSS-API authentication.
Add support for optionally adding principals with instances created in
Active Directory to an Active Directory authorization group at the
time of creation.

Russ Allbery [Wed, 8 Aug 2007 23:13:21 +0000 (23:13 +0000)]
* New upstream release.
- Increase Expect timeouts in kadmin-backend.
- Improved error message stripping in kadmin-backend.
- Add a newline after remctl errors in passwd_change.

Russ Allbery [Fri, 3 Aug 2007 00:36:10 +0000 (00:36 +0000)]
Add the $K5_HOST configuration variable to kadmin-backend which, if
set, tells kadmin-backend to contact the given kadmin server instead
of the default for the local realm.
Standardize across the non-instance functions of kadmin-backend the
ordering of error and retstr messages and return retstr for the case
of creating an account that already exists instead of just error.

* New upstream release.
- Fix problems with deleting instances from Active Directory.
- Correctly encode the Active Directory unicodePwd field.
- Support listing instances in foreign realms.
- Fix kadmin examine output when K4 output faking is enabled.
Active Directory expects passwords to be encoded in UCS-2LE. Change
the password provided to the LDIF template to match those expectations
and move the modules needed for talking to Active Directory to
require statements from use statements so that those Perl modules
aren't required unless Active Directory integration is desired.
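Added example, not code from kadmin-backend (which is Perl): a small Python rendering of the encoding this commit describes for the Active Directory unicodePwd attribute. The commit names the encoding UCS-2LE; Python's `utf-16-le` codec produces the same bytes for characters in the Basic Multilingual Plane and writes no byte-order mark. The requirement that the password be wrapped in double quotes before encoding comes from Microsoft's documentation of the attribute, not from the commit text, and the sample password is constructed.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way Active Directory's unicodePwd attribute expects.

    AD wants the password wrapped in double quotes (Microsoft's documented
    requirement, assumed here) and encoded as little-endian 16-bit Unicode.
    The commit above calls this UCS-2LE; 'utf-16-le' is byte-identical for
    BMP characters and emits no byte-order mark.
    """
    return f'"{password}"'.encode("utf-16-le")


def ldif_unicode_pwd(password: str) -> str:
    """Render the attribute as an LDIF line.

    LDIF marks binary values with '::' followed by base64, which is how a
    value like this would be placed in the LDIF template the commit mentions.
    """
    encoded = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "unicodePwd:: " + encoded


def decode_ldif_unicode_pwd(line: str) -> str:
    """Reverse ldif_unicode_pwd, useful for checking a generated template.

    Raises ValueError if the line is not a base64 unicodePwd line or the
    decoded value is not wrapped in the expected double quotes.
    """
    prefix = "unicodePwd:: "
    if not line.startswith(prefix):
        raise ValueError("not a base64-encoded unicodePwd line")
    raw = base64.b64decode(line[len(prefix):]).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("decoded password is not wrapped in double quotes")
    return raw[1:-1]


if __name__ == "__main__":
    # Constructed sample password; not a real credential.
    line = ldif_unicode_pwd("Passw0rd")
    print(line)
    print(decode_ldif_unicode_pwd(line))
```

The round-trip function exists only so a generated LDIF file can be checked before it is fed to an LDAP client; a password that is sent without the surrounding quotes, or in UTF-8 rather than the 16-bit encoding, is rejected by Active Directory as a constraint violation rather than silently set.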
Kerberos v4 examine output faking was prepending "retstr: " even to
error messages. Drop "retstr: " when there is an error.
When listing instances, add a wildcard after the instance pattern
rather than letting kadmin append the local realm so that we can use
the same code on development servers that may be serving different
realms than the local realm.

* New upstream release.
- Add support for instance propagation to Active Directory.
- Fix time zone problems with K4 output faking.
- Fix configuration details in passwd_change documentation.
Make the LDAP configuration file and keytab paths configurable rather
than hard-coding them, adding them to the %INSTANCES hash. Rename the
ldif config variable to ad_ldif to match.
Go back to passing the quiet flag to LDAP commands and not printing
the LDIF and command before doing something. Pull the DN from the
LDIF template for delete instead of hard-coding our structure.
Delete from AD before deleting from K5, since the local delete is much
less likely to be in error. Also delete the AD principal if the local
account creation fails so as not to strand an account in AD without a
password due to our initial workarounds.
When faking Kerberos v4 examine output in kadmin-backend, strip the
time zone information from the Kerberos v5 timestamps. Kerberos v4
kadmin examine didn't include time zone information.

Russ Allbery [Fri, 29 Jun 2007 00:05:52 +0000 (00:05 +0000)]
* New upstream release.
- Fix K4 examine faking when the account doesn't exist.
- passwd_change now takes configuration from krb5.conf.
* Drop the local patch to change the passwd_change defaults and instead
pass Stanford's defaults as compiler options in debian/rules.

Russ Allbery [Wed, 6 Jun 2007 21:13:12 +0000 (21:13 +0000)]
MIT Kerberos kadmin doesn't return a useful exit status in conjunction
with -q. It always exits 0, even if the operation failed. Adjust for
this by inspecting its output instead.
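Added example, not code from kadmin-backend (which is Perl): a Python illustration of the two process-handling points made in this commit and in the kasetkey commit of 5 May 2008 above. In Perl the exit status of a piped `open` is only available after `close`; `subprocess.Popen.communicate()` gives the same ordering by draining and closing the pipe before collecting the status. The exit status is then combined with an inspection of the output, because `kadmin -q` exits 0 even when the operation failed. The error-line pattern is an assumption modelled on MIT kadmin's "<operation>: <error> while <action>" messages, and the `sh -c` command used as a stand-in for kadmin is constructed.

```python
import re
import subprocess
from typing import Sequence, Tuple

# Assumption: MIT kadmin reports failures on a line of the form
#   <operation>: <error text> while <what it was doing>
# e.g.  get_principal: Principal does not exist while retrieving "x@EXAMPLE.COM".
# Tune this to the kadmin version actually in use.
KADMIN_ERROR = re.compile(r"^\S+: .+ while .+$", re.MULTILINE)


def kadmin_output_ok(output: str) -> bool:
    """Return True when no kadmin-style error line appears in the output."""
    return KADMIN_ERROR.search(output) is None


def run_checked(cmd: Sequence[str]) -> Tuple[bool, str]:
    """Run cmd, drain and close its output pipe, then judge success.

    communicate() reads to EOF, closes the pipe and only then waits for the
    child, so returncode reflects the finished process (the ordering the
    kasetkey fix restores).  Because kadmin -q exits 0 on failure, success
    additionally requires that the output contains no error line.
    """
    proc = subprocess.Popen(
        cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True
    )
    output, _ = proc.communicate()
    ok = proc.returncode == 0 and kadmin_output_ok(output)
    return ok, output


if __name__ == "__main__":
    # Constructed stand-in for `kadmin -q`: prints an error yet exits 0.
    fake_kadmin = [
        "sh", "-c",
        'echo \'get_principal: Principal does not exist while retrieving "nobody@EXAMPLE.COM".\'; exit 0',
    ]
    ok, out = run_checked(fake_kadmin)
    print("ok" if ok else "failed", out.strip())
```

Checking `proc.returncode` before `communicate()` has returned would read `None` (or a stale value), which is the Python analogue of reading Perl's `$?` before closing the pipe handle.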